Home page logo
/

nmap-dev logo Nmap Development mailing list archives

nmap 4: Still no MSS in SYN scans?
From: Juergen Schmidt <ju () heisec de>
Date: Wed, 1 Feb 2006 14:01:41 +0100 (CET)

Hello,

in November I reported, that nmap SYN scans can be easily detected and blocked,
because they do not set TCP MSS. All TCP/IP implementations I checked, do
set MSS on the initial SYN packet of a new TCP connection.

See:

http://seclists.org/lists/nmap-dev/2005/Oct-Dec/0113.html

As far as I can see, there is still no option to set MSS on SYN scans
in nmap 4. Or did I miss something?

Are there any plans to include an option, that sets the MSS on the syn
packets generated for TCP syn scans?

To recap a short POC:
---
# ./nmap -p 22,23 -sS thor

Starting Nmap 4.00 ...
Interesting ports on thor ...:
PORT   STATE  SERVICE
22/tcp open   ssh
23/tcp closed telnet

========
thor# iptables -I INPUT -p tcp --syn  --tcp-option \! 2 -j DROP
========

# ./nmap -p 22,23 -sS thor
...
PORT   STATE    SERVICE
22/tcp filtered ssh
23/tcp filtered telnet

# ./nmap -p 22,23 -sT thor
...
PORT   STATE  SERVICE
22/tcp open   ssh
23/tcp closed telnet
-------


As you can see, after setting the iptables rule, nmap -sS reports the
ports as filtered but they are in fact open/closed -- as shown by the last
connect scan. I can connect via ssh too.

bye, ju

-- 
Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju () heisec de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault