Re: Patch: Setting the flags for Idlescan
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 16 Mar 2006 16:55:53 -0800
On Mar 16, 2006, at 4:17 PM, Fyodor wrote:
On Thu, Mar 16, 2006 at 03:51:31PM -0800, Kurt Grutzmacher wrote:
Here's a minor option addition to set nmap's Idle scan (-sI)
the --scanflags parser to add some common words (SYNACK, PUSHACK).
this while researching Marco Ivaldi's bugtraq post here:
I saw that post and it is definitely interesting. Would you try
posting your patch again? Maybe you forgot to attach it, or maybe it
was sent with a mime type that this list doesn't allow. Renaming it
with a .txt extension often helps mailers figure out that it is text/*
rather than application/*.
Gmail attachments! Bah humbug but I'll try from here instead
While your patch would be useful for people testing this and related
issues, I'm not sure it is needed for the main Nmap distribution. In
Marco's post, he notes that Nmap works unmodified since it already
sends SYN/ACK. Before adding a new option to change that probe
to use different flags, I'd like to see at least one case where it
would help. And remember that the target machine will be sending back
SYN/ACK packets no matter what our initial probe uses.
Certainly it is great for testing purposes and I'm not sure if there
are a lot of uses outside as most machines I've tried to use Idlescan
for have worked with just SYN/ACK. I am curious how many others are
out there that may work as well. It was a quick mod to a couple of
lines and has worked well in my tests.
I have found a couple of cases where SYNACK will not work but just ACK does:
Zombie is listening on TCP port 55, it's being forwarded via iptables
to another port on the same machine (22). If I send SYN/ACK (tcpflags
18) packets I get no response from the zombie. If I send ACK
(tcpflags 16) packets I get RST from the zombie and the scan works.
SENT (0.4320s) TCP xx.yy.zz.ME:44951 > xx.yy.zz.ZOMBIE:55 SA ttl=53 id=32040 iplen=44 seq=3245032422 win=2048 ack=278882775
Idlescan zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE) port 55 cannot be
used because it has not returned any of our probes -- perhaps it is
down or firewalled.
SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419
RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0
Idlescan using zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE:55); Class:
Certainly a unique situation but still possible.
Sent through the nmap-dev mailing list
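The flag arithmetic behind tcpflags 18 versus 16 and the zombie check in the trace above, as an added example that is not part of this thread and not nmap's own code. It assumes the convenience-word spellings SYNACK and PUSHACK as the patch describes them and the SENT/RCVD line layout shown in the message; the trace lines embedded below are constructed by re-joining the wrapped lines from Kurt's message, and the letter-to-flag table for the trace output is an assumption based on the S, A and R codes visible there.

```python
"""Parse --scanflags-style words and --packet-trace lines, then decide from
a trace whether an Idle scan zombie answered the probe with RST.
Illustrative code for this thread, not nmap's parser."""
import re

# TCP flag bits (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Convenience words of the kind the patch adds (spellings assumed).
FLAG_WORDS = {"SYNACK": ("SYN", "ACK"), "PUSHACK": ("PSH", "ACK"),
              "PUSH": ("PSH",)}

# Single-letter codes in --packet-trace output (assumed from S, A, R above).
TRACE_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH",
                 "A": "ACK", "U": "URG", "E": "ECE", "C": "CWR"}

_TOKENS = sorted(list(FLAG_WORDS) + list(TCP_FLAGS), key=len, reverse=True)


def parse_scanflags(spec):
    """Return the TCP flags byte for a --scanflags-style spec.

    Accepts a decimal or 0x-hex number, or flag names run together in any
    order: 'SYNACK' -> 18, 'PUSHACK' -> 24, 'URGACKPSHRSTSYNFIN' -> 63.
    """
    s = spec.strip().upper()
    if re.fullmatch(r"0X[0-9A-F]+", s):
        value = int(s, 16)
    elif s.isdigit():
        value = int(s, 10)
    else:
        value, i = 0, 0
        while i < len(s):
            for token in _TOKENS:          # longest token wins
                if s.startswith(token, i):
                    for name in FLAG_WORDS.get(token, (token,)):
                        value |= TCP_FLAGS[name]
                    i += len(token)
                    break
            else:
                raise ValueError("unknown flag at %r" % s[i:])
    if not 0 <= value <= 0xFF:
        raise ValueError("flags must fit in one byte: %r" % spec)
    return value


def trace_letters_to_flags(letters):
    """'SA' -> 18, 'A' -> 16, 'R' -> 4 (same arithmetic as above)."""
    value = 0
    for ch in letters:
        value |= TCP_FLAGS[TRACE_LETTERS[ch]]
    return value


TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<flags>[SFRPAUEC]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+) "
    r"iplen=(?P<iplen>\d+) seq=(?P<seq>\d+) win=(?P<win>\d+)"
    r"(?: ack=(?P<ack>\d+))?")


def parse_trace_line(line):
    """One SENT/RCVD line -> dict with flags as a byte and the IP ID, or None."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"dir": d["dir"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": trace_letters_to_flags(d["flags"]), "ipid": int(d["id"])}


def zombie_probe_results(trace, zombie, port):
    """Pair each probe SENT to zombie:port with the RCVD reply on the same
    ephemeral source port. Returns [(probe_flags, reply_flags, reply_ipid)],
    with None for reply fields when the zombie stayed silent."""
    recs = [r for r in (parse_trace_line(l) for l in trace) if r]
    out = []
    for p in recs:
        if p["dir"] != "SENT" or p["dst"] != zombie or p["dport"] != port:
            continue
        reply = next((r for r in recs if r["dir"] == "RCVD"
                      and r["src"] == zombie and r["sport"] == port
                      and r["dport"] == p["sport"]), None)
        out.append((p["flags"], reply["flags"] if reply else None,
                    reply["ipid"] if reply else None))
    return out


def zombie_usable(trace, zombie, port):
    """A zombie is usable only if a probe drew a RST (nmap needs its IP ID)."""
    return any(rf is not None and rf & TCP_FLAGS["RST"]
               for _, rf, _ in zombie_probe_results(trace, zombie, port))


# Constructed from the message's wrapped trace lines (joined back together).
SYNACK_TRACE = [
    "SENT (0.4320s) TCP xx.yy.zz.ME:44951 > xx.yy.zz.ZOMBIE:55 SA ttl=53 "
    "id=32040 iplen=44 seq=3245032422 win=2048 ack=278882775",
]
ACK_TRACE = [
    "SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58 "
    "id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419",
    "RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 "
    "id=54084 iplen=40 seq=3026693419 win=0",
]

if __name__ == "__main__":
    for name, trace in (("SYN/ACK probe", SYNACK_TRACE), ("ACK probe", ACK_TRACE)):
        print(name, zombie_probe_results(trace, "xx.yy.zz.ZOMBIE", 55),
              "usable:", zombie_usable(trace, "xx.yy.zz.ZOMBIE", 55))
```

Running it prints the ACK-probe trace as usable (reply flags 4, IP ID 54084) and the SYN/ACK-probe trace as not usable, which is the distinction the message makes. The reply's IP ID is returned because that is the value an Idle scan actually consumes: a zombie that never answers gives nmap nothing to difference.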