Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Patch: Setting the flags for Idlescan
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 16 Mar 2006 16:55:53 -0800

On Mar 16, 2006, at 4:17 PM, Fyodor wrote:

On Thu, Mar 16, 2006 at 03:51:31PM -0800, Kurt Grutzmacher wrote:
Here's a minor option addition to set nmap's Idle scan (-sI) flags. Modified the --scanflags parser to add some common words (SYNACK, PUSHACK). I did
this while researching Marco Ivaldi's bugtraq post here:

I saw that post and it is definitely interesting.  Would you try
posting your patch again?  Maybe you forgot to attach it, or maybe it
was sent with a mime type that this list doesn't allow.  Renaming it
with a .txt extension often helps mailers figure out that it is text/*
rather than application/*.

Gmail attachments! Bah humbug but I'll try from here instead renamed .txt

While your patch would be useful for people testing this and related
issues, I'm not sure it is neede for the main Nmap distribution.  In
Marco's post, he notes that Nmap works unmodified since it already
sends SYN/ACK.  Before adding a new option to change that probe
to use different flags, I'd like to see at least one case where it
would help.  And remember that the target machine will be sending back
SYN/ACK packets no matter what our initial probe uses.

Certainly it is great for testing purposes and I'm not sure if there are a lot of uses outside as most machines I've tried to use Idlescan for have worked with just SYN/ACK. I am curious how many others are out there that may work as well. It was a quick mod to a couple of lines and has worked well in my tests.

I have found a couple cases where SYNACK will not work but just ACK will:

Zombie is listening on TCP port 55, it's being forwarded via iptables to another port on the same machine (22). If I send SYN/ACK (tcpflags 18) packets I get no response from the zombie. If I send ACK (tcpflags 16) packets I get RST from the zombie and the scan works.


SENT (0.4320s) TCP xx.yy.zz.ME:44951 > xx.yy.zz.ZOMBIE:55 SA ttl=53 id=32040 iplen=44 seq=3245032422 win=2048 ack=278882775 Idlescan zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE) port 55 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.


SENT (0.1810s) TCP xx.yy.zz.ME:45762 > xx.yy.zz.ZOMBIE:55 A ttl=58 id=4557 iplen=44 seq=395955956 win=3072 ack=3026693419 RCVD (0.1810s) TCP xx.yy.zz.ZOMBIE:55 > xx.yy.zz.ME:45762 R ttl=64 id=54084 iplen=40 seq=3026693419 win=0 Idlescan using zombie xx.yy.zz.ZOMBIE (xx.yy.zz.ZOMBIE:55); Class: Incremental

Certainly a unique situation but still possible.

Attachment: nmap-4.02Alpha2-idleflags.diff.txt

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]