Nmap Development: Re: Nmap does not notice ACK packets

Re: Nmap does not notice ACK packets

From: Kris Katterjohn <katterjohn_at_gmail.com>
Date: Sat, 03 Feb 2007 08:42:35 -0600

Richard van den Berg wrote:
> I am scanning a fairly large network using -sS and I have some hosts
> respond to nmap's SYN packet with only an ACK. I know this is a strange
> way to behave for a host. Has anyone ever seen this before? It seems
> intermittent because when I scan the host a second time, all is good.
> Even when I craft the exact same packets using hping2, the host will
> respond with SYN ACK (as it should).
>
> The thing is, nmap 4.20 never reacts to these ACK packets. The port shows
> up as filtered, and is not used to send TCP probes to either. I am not
> sure what "state" nmap should give to such a port. Maybe open|filtered ?
>

Hi

Do you pick up a SYN from the hosts as well? The RFC says it should go
like this:

A -> B (SYN sequence number X)
A <- B (ACK sequence number X)
A <- B (SYN sequence number Y)
A -> B (ACK sequence number Y)

But, the middle two can get combined as a SYN/ACK packet, hence the
three-way handshake. If you get a SYN as well, then this will start to
make a little more sense, but should(?) still be wrong.

What OSes are these hosts running? Is it the same on all of them?

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Received on Feb 03 2007
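The exchange discussed above, as an added example that is not part of the original thread and not nmap's own code: a small Python classifier that takes the TCP segments seen in reply to one SYN probe and maps them to a SYN-scan port state. A SYN/ACK that acknowledges the probe is "open", an RST is "closed", and no reply is "filtered", which matches how a SYN scan is normally read. Two things here are assumptions, not nmap behaviour: an ACK and a SYN arriving as two separate segments (the split handshake Kris sketches) are accepted as "open", and a bare ACK with no following SYN is reported as the hypothetical label "unexpected-ack" rather than being silently dropped into "filtered", so that the case Richard hit is visible instead of lost. The segments are constructed in memory; nothing is sent on the wire.

```python
"""Classify replies to a single TCP SYN probe, SYN-scan style.

Added example for the nmap-dev thread "Nmap does not notice ACK packets".
It is not nmap code; the split-handshake acceptance and the
"unexpected-ack" label are assumptions chosen to surface the anomaly
described in the thread.
"""
import struct
from typing import Dict, Sequence

# TCP flag bits in the low 9 bits of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, csum, urg


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int = 65535) -> bytes:
    """Pack a 20-byte TCP header with no options.

    The checksum is left as zero: these segments are constructed test input
    and are never transmitted, so no pseudo-header checksum is needed.
    """
    data_offset_and_flags = (5 << 12) | (flags & 0x1FF)  # 5 words = 20 bytes
    return struct.pack(TCP_HDR, sport, dport, seq, ack,
                       data_offset_and_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> Dict[str, int]:
    """Unpack the fixed 20-byte part of a TCP header into a dict."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


def classify_syn_probe(probe_seq: int, replies: Sequence[bytes]) -> str:
    """Return a port state for the replies received to a SYN with seq probe_seq.

    "open"           SYN/ACK acknowledging our SYN, or (assumption) an ACK of
                     our SYN followed by a separate SYN from the target.
    "closed"         any RST.
    "filtered"       no reply at all (an ICMP unreachable would be handled the
                     same way by a scanner; it is not modelled here).
    "unexpected-ack" (assumption) the target acknowledged our SYN but never
                     sent a SYN of its own, the behaviour reported in the thread.
    """
    if not replies:
        return "filtered"
    expected_ack = (probe_seq + 1) & 0xFFFFFFFF  # a SYN consumes one sequence number
    saw_ack = saw_syn = False
    for segment in replies:
        flags = parse_tcp_header(segment)["flags"]
        ack_num = parse_tcp_header(segment)["ack"]
        if flags & RST:
            return "closed"
        if flags & ACK:
            if ack_num != expected_ack:
                continue  # ACK for something else, not a reply to our probe
            saw_ack = True
        if flags & SYN:
            saw_syn = True
        if saw_ack and saw_syn:
            return "open"
    return "unexpected-ack" if saw_ack else "filtered"


if __name__ == "__main__":
    # Constructed sample traffic: our probe carried seq 1000 from port 40000 to port 80.
    probe_seq = 1000
    synack = build_tcp_header(80, 40000, 5000, probe_seq + 1, SYN | ACK)
    rst = build_tcp_header(80, 40000, 0, probe_seq + 1, RST | ACK)
    bare_ack = build_tcp_header(80, 40000, 5000, probe_seq + 1, ACK)
    lone_syn = build_tcp_header(80, 40000, 5000, 0, SYN)
    for label, replies in [("SYN/ACK", [synack]), ("RST", [rst]),
                           ("silence", []), ("bare ACK", [bare_ack]),
                           ("ACK then SYN", [bare_ack, lone_syn])]:
        print(f"{label:13s} -> {classify_syn_probe(probe_seq, replies)}")
```

Feeding the classifier the replies grouped per probe (rather than per packet) is what lets the bare-ACK case be told apart from silence; a scanner that only pattern-matches each incoming segment against "SYN/ACK or RST" discards the ACK and sees nothing, which is the "filtered" result the thread describes.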