Kris Katterjohn wrote:
> Do you pick up a SYN from the hosts as well? The RFC says it should go
> like this:
>
> A -> B (SYN sequence number X)
> A <- B (ACK sequence number X)
> A <- B (SYN sequence number Y)
> A -> B (ACK sequence number Y)
>
> But, the middle two can get combined as a SYN/ACK packet, hence the
> three-way handshake. If you get a SYN as well, then this will start to
> make a little more sense, but should(?) still be wrong.
>
I've not seen a SYN coming from the remote host in this situation.
However, since the ACK triggers a RESET from my local system this might
be the reason. It's not likely though since the ACK and SYN should have
been sent at the same time and I should have seen it arrive. It's too
bad I cannot reproduce the issue when testing manually with netcat and
hping2.

> What OS's are these hosts running? Is it the same on all of them?
>
I don't know what these remote hosts are running. I've seen the issue
with different hosts on the same network. It could be an active device
in front of the real servers acting this way.
--
Richard van den Berg
Senior Consultant, INS
E-mail: richard.vandenberg_at_ins.com
Mobile: +31 (0)6-52071109
PGP Key ID: 0x6614D2AC
Fingerprint: 6829 0AD3 2F49 6D83 B65E E235 B8D3 8299 6614 D2AC
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Feb 04 2007
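
The handshake shapes discussed in this thread, as an added example that is not part of the original messages: a small classifier that labels a captured connection attempt as a combined three-way handshake, the split four-segment form, or the case reported here (a bare ACK answered by a local reset, with no SYN from the remote host). The `Seg` record, the label strings and the sample traces are constructed for illustration; acknowledgment numbers are modelled as the peer's initial sequence number plus one.

```python
from collections import namedtuple

# Constructed record for one TCP segment; direction is seen from initiator A:
# "out" is A -> B, "in" is A <- B. flags is a set such as {"SYN", "ACK"}.
Seg = namedtuple("Seg", "direction flags seq ack")

MOD = 2**32  # TCP sequence numbers wrap at 32 bits


def classify_handshake(segs):
    """Label how one connection attempt opened, from A's point of view."""
    if not segs or segs[0].direction != "out" or segs[0].flags != {"SYN"}:
        return "no-initial-syn"
    x = segs[0].seq
    acked_x = False    # B acknowledged A's SYN (ack == X+1)
    bare_ack = False   # ...in a segment without SYN, before B's own SYN
    y = None           # B's initial sequence number once its SYN arrives
    for s in segs[1:]:
        if s.direction == "in":
            if "ACK" in s.flags and s.ack == (x + 1) % MOD:
                acked_x = True
                if "SYN" not in s.flags and y is None:
                    bare_ack = True
            if "SYN" in s.flags:
                y = s.seq
        elif "RST" in s.flags:
            # A reset the attempt; the case from the thread is a bare ACK
            # with no SYN from B seen before the reset.
            return "bare-ack-then-reset" if bare_ack and y is None else "reset"
        elif ("ACK" in s.flags and y is not None and acked_x
              and s.ack == (y + 1) % MOD):
            return "split-four-way" if bare_ack else "three-way"
    return "incomplete"


X, Y = 1000, 5000  # constructed initial sequence numbers
THREE_WAY = [Seg("out", {"SYN"}, X, 0),
             Seg("in", {"SYN", "ACK"}, Y, X + 1),
             Seg("out", {"ACK"}, X + 1, Y + 1)]
SPLIT = [Seg("out", {"SYN"}, X, 0),
         Seg("in", {"ACK"}, 0, X + 1),
         Seg("in", {"SYN"}, Y, 0),
         Seg("out", {"ACK"}, X + 1, Y + 1)]
ANOMALY = [Seg("out", {"SYN"}, X, 0),
           Seg("in", {"ACK"}, 0, X + 1),
           Seg("out", {"RST"}, X + 1, 0)]

if __name__ == "__main__":
    for name, trace in (("3-way", THREE_WAY), ("split", SPLIT), ("anomaly", ANOMALY)):
        print(name, "->", classify_handshake(trace))
```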