Your guidance was very helpful. I did what you recommended and I ended up with some interesting results. When I use the connect() type of scan, I get port 80 open from Google. But when I try the SYN-connect scan, nmap reports the port as filtered. Here are the results for the TCP SYN scan.
C:\>nmap -sS -P0 -p 80 www.google.com --packet-trace
Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 12:27 FLE Standard Time
Warning: Hostname www.google.com resolves to 4 IPs. Using 209.85.135.103.
NSOCK (0.1090s) UDP connection requested to 192.168.201.250:53 (IOD #1) EID 8
NSOCK (0.1090s) Read request from IOD #1 [192.168.201.250:53] (timeout: -1ms) EID 18
NSOCK (0.1250s) UDP connection requested to 192.168.200.1:53 (IOD #2) EID 24
NSOCK (0.1250s) Read request from IOD #2 [192.168.200.1:53] (timeout: -1ms) EID 34
NSOCK (0.1250s) UDP connection requested to 87.120.131.1:53 (IOD #3) EID 40
NSOCK (0.1250s) Read request from IOD #3 [87.120.131.1:53] (timeout: -1ms) EID 50
NSOCK (0.1250s) UDP connection requested to 87.120.131.2:53 (IOD #4) EID 56
NSOCK (0.1250s) Read request from IOD #4 [87.120.131.2:53] (timeout: -1ms) EID 66
NSOCK (0.1410s) UDP connection requested to 192.92.192.1:53 (IOD #5) EID 72
NSOCK (0.1410s) Read request from IOD #5 [192.92.192.1:53] (timeout: -1ms) EID 82
NSOCK (0.1410s) Write request for 45 bytes to IOD #1 EID 91 [192.168.201.250:53]: E............103.135.85.209.in-addr.arpa.....
NSOCK (0.1410s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 72 [192.92.192.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 56 [87.120.131.2:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 40 [87.120.131.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 24 [192.168.200.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 8 [192.168.201.250:53]
NSOCK (0.1410s) Callback: WRITE SUCCESS for EID 91 [192.168.201.250:53]
NSOCK (0.1410s) Callback: READ SUCCESS for EID 18 [192.168.201.250:53] (216 bytes)
NSOCK (0.1410s) Read request from IOD #1 [192.168.201.250:53] (timeout: -1ms) EID 98
SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 iplen=44 seq=1786596582 win=4096 <mss 1460>
SENT (1.3750s) TCP 87.120.136.237:50400 > 209.85.135.103:80 S ttl=59 id=26861 iplen=44 seq=1786531047 win=4096 <mss 1460>
Interesting ports on mu-in-f103.google.com (209.85.135.103):
PORT STATE SERVICE
80/tcp filtered http
Nmap finished: 1 IP address (1 host up) scanned in 2.406 seconds
Here is a default scan:
C:\>nmap -sS -P0 google.com
Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 12:31 FLE Standard Time
Warning: Hostname google.com resolves to 3 IPs. Using 64.233.187.99.
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
All 1697 scanned ports on jc-in-f99.google.com (64.233.187.99) are filtered
Nmap finished: 1 IP address (1 host up) scanned in 348.516 seconds
Without the -P0 option, nmap reports that the machines are down. Any ideas how to "fix" the -sS scan?
Regards.
>-------- Original message --------
>From: Brandon Enright <bmenrigh_at_ucsd.edu>
>Subject: Re: NMAP scan problems
>To: Lord Doskias <lorddoskias_at_abv.bg>
>Sent on: Sunday, 2007, March 4 00:59:54 GMT+02:00
>----------------------------------
>
>On Sat, 3 Mar 2007 21:12:32 +0200 (GMT+02:00)
>Lord Doskias <lorddoskias_at_abv.bg> wrote:
>
>> Hello again,
>>
>>
>> I think I've got some clues on the problem. I think the isp is blocking
>> all "malicious" packets - eg. packets that are not from "established"
>> type of connection or that don't seem to establish real one. After all
>> nmap is not using "valid" tcp/udp packets. So is there a way to force
>> nmap to use valid tcp/udp packets?
>>
>> -----------------------------------------------------------------
>> http://auto-motor-und-sport.bg/
>> With petrol in the blood
>>
>
>Nmap *does* use "valid" TCP packets for most of the scan types. If it
>didn't, it would not be able to reliably port scan. Only the "fancier"
>scans like -s[NFX] or -O[12]? use odd TCP packets to derive useful
>information.
>
>Starting in 4.01 Nmap sets the TCP MSS option to 1460 for all SYN packets.
>This makes an Nmap connect look nearly identical to any other operating
>system connect. If your ISP is filtering, it is probably based on a
>rate-limit or a behavior detection. Using -sT (or not running
>privileged) stops Nmap from cooking its own packets and it just uses the OS
>Connect() call.
>
>Try:
>
>$ telnet www.google.com 80
>
>If that works (and it should) then try:
>
>$ nmap -sT -P0 -p 80 www.google.com
>
>The two are functionally identical. Nmap should report port 80 as open.
>
>You can then start experimenting with things like:
>
># nmap -sS -P0 -p 80 www.google.com
>
>or
>
>$ nmap -sT -P0 -p 1-100 www.google.com
>
>
>If you get unexpected results from any of these add a --packet-trace to the
>command to see what is going on.
>
>Brandon
>
>
>--
>Brandon Enright
>Network Security Analyst
>UCSD ACS/Network Operations
>bmenrigh_at_ucsd.edu
>
>_______________________________________________
>Sent through the nmap-dev mailing list
>http://cgi.insecure.org/mailman/listinfo/nmap-dev
>Archived at http://SecLists.Org
>
Received on Mar 04 2007
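To make the "filtered" verdict in the -sS trace above concrete, here is an added example (not part of this thread or of Nmap itself) that reads --packet-trace output and applies the same rule of thumb Nmap uses for a SYN scan: a SYN/ACK reply means open, an RST means closed, and no reply at all, even after the probe has been retransmitted, means filtered. The two SENT lines are copied from the trace above; the 10.0.0.5 lines are constructed so that open and closed ports appear alongside the filtered one.

```python
import re
from collections import defaultdict

# Matches the TCP probe lines Nmap prints with --packet-trace, e.g.
# SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 ...
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \([\d.]+s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)\b"
)

def classify_syn_scan(trace_lines):
    """Map (target_ip, port) -> (state, probes_sent) for a -sS trace.
    Rule of thumb Nmap applies: SYN/ACK back -> open, RST back -> closed,
    nothing back even after the probe was retransmitted -> filtered."""
    probes = defaultdict(int)    # (target, port) -> SYN probes sent
    replies = defaultdict(list)  # (target, port) -> flag strings received
    for line in trace_lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # NSOCK/DNS chatter and the result table are not probes
        if m["dir"] == "SENT" and "S" in m["flags"]:
            probes[(m["dst"], int(m["dport"]))] += 1
        elif m["dir"] == "RCVD":
            # Replies come *from* the scanned port, so key on (src, sport)
            replies[(m["src"], int(m["sport"]))].append(m["flags"])
    states = {}
    for key, n in probes.items():
        got = replies.get(key, [])
        if any("S" in f and "A" in f for f in got):
            state = "open"
        elif any("R" in f for f in got):
            state = "closed"
        else:
            state = "filtered"  # the case in the trace above: 2 SENT, 0 RCVD
        states[key] = (state, n)
    return states

# Sample trace: the two SENT lines are copied from the scan above; the
# 10.0.0.5 lines are constructed to show what open and closed look like.
SAMPLE_TRACE = [
    "SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 iplen=44 seq=1786596582 win=4096 <mss 1460>",
    "SENT (1.3750s) TCP 87.120.136.237:50400 > 209.85.135.103:80 S ttl=59 id=26861 iplen=44 seq=1786531047 win=4096 <mss 1460>",
    "SENT (0.4000s) TCP 87.120.136.237:50401 > 10.0.0.5:22 S ttl=51 id=7 iplen=44 seq=1 win=4096 <mss 1460>",
    "RCVD (0.4300s) TCP 10.0.0.5:22 > 87.120.136.237:50401 SA ttl=64 id=0 iplen=44 seq=9 win=5840 ack=2",
    "SENT (0.4010s) TCP 87.120.136.237:50402 > 10.0.0.5:23 S ttl=51 id=8 iplen=44 seq=3 win=4096 <mss 1460>",
    "RCVD (0.4310s) TCP 10.0.0.5:23 > 87.120.136.237:50402 RA ttl=64 id=0 iplen=40 seq=0 win=0 ack=4",
]

if __name__ == "__main__":
    for (ip, port), (state, n) in sorted(classify_syn_scan(SAMPLE_TRACE).items()):
        print(f"{ip}:{port} {state} ({n} probe(s) sent)")
```

Running it against a real trace (piped from `nmap -sS --packet-trace`) shows at a glance whether a "filtered" result came from retransmitted probes that never got any answer, which is what distinguishes the upstream drop seen here from a host that simply is not listening.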