Nmap Development: RE: Maybe bug, with -sP und ASA sending RST for denied networks


From: Dario Ciccarone (dciccaro) <dciccaro_at_cisco.com>
Date: Wed, 24 Oct 2007 14:59:36 -0400

Hm. If "ASA" refers to the Cisco Adaptive Security Appliance, there is a
possible explanation - whoever configured the device enabled the
"service resetinbound" option:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1348346

The ICMP probe might then be dropped, and the probe to 80/tcp replied
with an RST. Hard then to determine what is going on just by looking at
a packet capture and with no additional info. My money would be on
"resetinbound" plus ACL dropping ICMP echo request. But it could also be
that the ruleset drops indeed ICMP echo request, but has an entry that
says "permit tcp any host X" - and host X isn't actually listening on
80/tcp.

Dario
 

> -----Original Message-----
> From: nmap-dev-bounces_at_insecure.org
> [mailto:nmap-dev-bounces_at_insecure.org] On Behalf Of Fyodor
> Sent: Monday, October 22, 2007 7:47 PM
> To: Pluto
> Cc: nmap-dev_at_insecure.org
> Subject: Re: Maybe bug, with -sP und ASA sending RST for denied networks
>
> On Thu, Oct 18, 2007 at 11:22:01AM +0200, Pluto wrote:
> > Salve,
> >
> > maybe old stuff, just happened to me and can't find something in the docs
> > or elsewhere. When doing the -sP with an ASA in between you and the target,
> > the tcp-syn on port 80 will be answered by a RST from the ASA, thereby making
> > nmap think the host is responding and alive. Of course the results of such
> > a scan are basically useless then.
> >
> > Would it be possible to ignore RST in such a scenario? Or have a command
> > line switch to trigger this?
>
> That can be a problem with port 80. You may want to try a different
> type of ping scan (such as ICMP only) or change the TCP ping probe
> port(s).
>
> -F
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
>

Received on Oct 24 2007
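
An added example, not part of the thread or of Nmap itself: a small triage script for the situation discussed above, where a host counts as "up" only because a RST came back. It assumes the normal output of a current Nmap ping scan run with `--reason` (where `-sP` is now spelled `-sn`); the sample lines are constructed, and the shared-TTL check is a heuristic assumed here, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample in the style of `nmap -sn --reason` normal output.
SAMPLE = """\
Nmap scan report for 10.0.5.1
Host is up, received reset ttl 254 (0.0040s latency).
Nmap scan report for 10.0.5.2
Host is up, received reset ttl 254 (0.0041s latency).
Nmap scan report for 10.0.5.3
Host is up, received reset ttl 254 (0.0039s latency).
Nmap scan report for 10.0.9.7
Host is up, received echo-reply ttl 57 (0.0120s latency).
Nmap scan report for www.example.test (10.0.9.8)
Host is up, received syn-ack ttl 57 (0.0125s latency).
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
UP_RE = re.compile(r"^Host is up, received (\S+)(?: ttl (\d+))?")

def parse_hosts(text):
    """Return [(ip, reason, ttl_or_None)] for every host reported up."""
    hosts, ip = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HOST_RE.match(line)
        if m:
            ip = m.group(1)
            continue
        m = UP_RE.match(line)
        if m and ip:
            ttl = int(m.group(2)) if m.group(2) else None
            hosts.append((ip, m.group(1), ttl))
            ip = None
    return hosts

def rst_only(hosts):
    """Hosts whose only sign of life is a RST, which a firewall may have sent."""
    return [h for h in hosts if h[1] == "reset"]

def shared_rst_ttl(hosts, min_hosts=3):
    """Heuristic (assumption): many RST-only hosts with one TTL hint at a single answering device."""
    ttls = Counter(ttl for _, _, ttl in rst_only(hosts) if ttl is not None)
    if not ttls:
        return None
    ttl, count = ttls.most_common(1)[0]
    return ttl if count >= min_hosts else None

if __name__ == "__main__":
    found = parse_hosts(SAMPLE)
    print("re-probe with another ping type:", [ip for ip, _, _ in rst_only(found)])
    print("TTL shared by RST-only hosts:", shared_rst_ttl(found))
```

Hosts returned by `rst_only` are the ones to re-check with an ICMP-only ping or a different TCP ping port, as suggested in the quoted reply.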
