Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Ncrack on exotic Windows-land
From: Rob Nicholls <robert () robnicholls co uk>
Date: Fri, 26 Jun 2009 11:32:25 +0100

I have no idea why Windows sends the RST, it shouldn't.  The only
explanation I can come up with is that Windows doesn't support one-way
TCP connections.  When I saw this I muttered some anti-Windows,
anti-Microsoft slurs and threw my hands up in disgust.

I've only tried this using ftp on the command line and quitting the FTP
server, but I only see this behaviour (the unusual RST immediately being
sent) if the Windows Firewall is enabled. If I disable it I can see the
final handshaking done properly. I'm not sure if the Windows Firewall is
behind the RST sent to the OSX clients or if this is a separate - but
similar - issue. Can either of you reproduce your issues if the Windows
Firewall is disabled?

I would imagine (for the ncrack issue) that the Windows Firewall knows that
the process has exited (and released it's connection) so it sends a reset
because even if it got a response back there wouldn't be an application
that's listening so it would just get filtered, causing the FTP server to
send more traffic trying to gracefully close the connection.

I can see why it's potentially bad for a firewall - other firewalls may do
the same? - to do this (it should only issue resets in response to a
connection request for a nonexistent connection, and shouldn't be
proactive), but I can understand what they're trying to do. I suspect we'll
have to live/deal with it, especially as the Windows Firewall is on by
default.

Rob


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]