Nmap Development mailing list archives

Re: TCP Split Handshake and Nmap
From: Fyodor <fyodor () insecure org>
Date: Mon, 7 Jun 2010 17:49:45 -0700

On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:

> I've had a crack at it:
>
> 8080/tcp open  http-proxy split-handshake-syn

Looks good to me!  It is good that you remembered to update
ER_ICMPCODE_MOD and ER_ICMPTYPE_MOD.  That part is tricky (and, I
suppose, unfortunate).  The whole portreasons.h is probably more
confusing than it needs to be.

> What do you think about the choice of reason string?

Well, another option would be to just put "syn" to correspond with the
other reasons like "syn-ack", but I think that approach does not
sufficiently emphasize how remarkable this case is.  I also thought
about simultaneous-open-syn, as that is a valid description too.  But
in the end, I think I like your split-handshake-syn best.

Please apply your patch.  I have just updated the man page to reflect
this change by adding:

  The port is also considered open if a SYN packet (without the ACK
  flag) is received in response.  This can be due to an extremely rare
  TCP feature known as a simultaneous open or split handshake connection
  (see <ulink url="http://nmap.org/misc/split-handshake.pdf"/>).

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
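
The rule in the man page text quoted above (a reply carrying SYN without ACK also marks the port open), shown as an added example that is not part of the original message and is not Nmap's code. `classify_syn_reply` and `make_header` are hypothetical names, the header bytes are constructed, and every result string other than `syn-ack` and `split-handshake-syn` is this example's own label.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits (RFC 793); the flags live in byte 13 of the TCP header. */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical helper: classify the TCP reply to a SYN probe.
 * Returns a reason label and stores "open", "closed" or "unknown" in *state. */
const char *classify_syn_reply(const uint8_t *tcp, size_t len, const char **state)
{
    *state = "unknown";
    if (tcp == NULL || len < 20)
        return "truncated";                 /* shorter than a minimal TCP header */
    /* Data offset: high nibble of byte 12, counted in 32-bit words. */
    size_t hdrlen = (size_t)(tcp[12] >> 4) * 4;
    if (hdrlen < 20 || hdrlen > len)
        return "bad-header";
    uint8_t flags = tcp[13];
    if (flags & TH_RST) { *state = "closed"; return "reset"; }
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
        *state = "open";                    /* ordinary three-way handshake reply */
        return "syn-ack";
    }
    if (flags & TH_SYN) {                   /* SYN without ACK: the rare case */
        *state = "open";
        return "split-handshake-syn";
    }
    return "unexpected-flags";
}

/* Constructed sample: minimal 20-byte TCP header from port 8080. */
static void make_header(uint8_t out[20], uint8_t flags)
{
    memset(out, 0, 20);
    out[0] = 0x1f; out[1] = 0x90;           /* source port 8080 */
    out[12] = 5 << 4;                       /* data offset 5 words = 20 bytes */
    out[13] = flags;
}

int main(void)
{
    uint8_t h[20];
    const char *state;
    make_header(h, TH_SYN);
    printf("8080/tcp %s %s\n", classify_syn_reply(h, sizeof h, &state), state);
    return 0;
}
```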
