Re: TCP Split Handshake and Nmap
From: Fyodor <fyodor () insecure org>
Date: Mon, 7 Jun 2010 17:49:45 -0700
On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
> I've had a crack at it:
>
> PORT     STATE SERVICE    REASON
> 8080/tcp open  http-proxy split-handshake-syn
Looks good to me! It is good that you remembered to update
ER_ICMPCODE_MOD and ER_ICMPTYPE_MOD. That part is tricky (and, I
suppose, unfortunate). The whole portreasons.h is probably more
confusing than it needs to be.
> What do you think about the choice of reason string?
Well, another option would be to just put "syn" to correspond with the
other reasons like "syn-ack", but I think that approach does not
sufficiently emphasize how remarkable this case is. I also thought
about simultaneous-open-syn, as that is a valid description too. But
in the end, I think I like your split-handshake-syn best.
Please apply your patch. I have just updated the man page to reflect
this change by adding:
The port is also considered open if a SYN packet (without the ACK
flag) is received in response. This can be due to an extremely rare
TCP feature known as a simultaneous open or split handshake connection
(see <ulink url="http://nmap.org/misc/split-handshake.pdf"/>).
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
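
The rule discussed in this message (a bare SYN reply to a SYN probe marks the port open, with reason split-handshake-syn) can be illustrated by classifying raw TCP reply headers by their flag byte. This is an added example, not part of the original message and not Nmap's own code; the function names, the `unexpected-flags` label and the sample headers are assumptions constructed for illustration, and ICMP replies are not handled.

```python
import struct

# TCP flag bits as defined in RFC 793
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def make_header(flags, sport=8080, dport=40000):
    """Build a constructed 20-byte TCP header (no options, zero checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       1024, 0, 0)


def tcp_flags(segment):
    """Return the flag byte of a raw TCP header, rejecting malformed input."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_byte, flags = struct.unpack_from("!BB", segment, 12)
    if (offset_byte >> 4) < 5:  # data offset is counted in 32-bit words
        raise ValueError("invalid TCP data offset")
    return flags


def classify_syn_probe_reply(segment):
    """Map the reply to a SYN probe onto (state, reason).

    segment is the raw TCP header of the reply, or None if nothing arrived.
    """
    if segment is None:
        return ("filtered", "no-response")
    flags = tcp_flags(segment)
    if flags & SYN and flags & ACK:
        return ("open", "syn-ack")              # ordinary handshake reply
    if flags & RST:
        return ("closed", "reset")
    if flags & SYN:
        # SYN without ACK: simultaneous open / split handshake
        return ("open", "split-handshake-syn")
    # Hypothetical label for replies this sketch does not interpret
    return ("unknown", "unexpected-flags")


if __name__ == "__main__":
    samples = {"SYN/ACK": make_header(SYN | ACK), "SYN": make_header(SYN),
               "RST/ACK": make_header(RST | ACK), "none": None}
    for name, reply in samples.items():
        print(name, classify_syn_probe_reply(reply))
```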