Nmap Development mailing list archives

Re: TCP Split Handshake and Nmap
From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Jun 2010 23:23:00 -0700

On Tue, Jun 08, 2010 at 11:26:43AM -0600, David Fifield wrote:
On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
The attached patch does very little work since the split handshake SYN
passes the existing checks for dest port matching a probe source port;
it adds a test for the SYN flag right after the test for SYN|ACK for SYN

+         } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {

Just one thing I would change here:

+         } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN) == TH_SYN) {

That way it will work with a SYN|URG or SYN|PSH or something else silly.
Putting this test after the SYN|ACK test lets SYN|ACK continue giving
the correct reason code.

That's a great point, but it could tip the balance too far in the
other direction.  I don't think we should count a SYN|RST as open.
And I have no idea how a Linux or Windows client would treat a SYN|FIN
response.  So my suggestion is to basically do as you say, but move it
so it is after the RST test as well as the SYN|ACK test.  I just checked
this patch in:

Index: scan_engine.cc
--- scan_engine.cc      (revision 18032)
+++ scan_engine.cc      (working copy)
@@ -4102,10 +4102,6 @@
            /* Yeah!  An open port */
            newstate = PORT_OPEN;
            current_reason = ER_SYNACK;
-         } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {
-           /* A SYN from a TCP Split Handshake - open port */
-           newstate = PORT_OPEN;
-           current_reason = ER_SYN;
          } else if (tcp->th_flags & TH_RST) {
            current_reason = ER_RESETPEER;
            if (USI->scantype == WINDOW_SCAN ) {
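Review bot: removing the split-handshake test from this position leaves the SYN|ACK branch whose body is visible at the top of the hunk (`newstate = PORT_OPEN; current_reason = ER_SYNACK;`) ahead of the `tcp->th_flags & TH_RST` check, so a response carrying SYN|ACK|RST is still reported open with reason ER_SYNACK. If that is not the intended behaviour, move the `TH_RST` test to the top of the if chain so any segment with RST set is classified as a reset first, and say so in the commit message.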
@@ -4113,6 +4109,10 @@
            } else if (USI->scantype == ACK_SCAN) {
              newstate = PORT_UNFILTERED;
            } else newstate = PORT_CLOSED;
+         } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN)) {
+           /* A SYN from a TCP Split Handshake - http://nmap.org/misc/split-handshake.pdf - open port */
+           newstate = PORT_OPEN;
+           current_reason = ER_SYN;
          } else {
            if (o.debugging)
              error("Received scan response with unexpected TCP flags: %d", tcp->th_flags);
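Review bot: the new condition `(tcp->th_flags & TH_SYN)` now sits after the `TH_RST` branch, so SYN|RST is handled as a reset, but SYN|FIN still falls through to this branch and is recorded as open with reason ER_SYN. Since the thread is unsure how real stacks treat SYN|FIN, consider `(tcp->th_flags & (TH_SYN | TH_FIN)) == TH_SYN` so that such a segment reaches the `else` branch and the existing "Received scan response with unexpected TCP flags" debug message instead. Also, the comment line carrying the split-handshake URL runs well past 80 columns and should be wrapped.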

As for the name, I think split-handshake-syn is still OK.  Maybe it is
a SYN|URG or SYN|PSH, but SYN is still the operative flag here.  I
mean we often refer to RST packets when they are technically RST|ACK
because it is the RST which is important in these cases.

Perhaps I should have really moved the RST test to the very top of the
if block.  From the current code it looks like a SYN|ACK|RST would
wrongly (IMHO) be considered open.
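As an added illustration (not code from this thread or from Nmap itself), the following C toy model compares the branch order committed above with the RST-first order Fyodor mentions at the end. The flag constants, state and reason names, and the SYN|ACK condition are constructed stand-ins, since only the branch bodies appear in the hunk.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the names used in the patch; the flag values
   mirror the standard TCP header bits. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

enum port_state { PORT_UNKNOWN, PORT_OPEN, PORT_CLOSED };
enum reason { ER_NONE, ER_SYNACK, ER_SYN, ER_RESETPEER };
struct verdict { enum port_state state; enum reason reason; };

/* Branch order as committed: SYN|ACK, then RST, then split-handshake SYN.
   The SYN|ACK test itself is not visible in the hunk and is assumed here. */
struct verdict classify_committed(uint8_t flags) {
    struct verdict v = { PORT_UNKNOWN, ER_NONE };
    if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
        v.state = PORT_OPEN;   v.reason = ER_SYNACK;   /* SYN|ACK|RST lands here too */
    } else if (flags & TH_RST) {
        v.state = PORT_CLOSED; v.reason = ER_RESETPEER; /* SYN|RST is a reset, not open */
    } else if (flags & TH_SYN) {
        v.state = PORT_OPEN;   v.reason = ER_SYN;       /* SYN, SYN|PSH, SYN|URG ... */
    }
    return v;
}

/* Variant Fyodor considers at the end of the mail: RST tested first, so
   SYN|ACK|RST is reported as a reset rather than an open port. */
struct verdict classify_rst_first(uint8_t flags) {
    struct verdict v = { PORT_UNKNOWN, ER_NONE };
    if (flags & TH_RST) {
        v.state = PORT_CLOSED; v.reason = ER_RESETPEER;
    } else if ((flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) {
        v.state = PORT_OPEN;   v.reason = ER_SYNACK;
    } else if (flags & TH_SYN) {
        v.state = PORT_OPEN;   v.reason = ER_SYN;
    }
    return v;
}

int main(void) {
    /* Constructed sample responses: the cases discussed in the thread. */
    uint8_t samples[] = { TH_SYN | TH_ACK, TH_SYN, TH_SYN | TH_PSH,
                          TH_SYN | TH_RST, TH_SYN | TH_ACK | TH_RST, TH_SYN | TH_FIN };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("flags=0x%02x committed=%d rst_first=%d\n", samples[i],
               classify_committed(samples[i]).state, classify_rst_first(samples[i]).state);
    return 0;
}
```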


Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
