Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: nmap -sT localhost showing ephemeral ports?
From: Robin Wood <robin () digininja org>
Date: Wed, 12 Feb 2014 20:57:04 +0000

On 12 Feb 2014 20:27, "Fyodor" <fyodor () nmap org> wrote:

20:17:03    bonsaiviking $ <ketilmore6>  turns out the nmap -p 1-65000
finding open ports by accident because source port sometimes was equal
destination port. (birthday paradox)
20:17:07    bonsaiviking $ wtf
20:18:58    bonsaiviking $ confirmed on svn r32703
20:19:31    bonsaiviking $ but only with -sT

Yeah, Linux has long had this "feature" (I consider it a bug) where if you
attempt a connect() to a closed port on localhost, sometimes the kernel
will by luck choose the source port of the connection you're trying to
establish to be the same as the destination and you end up effectively
connected to yourself.  Anything you type is echoed back to you.

I think this should be fixed in the kernel.  It is in charge of assigning
the source port and it should check and avoid assigning the port you're
trying to connect to.  After all, it can lead to real-world problems
just port scanners like Nmap.  Suppose you have an application running on
high port and you try to connect to it.  And suppose it has crashed or
wasn't started properly.  You should get a connection refused so you know
what is going on.  Instead the connection can sometimes succeed and get in
this bizarre self-connected state.

Anyway, while I think it should be fixed in the kernel, I don't foresee
that happening.  I reported it to the Linux kernel mailing list nearly 15
years ago and offered to submit a patch, but it was shot down by David
Miller who still seems to be pretty much in charge of Linux networking.
 Here's the thread:


I'd have thought that to anyone reading your bug report it would be obvious
that there is something wrong. He is correct that it is legal to connect to
yourself he just seemed to miss the point.

Is it worth resubmitting it now you have the reputation you do and would
have quite a bit of backing?


So we should probably just work around it ourselves.  The easiest way
be to choose our own source port for each connection and bind() to it
rather than implicitly allow the kernel choose an ephemeral source port.
 We should probably only do this on Linux unless we find the problem on
other systems.  We might limit it to localhost connections too.  Of course
we'd need a loop so that if the bind fails (the port we choose might
already be in use) we can choose another one until we succeed.

You can intentionally create this sort of self-connection with Ncat by
specifying the same source and dest port:

$ ncat -v -p 31338 localhost 31338
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to
Woo!  Self-connected
Woo!  Self-connected

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]