Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Help understanding a trace of an nmap scan
From: Martin Wasson <martin_wasson () mastercard com>
Date: Wed, 8 Sep 2004 14:12:35 -0500






Well, it looks to me like it's going down like this:

14:16:23.428150 host.name.deleted.1073 > other.host.name.daytime: S
2950063922:2950063922(0) win 5840 <mss >>1460,sackOK,timestamp 51097216
0,nop,wscale 0> (DF)

14:16:23.438150 other.host.name.daytime > host.name.deleted.1073: S
1866105343:1866105343(0) ack 2950063923 win >>5792 <mss
1460,sackOK,timestamp 138541011 51097216,nop,wscale 0> (DF)

14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: . ack 1
win 5840 <nop,nop,timestamp 51097217 >>138541011> (DF)

14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R
1:1(0) ack 1 win 5840 <nop,nop,timestamp >>51097217 138541011> (DF)

You're doing a connect scan, so NMAP performs a full connect with the Syn
--  Syn Ack  --  Ack  three way handshake, right.  So NMAP now knows
everything it needs to know about the daytime port...it's up, it's
answering.  So it sends a "reset" packet, because it's threw with that
port.  NMAP was sent to get data, and it's not playing nicely.  So it
performs an "abortive release" with the RST packet, instead of performing
an "orderly release" with a FIN.  Plus, you want NMAP to be fast, right?
NMAP was programmed with the knowledge that an abortive release only takes
ONE packet; a single RST.  Resets are designed to elicit no response,
whatsoever.  It's when you just get the "Dear John" letter instead of your
girlfriend saying "we need to talk".  Heh heh.  So if NMAP has a choice to
either send a FIN, go into a FIN_WAIT state and wait for an ACK and then a
FIN, and then send a final ACK, OR just dump the whole session with a
single RST, the choice is quite clear.  It sends the "Dear John" RESET.
Note that NMAP is providing the target with everything it needs to know; it
has a sequence number and provides an ACK.  Also note that in the second
packet (the SYN - ACK from the target to the host), the target is expecting
byte 2950063923 to be delivered next, but the sequence number it got in the
RST was 1.


Interesting ports on other.host.name (194.153.168.235)

%host 194.153.168.235
235.168.153.194.in-addr.arpa domain name pointer five.fluff.org.
%sed -e "s/other.host.name./five.fluff.org./g" < nmap.out


14:16:23.448150 five.fluff.org.daytime > host.name.deleted.1073: P
1:27(26) ack 1 win 5792 <nop,nop,timestamp >>138541012 51097217> (DF)

But alas, the target TCP doesn't want to accept the fact that it's all
over.  It still has 26 bytes of data in its send buffer that it wants to
clear.  So it sends the data and turns on the PUSH flag.

14:16:23.448150 host.name.deleted.1073 > five.fluff.org.daytime: R
2950063923:2950063923(0) win 0 (DF)

Again, not interested in long goodbyes, NMAP attempts to abort the session
with a RESET packet, but this time it uses the sequence number the target
is expecting, not a sequence number of 1.

14:16:23.448150 five.fluff.org.daytime > host.name.deleted.1073: F
27:27(0) ack 1 win 5792 <nop,nop,timestamp >>138541012 51097217> (DF)

Where this FIN ACK comes from, I honestly don't know.  The target has
received no FIN to FIN ACK, but it DID get the sequence number it was
expecting, so that may be why.

14:16:23.448150 host.name.deleted.1073 > five.fluff.org.daytime: R
2950063923:2950063923(0) win 0 (DF)

Again, the attack box repeats the RST because resets are designed NOT to
elicit a response.


That's my take.  Hope it helps.



Marty Wasson, CISSP



                                                                                                                        
               
                      Richard Moore                                                                                     
               
                      <rich () westpoint l        To:       pen-test () securityfocus com                               
                     
                      td.uk>                   cc:       (bcc: Martin Wasson/STL/MASTERCARD)                            
               
                                               Subject:  Help understanding a trace of an nmap scan                     
               
                      09/06/2004 09:11                                                                                  
               
                      AM                                                                                                
               
                                                                                                                        
               
                                                                                                                        
               




I wonder if anyone can help me make sense of this packet trace. It shows
nmap running a connect scan against port 13 of a host. The part I don't
understand is why there are 3 RST packets sent to the target machine?

If it helps anyone the target host is a Debian box running 2.4.26 Linux
kernel and the source machine was a RedHat box running 2.4.7-10. The
version of nmap used is 3.48.

Cheers

Rich.
--
Richard Moore, Principle Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

14:16:23.098150 host.name.deleted > other.host.name: icmp: echo request
14:16:23.108150 host.name.deleted.45639 > other.host.name.http: . ack
901588830 win 1024
14:16:23.108150 other.host.name > host.name.deleted: icmp: echo reply
14:16:23.108150 other.host.name.http > host.name.deleted.45639: R
901588830:901588830(0) win 0 (DF)
14:16:23.428150 host.name.deleted.1073 > other.host.name.daytime: S
2950063922:2950063922(0) win 5840 <mss 1460,sackOK,timestamp 51097216
0,nop,wscale 0> (DF)
14:16:23.438150 other.host.name.daytime > host.name.deleted.1073: S
1866105343:1866105343(0) ack 2950063923 win 5792 <mss 1460,sackOK,timestamp
138541011 51097216,nop,wscale 0> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: . ack 1
win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R 1:1(0)
ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
Interesting ports on other.host.name (194.153.168.235):
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: P
1:27(26) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R
2950063923:2950063923(0) win 0 (DF)
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: F
27:27(0) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R
2950063923:2950063923(0) win 0 (DF)

------------------------------------------------------------------------------

Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



-----------------------------------------
CONFIDENTIALITY NOTICE  This e-mail message and any attachments are only
for the use of the intended recipient and may contain information that is
privileged, confidential or exempt from disclosure under applicable law.
If you are not the intended recipient, any disclosure, distribution or
other use of this e-mail message or attachments is prohibited.  If you have
received this e-mail message in error, please delete and notify the sender
immediately. Thank you.


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault