Home page logo

pen-test logo Penetration Testing mailing list archives

Re: tcp oddities.
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 14 Sep 2004 22:36:58 -0500

On Tue, 2004-09-14 at 09:29, Josh Nunan wrote:
After syn-scanning an IP block, I noticed that an ip
address in the dns records as a mail server did not
have tcp/25 open... I telnet'd to it... and to my
suprise there was an smtp server sitting on port 25.

It looks like you have an IPS (or smart firewall) inline between
yourself and the mail server. The difference between the nmap SYN packet
and your TCP connect SYN packet is that the nmap SYN packet has a small
window size (1024) whereas your connect attempt sends a SYN packet with
a "normal" window size. Also, the SYN scan SYN packet does not include a
TCP option header that advertises the maximum segment size while the
connect SYN packet does.

So it would appear that you have an intelligent device that is able to
distinguish between an "nmap scan" (window=1024, no MSS) and a normal
connection attempt (window>1024, MSS present and >0).

Which means that for the rest of your engagement you might want to use
connect scans instead of just SYN scans :)


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
  • tcp oddities. Josh Nunan (Sep 15)
    • Re: tcp oddities. Frank Knobbe (Sep 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]