Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Nmap/netwag problem.
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 11 Aug 2005 08:09:05 +0200

Pete Herzog wrote:

Anyway. a 'full connect' scan (one that performs the complete three-way
handshake will _always_ (?) be the most reliable.
My sugeestion is to perform either a nmap connect scan on the ports from
both results or to manually telnet to the ports and see the response.

I have to disagree with you here.  A full connect scan is not the most
reliable.  There are many security defensive processes now which require
proper protocol queries to provide a response- I see this very often
with web ports.  If you send anything other than a http request, you
will not see a service behind the web port.

Excuse me? Are you suggesting that if I send a Syn to port 80, and don't get a Syn/Ack back, I should just go ahead and send a "GET / HTTP/1.0", in case there is some kind of application level firewall that will only pass my original Syn if it sees a valid HTTP request following it?

Sounds like someone is redefining TCP, to me!

I can't imagine any TCP/IP implementation (bar Microsoft, of course!) that would be so braindead, and would actually do anything further if the Syn/Ack was never received.

At the very least, once the full TCP connect scan has identified that there IS a service running on a particular port, you can then try to identify the service by prodding it with various protocols, and seeing which respond. I certainly agree with your statement that many services do not respond with layer 4 (?) protocol data, if the input is not well-formed.

But the original statement was with regards to identifying that a (ANY) service is actually listening on a particular port. And I tend to agree that a full connect scan is more reliable than a Syn scan.



FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]