Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Nmap/netwag problem.
From: Kaj Huisman <kaj.huisman () gmail com>
Date: Mon, 15 Aug 2005 19:12:06 +0200

Paul J Docherty wrote:
# nmap -P0 -p80,99,113 scanme.nmap.org

As you can see above, Nmap starts by sending a SYN probe back to each
of the three ports.  Port 113 replies with the RA (RST/ACK) flags and
thus is listed by Nmap as closed.  Port 80 returns SA (SYN/ACK) and so
is listed as open.  Port 99 does not reply, so Nmap retransmits after
1.1 seconds.  There is still no reply, so Nmap lists the port as

There remains a difference
# nmap -sT -P0 -p80,99,113
if syn_ack_from_server,ack_to_server, wait, port = open
if syn_rst_from_server, port = closed
else, retry x times
port = filtered
#nmap -sS -P0 -p80,99,113
if reply_from_server: syn_rst/aka closed/ do nothing
                      syn_ack/aka open/->to_server_syn_rst
else retry x times
port = filtered

While connecting an error may occur, for this example it occurs at time of the server receival of the package with ack. If i set iptables to reject input packets with the ack bit set, it would result in a 'destination port unreachable' icmp error on the receival of the ack packet from the client. Note specifically here that this packet will not get sent upon receival of a SYN-RST packet, so the -sS scan never notices. Im pretty sure -sT either reports the port as closed or as filtered in this case. Let us try.

(on 192.x.x.a)
# iptables -F
# iptables -P INPUT ACCEPT
# iptables -A INPUT -p tcp --tcp-flags ALL ACK -j REJECT

(on 192.x.x.b)
# nmap -sT 192.168.0.a
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-15 18:10 CEST
All 1663 scanned ports on 192.x.x.a are: closed
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 1.055 seconds

# nmap -sS 192.x.x.a ( http://www.insecure.org/nmap/ ) at 2005-08-15 18:10 CEST
Interesting ports on 192.x.x.a:
(The 1661 ports scanned but not shown below are in state: closed)
21/tcp open  ftp
22/tcp open  ssh
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 1.304 seconds

# telnet 192.x.x.a 21
Escape char ^H
                // <--nothing happens

This will keep the server in SYN_RECV for a bunch of minutes.

I hope this explains as of why the -sT is the most reliable method of verifying if a port is open (aka connect(); == success) or not.


We have however diverted away from the original question (about a box with port 80 and 1723 either open or filtered and ways to narrow down your results). I suggest we end this thread.


FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]