Vulnerability Development mailing list archives

RE: Bigger bug than expected?
From: "Christophe Grenier" <christophe.grenier () global-secure fr>
Date: Tue, 5 Mar 2002 11:34:16 +0100

There is NO bug.

With correct firewall rules, only TCP and SYN scans work.

  iptables -A INPUT -m state --state INVALID -m limit --limit 4/s -j LOG --log-prefix "INPUT INVALID "
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 4/s -j LOG --log-prefix "TCP INPUT without SYN "
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i eth0 -j to-me
  iptables -A INPUT -i eth1 -j to-me
  iptables -A INPUT -m limit --limit 4/s -j LOG --log-prefix "INPUT bad "
  iptables -A INPUT -j DROP

where to-me is a user-defined rule in which you allow connections to certain ports.

Extract from nmap documentation:
-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes:
<snip>
The idea is that closed ports are required to reply to your probe packet with an RST,
while open ports must ignore the packets in question (see RFC 793 pp 64).

Your stealth packets are dropped by the firewall, check your logs.

        Christophe

--
Global Secure
78, rue de la Condamine
75017 PARIS
Tel : 01 44 70 48 03
Fax : 01 44 70 48 49
Email : cgr () global-secure fr 

-----Original Message-----
From: Justin Piszcz [mailto:war () starband net]
Sent: Thursday 28 February 2002 13:27
To: netfilter () lists samba org
Cc: vuln-dev () securityfocus com; bugtraq () securityfocus com
Subject: Bigger bug than expected?


Further NMAP testing shows the following: (IPTables 1.2.4/Kernel 2.4.18)

nmap -P0 -sT -p 21,80 IP
21/tcp     filtered    ftp
80/tcp     filtered    http

nmap -P0 -sF -p 21,80 IP
21/tcp     open        ftp
80/tcp     open        http

nmap -P0 -sX -p 21,80 IP
21/tcp     open        ftp
80/tcp     open        http

nmap -P0 -sN -p 21,80 IP
21/tcp     open        ftp
80/tcp     open        http
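As an added illustration (not part of the thread, and not nmap's or netfilter's own code), the following Python model reproduces why the ruleset quoted above turns every FIN, Xmas and Null probe into an "open" result while the connect scan reports "filtered": the firewall drops anything that is not a bare SYN to a permitted port, a dropped probe draws no RST, and silence is exactly what nmap of that era reported as "open" for those three scan types (later nmap releases print "open|filtered" for the same silence). The set of listening ports, the ports the to-me chain permits, and port 443 as a closed port are constructed values.

```python
# Added example (not from the original thread): a model of how nmap interprets
# replies to SYN/connect vs FIN/Xmas/Null probes, with and without a stateful
# iptables ruleset that drops every non-SYN "NEW" packet.
from typing import Optional

# TCP flag bits as laid out in RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# First packet each nmap scan type sends. -sT (connect) begins with the same SYN as -sS.
PROBES = {
    "-sT": SYN,
    "-sS": SYN,
    "-sF": FIN,
    "-sX": FIN | PSH | URG,
    "-sN": 0,
}

# Constructed target: ports a service actually listens on.
LISTENING = {21, 80}
# Constructed "to-me" chain: ports the firewall lets a SYN through to (21 and 80 are not in it,
# which is why the thread's connect scan shows them as filtered).
TO_ME_ALLOWED = {22}


def firewall_passes(flags: int, port: int, allowed: set) -> bool:
    """The posted rules in miniature: only a bare SYN to an allowed port reaches the host.

    A FIN/Xmas/Null probe has no conntrack entry, so it is dropped either by the
    '--state INVALID' rule or by the 'tcp ! --syn --state NEW' rule. Both LOG and DROP;
    neither answers with an RST.
    """
    bare_syn = bool(flags & SYN) and not (flags & ACK)
    return bare_syn and port in allowed


def host_reply(flags: int, port: int, listening: set) -> Optional[str]:
    """Reply of an unfirewalled RFC 793 stack: 'SYN-ACK', 'RST' or None (silence)."""
    if flags & SYN:
        return "SYN-ACK" if port in listening else "RST"
    # FIN/Xmas/Null: closed ports answer RST, open ports ignore the segment (RFC 793 p. 64).
    return None if port in listening else "RST"


def probe(scan: str, port: int, firewalled: bool, legacy: bool = True) -> str:
    """nmap's verdict for one probe.

    legacy=True mirrors the 2002-era output quoted in the thread; later nmap releases
    report 'open|filtered' rather than 'open' when a FIN/Xmas/Null probe gets no answer.
    """
    flags = PROBES[scan]
    if firewalled and not firewall_passes(flags, port, TO_ME_ALLOWED):
        reply = None  # silently dropped by the firewall
    else:
        reply = host_reply(flags, port, LISTENING)
    if scan in ("-sT", "-sS"):
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if reply == "RST":
        return "closed"
    return "open" if legacy else "open|filtered"


def scan_report(scan: str, ports, firewalled: bool, legacy: bool = True) -> dict:
    """Verdict per port for one scan type, e.g. {21: 'open', 80: 'open'}."""
    return {p: probe(scan, p, firewalled, legacy) for p in ports}


if __name__ == "__main__":
    ports = [21, 80, 443]  # 443 is constructed as a closed port
    for scan in PROBES:
        print(scan, "no firewall:", scan_report(scan, ports, firewalled=False))
        print(scan, "   firewall:", scan_report(scan, ports, firewalled=True))
```

Run stand-alone, the firewalled rows for -sF, -sX and -sN mark the closed port 443 "open" just like 21 and 80, which is the point of the reply: the scan is not seeing the services, it is seeing the firewall's silence, and the matching "INPUT INVALID" / "TCP INPUT without SYN" log lines are where that silence is recorded.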



