Re: scanme.insecure.org TCP handshake (3.59ALPHA7: About to go gold)

[Martin Mačok <martin.macok () underground cz>]

On Mon, Aug 30, 2004 at 09:30:45PM -0700, Fyodor wrote:

> > % tethereal host scanme.insecure.org
> > Capturing on eth0
> >   0.000000 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [SYN] Seq=3600912504 Ack=0 Win=4096 Len=0
> >   0.205689 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 
> > MSS=1460
> >   0.205728 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
> >   4.251337 205.217.153.55 -> 193.84.252.200 TCP ssh > 44746 [SYN, ACK] Seq=2649899160 Ack=3600912505 Win=5840 Len=0 
> > MSS=1460
> >   4.251355 193.84.252.200 -> 205.217.153.55 TCP 44746 > ssh [RST] Seq=3600912505 Ack=0 Win=0 Len=0
> >  10.042602 205.217.153.55 -> 193.84.252.200 TCP ssh > 53802 [SYN, ACK] Seq=2628604108 Ack=4037269348 Win=5840 Len=0 
> > MSS=1460
> >  10.042622 193.84.252.200 -> 205.217.153.55 TCP 53802 > ssh [RST] Seq=4037269348 Ack=0 Win=0 Len=0
>
> Is tethereal running on the source host?

Yes.

> Maybe the RST isn't making its way to the destination because of
> host firewall rules on the src host?

No, this is probably not the case, because I have tested it against
different targets from different sources and completely different
networks and the problem really seems to be only with the target
host/network.

Anyway, same problem is with www.insecure.org (tested on port 80).

> Have you tried running this on the target to see whether the RST
> packets show up?

I have not tried running tcpdump on scanme.insecure.org (yet :-)) but
I have sent RST packets to different targets over the Internet and
checked they were delivered.

Martin Mačok
IT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org