
Nmap Development mailing list archives
Re: TCP Split Handshake and Nmap
From: jah <jah () zadkiel plus com>
Date: Fri, 04 Jun 2010 16:22:55 +0100
Fyodor, All,

I've had a crack at it:

Current Nmap, five-way handshake:

  nmap -sS -p8080 -Pn -n --max-retries 0 -d 192.168.1.21
  ...
  Received scan response with unexpected TCP flags: 16
  Received scan response with unexpected TCP flags: 2
  ...
  PORT     STATE    SERVICE    REASON
  8080/tcp filtered http-proxy no-response

Current Nmap, four-way handshake:

  ...
  Received scan response with unexpected TCP flags: 2
  ...
  PORT     STATE    SERVICE    REASON
  8080/tcp filtered http-proxy no-response

Patched Nmap, five-way handshake:

  ...
  Received scan response with unexpected TCP flags: 16
  Discovered open port 8080/tcp on 192.168.1.21
  ...
  PORT     STATE SERVICE    REASON
  8080/tcp open  http-proxy split-handshake-syn

Patched Nmap, four-way handshake:

  ...
  Discovered open port 8080/tcp on 192.168.1.21
  ...
  PORT     STATE SERVICE    REASON
  8080/tcp open  http-proxy split-handshake-syn

The attached patch does very little work since the split handshake SYN passes the existing checks for dest port matching a probe source port; it adds a test for the SYN flag right after the test for SYN|ACK for SYN scans.

Adding the reason code was a bit of a headfuck, but I seem to have managed it without breaking anything (an echo request ping still yields an echo-reply as the reason, for instance). What do you think about the choice of reason string?

I've also attached the fakestack ruby script for your convenience. The four-way handshake is achieved by commenting-out two lines of the script as per the comment above them, otherwise it does the five-way. The script comments describe its dependencies and I think the following packages are needed in addition:

  libpcap
  libpcap-dev
  ruby
  ruby-dev
  libpcap-ruby
  irb

Regards,
jah
Attachment: fakestack.rb
Attachment: split.patch
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
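Added example, not part of the mail above and not Nmap's or fakestack.rb's own code: a Python model of the SYN-scan decision the patch changes, run over the reply patterns the two fakestack handshakes produce (taken from the scan output quoted in the mail). The names `classify`, `compare_all` and `RESPONSES`, and the position of the RST check relative to the new SYN check, are assumptions.

```python
# Model of Nmap's SYN-scan port-state decision, before and after the
# split-handshake fix described in the mail. Assumed structure, not Nmap code.

# TCP flag bits as Nmap prints them in "unexpected TCP flags: N" messages
# (16 is a bare ACK, 2 is a bare SYN, 18 would be SYN|ACK).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed reply sequences to one SYN probe. The split-handshake rows match
# the flags reported in the mail: five-way sends a bare ACK then a bare SYN,
# four-way sends only the bare SYN.
RESPONSES = {
    "normal-open":   [SYN | ACK],
    "normal-closed": [RST],
    "five-way":      [ACK, SYN],
    "four-way":      [SYN],
    "dropped":       [],          # nothing comes back: filtered
}

def classify(responses, split_handshake_aware):
    """Return (state, reason) for a SYN-scan probe given the replies seen.

    Check order follows the mail: SYN|ACK first, then (patched only) a bare
    SYN, then RST. Any other reply is logged as unexpected and ignored, and
    with no usable reply the port is reported as filtered / no-response.
    """
    for flags in responses:
        if flags & SYN and flags & ACK:
            return "open", "syn-ack"
        if split_handshake_aware and flags & SYN and not flags & ACK:
            return "open", "split-handshake-syn"   # reason string from the patch
        if flags & RST:
            return "closed", "reset"
        print(f"Received scan response with unexpected TCP flags: {flags}")
    return "filtered", "no-response"

def compare_all():
    """Run every reply pattern through the unpatched and patched decision."""
    return {name: (classify(r, False), classify(r, True))
            for name, r in RESPONSES.items()}

if __name__ == "__main__":
    for name, (before, after) in compare_all().items():
        print(f"{name:14s} unpatched={before}  patched={after}")
```

Running it reproduces the mail's four results: both split handshakes come out filtered/no-response without the SYN check and open/split-handshake-syn with it, while the ordinary SYN|ACK and RST cases are unchanged.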
Current thread:
- TCP Split Handshake and Nmap jah (Jun 02)
- what is ER_INITACK? jah (Jun 02)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 03)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 03)
- Re: TCP Split Handshake and Nmap jah (Jun 04)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 07)
- Re: TCP Split Handshake and Nmap jah (Jun 07)
- Re: TCP Split Handshake and Nmap David Fifield (Jun 08)
- Re: TCP Split Handshake and Nmap jah (Jun 08)
- Re: TCP Split Handshake and Nmap David Fifield (Jun 08)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 10)