Re: TCP Split Handshake and Nmap

[David Fifield <david () bamsoftware com>]

On Wed, Jun 09, 2010 at 12:58:38AM +0100, jah wrote:
> On 08/06/2010 18:26, David Fifield wrote:
> > On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
> >   
> > > The attached patch does very little work since the split handshake SYN
> > > passes the existing checks for dest port matching a probe source port;
> > > it adds a test for the SYN flag right after the test for SYN|ACK for SYN
> > > scans.
> > >     
> > +         } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {
> >
> > Just one thing I would change here:
> >
> > +         } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN) == TH_SYN) {
> >
> > That way it will work with a SYN|URG or SYN|PSH or something else silly.
> > Putting this test after the SYN|ACK test lets SYN|ACK continue giving
> > the correct reason code.
>
> If we're going make the rule catch all resposes with the SYN bit set
> (and optionally other bits), except for SYN|ACK, perhaps the reason
> string should be changed also because "split-hanshake-syn" wouldn't then
> convey the full information.  We could instead leave the reason string
> as it is and print a message to the effect that a response received was
> evidence of a split handshake and print the tcp flag value.  Or we could
> do both and make the reason string 'syn-other' or something.

We could also add a flags member to struct port_reason to record the
flags, and then print them out separately after the reason, like we do
when handling the TTL and IP address reason information.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/