Nmap Development mailing list archives
Re: TCP Split Handshake and Nmap
From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Jun 2010 23:23:00 -0700
On Tue, Jun 08, 2010 at 11:26:43AM -0600, David Fifield wrote:
On Fri, Jun 04, 2010 at 04:22:55PM +0100, jah wrote:
The attached patch does very little work since the split handshake SYN passes the existing checks for dest port matching a probe source port; it adds a test for the SYN flag right after the test for SYN|ACK for SYN scans.

+ } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {

Just one thing I would change here:

+ } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN) == TH_SYN) {

That way it will work with a SYN|URG or SYN|PSH or something else silly. Putting this test after the SYN|ACK test lets SYN|ACK continue giving the correct reason code.
That's a great point, but it could tip the balance too far in the
other direction. I don't think we should count a SYN|RST as open.
And I have no idea how a Linux or Windows client would treat a SYN|FIN
response. So my suggestion is to basically do as you say, but move it
so it is after the RST test as well as the SYN|ACK test. I just checked
this patch in:
Index: scan_engine.cc
===================================================================
--- scan_engine.cc (revision 18032)
+++ scan_engine.cc (working copy)
@@ -4102,10 +4102,6 @@
/* Yeah! An open port */
newstate = PORT_OPEN;
current_reason = ER_SYNACK;
- } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {
- /* A SYN from a TCP Split Handshake - open port */
- newstate = PORT_OPEN;
- current_reason = ER_SYN;
} else if (tcp->th_flags & TH_RST) {
current_reason = ER_RESETPEER;
if (USI->scantype == WINDOW_SCAN ) {
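Review bot: after this removal the only branch ahead of the RST test is the SYN|ACK one (`newstate = PORT_OPEN; current_reason = ER_SYNACK;`), so a response carrying SYN|ACK|RST is still reported open before `tcp->th_flags & TH_RST` is ever examined; if RST is meant to override every other flag, the `TH_RST` test should become the first branch of the chain rather than the second.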
@@ -4113,6 +4109,10 @@
} else if (USI->scantype == ACK_SCAN) {
newstate = PORT_UNFILTERED;
} else newstate = PORT_CLOSED;
+ } else if (USI->scantype == SYN_SCAN && (tcp->th_flags & TH_SYN)) {
+ /* A SYN from a TCP Split Handshake - http://nmap.org/misc/split-handshake.pdf - open port */
+ newstate = PORT_OPEN;
+ current_reason = ER_SYN;
} else {
if (o.debugging)
error("Received scan response with unexpected TCP flags: %d", tcp->th_flags);
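Review bot: placing the new branch after the RST test gives SYN|RST the closed/ER_RESETPEER outcome, but `(tcp->th_flags & TH_SYN)` still classifies SYN|FIN as open with ER_SYN, a combination the mail above says has unknown client behaviour; if that is not wanted, add `!(tcp->th_flags & TH_FIN)` to the condition or let it fall through to the `Received scan response with unexpected TCP flags` branch. The bare `& TH_SYN` is equivalent to the suggested `== TH_SYN` form for a single-bit mask, so that part is fine.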
As for the name, I think split-handshake-syn is still OK. Maybe it is
a SYN|URG or SYN|PSH, but SYN is still the operative flag here. I
mean we often refer to RST packets when they are technically RST|ACK
because it is the RST which is important in these cases.
Perhaps I should have really moved the RST test to the very top of the
if block. From the current code it looks like a SYN|ACK|RST would
wrongly (IMHO) be considered open.
Cheers,
Fyodor
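As an added illustration, not code from the thread or from Nmap, here is a small C model of the SYN-scan if-chain in the checked-in order versus with the RST test hoisted to the top, run over the flag combinations the thread discusses (SYN|URG, SYN|RST, SYN|ACK|RST, SYN|FIN). The `classify_syn_scan` function, its `rst_first` switch and the assumption that the SYN|ACK test requires both bits set are mine.

```c
#include <stdio.h>
/* TCP flag bits, same values as in <netinet/tcp.h>, redefined so the example builds anywhere. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

enum port_state { PORT_UNKNOWN, PORT_OPEN, PORT_CLOSED };
enum reason { ER_NONE, ER_SYNACK, ER_RESETPEER, ER_SYN };
struct verdict { enum port_state state; enum reason reason; };

/* Model of the SYN-scan part of the if-chain in the patch (assumption: the
 * SYN|ACK test requires both bits set). rst_first == 0 follows the checked-in
 * order SYN|ACK -> RST -> SYN -> unexpected; rst_first != 0 hoists the RST
 * test to the top, the alternative raised at the end of the mail. */
struct verdict classify_syn_scan(unsigned char flags, int rst_first)
{
    struct verdict v = { PORT_UNKNOWN, ER_NONE };
    int is_rst = (flags & TH_RST) != 0;
    int is_synack = (flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK);
    if (rst_first && is_rst) {
        v.state = PORT_CLOSED; v.reason = ER_RESETPEER;
    } else if (is_synack) {
        v.state = PORT_OPEN; v.reason = ER_SYNACK;      /* normal open port */
    } else if (is_rst) {
        v.state = PORT_CLOSED; v.reason = ER_RESETPEER; /* SYN|RST lands here */
    } else if (flags & TH_SYN) {
        v.state = PORT_OPEN; v.reason = ER_SYN;         /* split handshake; also SYN|URG, SYN|PSH, SYN|FIN */
    }
    return v;                                            /* anything else: unexpected flags */
}

int main(void)
{
    static const char *state_name[] = { "unknown", "open", "closed" };
    static const char *reason_name[] = { "-", "syn-ack", "reset", "split-handshake-syn" };
    /* Constructed sample responses covering the corner cases discussed in the thread. */
    unsigned char samples[] = { TH_SYN | TH_ACK, TH_SYN, TH_SYN | TH_URG, TH_SYN | TH_RST,
                                TH_SYN | TH_ACK | TH_RST, TH_SYN | TH_FIN, TH_ACK };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct verdict a = classify_syn_scan(samples[i], 0), b = classify_syn_scan(samples[i], 1);
        printf("flags=0x%02x  checked-in: %-6s %-19s  rst-first: %-6s %s\n", samples[i],
               state_name[a.state], reason_name[a.reason], state_name[b.state], reason_name[b.reason]);
    }
    return 0;
}
```

The table makes the two differences visible: SYN|ACK|RST is open under the checked-in order but closed with RST first, while SYN|FIN is counted open under both.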
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
