
| Subject: | Re: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ? |
|---|---|
| Date: | Tue, 11 Jan 2005 17:09:46 -0200 |
Jeff Gercken
For port scanning with the TCP/SYN technique:
nmap -sS -P0 -n -p<port or range port> <host target>
nmap -sT -P0 -n -p<port or range port> <host target>
Look at the format of the command:
TCP SYN
# nmap -sS -P0 -n -p135-137 --packet_trace <ip target>
TCP Vanilla Connect
# nmap -sT -P0 -n -p135-137 --packet_trace <ip target>
Bye
Sandro Melo
Which version of Nmap? What OS is it running on? Is it a virtual machine?
With nmap 3.55 on Gentoo 2004.3 w/ kernel 2.4.25 I get:
nmap -sT -P0 -p135-136 spork
135/tcp open msrpc
136/tcp closed profile

nmap -sS -P0 -p135-136 spork
135/tcp open msrpc
136/tcp closed profile
-Jeff
-----Original Message-----
From: S C [mailto:contrera@eig.unige.ch] Sent: Friday, January 07, 2005 11:40 AM
To: focus-linux@securityfocus.com
Subject: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
Hi
When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with NMAP (NMAP running on machine A), NMAP gives me two different outputs depending on the option used (-sS or -sT).
1/ When the command line is: nmap.exe -sS -p 135-136 -P0 192.168.254.10
The output is:
Port State Service
135/tcp open msrpc
136/tcp closed profile
I made a dump of the packets generated by NMAP with Ethereal:
No Source Destination Protocol Info
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
2/ When the command line is: nmap.exe -sT -p 135-136 -P0 192.168.254.10
The output is:
Port State Service
135/tcp open msrpc
136/tcp filtered profile
I made a dump of the packets generated by NMAP with Ethereal:
No Source Destination Protocol Info
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
If we look at the packets corresponding to port 136, the packet sequence is always the same (regardless of whether I use the -sS or -sT option):
A > B [SYN]
B < A [RST, ACK]
So my question is:
Why does NMAP say that port 136 is closed in case 1/ and filtered in case 2/, whereas the packets generated are the same?
Is this a bug? Or am I forgetting something?
Thanks for your responses..
SC
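Added example, not part of this thread: a small Python classifier that applies nmap's documented state rules (SYN/ACK means open, RST means closed, no reply means filtered, for both -sS and -sT) to the Ethereal summary lines quoted in the post above. The traces are copied from the post; the extra port 137 probe in the SYN trace is constructed here to show the no-reply case. It shows that a [RST, ACK] reply should yield "closed" under either scan type, which is what Jeff's Linux run reports.

```python
import re

# Ethereal summary lines copied from the two captures quoted in the post above.
# The port 137 probe in the SYN trace is constructed here to show the no-reply case.
SYN_SCAN_TRACE = """\
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
6 192.168.254.2 192.168.254.10 TCP 3501 > 137 [SYN]
"""
CONNECT_SCAN_TRACE = """\
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
"""

# "<no> <src> <dst> TCP <sport> > <dport> [<flags>]"
LINE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s+>\s+(\d+)\s+\[([^\]]*)\]")

def classify_ports(trace, scanner, target):
    """Return {port: state} using nmap's documented rules, identical for -sS and -sT:
    SYN/ACK from the target -> open, RST from the target -> closed,
    no reply from the target at all -> filtered."""
    probed, first_reply = {}, {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        flagset = {f.strip() for f in flags.split(",")}
        if src == scanner and dst == target and flagset == {"SYN"}:
            probed.setdefault(int(dport))                # our probe to a target port
        elif src == target and dst == scanner and int(sport) in probed:
            first_reply.setdefault(int(sport), flagset)  # keep the first reply only
    states = {}
    for port in probed:
        flagset = first_reply.get(port, set())
        states[port] = ("open" if {"SYN", "ACK"} <= flagset else
                        "closed" if "RST" in flagset else
                        "filtered" if not flagset else "unknown")
    return states
```

Running it over both traces gives port 136 as closed in each case; a "filtered" result only appears for a probe that drew no reply, like the constructed port 137 line.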