
NMAP : Different interpretation of "filtered" ports depending on -sS

Subject: NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?
Date: 7 Jan 2005 09:39:43 -0000


Hi
 
When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with NMAP (NMAP on machine A), NMAP gives me two different outputs depending on the options (-sS or -sT).
 

1/    When the command line is : nmap.exe -sS -p 135-136 -P0 192.168.254.10
 
The output is : 
Port          State      Service
135/tcp      open      msrpc
136/tcp      closed    profile
 
I made a dump of the packets generated by NMAP with Ethereal
No     Source             Destination        Protocol     Info
1      192.168.254.2      192.168.254.10     TCP          3501 > 135 [SYN]
2      192.168.254.10     192.168.254.2      TCP          135 > 3501 [SYN, ACK]
3      192.168.254.2      192.168.254.10     TCP          3501 > 135 [RST]
4      192.168.254.2      192.168.254.10     TCP          3501 > 136 [SYN]
5      192.168.254.10     192.168.254.2      TCP          136 > 3501 [RST, ACK]
 

2/     When the command line is : nmap.exe -sT -p 135-136 -P0 192.168.254.10
 
The output is : 
Port           State      Service
135/tcp      open       msrpc
136/tcp      filtered     profile
 
I made a dump of the packets generated by NMAP with Ethereal
No     Source             Destination        Protocol     Info
1      192.168.254.2      192.168.254.10     TCP          4101 > 136 [SYN]
2      192.168.254.10     192.168.254.2      TCP          136 > 4101 [RST, ACK]
3      192.168.254.2      192.168.254.10     TCP          4102 > 135 [SYN]
4      192.168.254.10     192.168.254.2      TCP          135 > 4102 [SYN, ACK]
5      192.168.254.2      192.168.254.10     TCP          4102 > 135 [ACK]
6      192.168.254.2      192.168.254.10     TCP          4102 > 135 [RST, ACK]
7      192.168.254.2      192.168.254.10     TCP          4103 > 136 [SYN]
8      192.168.254.10     192.168.254.2      TCP          136 > 4103 [RST, ACK]
 
If we look at the packets corresponding to port 136, the packet sequence is always (regardless of whether I use the -sS or -sT option) :
 A > B [SYN]
 B < A [RST, ACK]
 
So my question is :
Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/, whereas the packets generated are the same ?
Is this a bug ? Or am I forgetting something ?
 
Thanks for your responses..
 
SC
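
Added example, not part of the original post: a short Python script that re-reads the two captures above and derives each port's state from the replies alone, using the rules Nmap documents for its SYN scan (SYN/ACK means open, RST means closed, no reply means filtered). The names parse and classify are illustrative.

```python
import re

SCANNER, TARGET = "192.168.254.2", "192.168.254.10"
# Packet summaries re-typed from the two Ethereal dumps in the post,
# one packet per line: number, source, destination, protocol, info.
CAPTURE_SS = """\
1 192.168.254.2 192.168.254.10 TCP 3501 > 135 [SYN]
2 192.168.254.10 192.168.254.2 TCP 135 > 3501 [SYN, ACK]
3 192.168.254.2 192.168.254.10 TCP 3501 > 135 [RST]
4 192.168.254.2 192.168.254.10 TCP 3501 > 136 [SYN]
5 192.168.254.10 192.168.254.2 TCP 136 > 3501 [RST, ACK]
"""
CAPTURE_ST = """\
1 192.168.254.2 192.168.254.10 TCP 4101 > 136 [SYN]
2 192.168.254.10 192.168.254.2 TCP 136 > 4101 [RST, ACK]
3 192.168.254.2 192.168.254.10 TCP 4102 > 135 [SYN]
4 192.168.254.10 192.168.254.2 TCP 135 > 4102 [SYN, ACK]
5 192.168.254.2 192.168.254.10 TCP 4102 > 135 [ACK]
6 192.168.254.2 192.168.254.10 TCP 4102 > 135 [RST, ACK]
7 192.168.254.2 192.168.254.10 TCP 4103 > 136 [SYN]
8 192.168.254.10 192.168.254.2 TCP 136 > 4103 [RST, ACK]
"""
LINE = re.compile(r"\s*\d+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s*>\s*(\d+)\s+\[([^\]]+)\]")

def parse(capture):
    """Yield (src, dst, sport, dport, flags) for each packet summary line."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            src, dst, sport, dport, flags = m.groups()
            yield src, dst, int(sport), int(dport), {f.strip() for f in flags.split(",")}

def classify(capture):
    """Map each probed target port to the state(s) implied by the replies on the wire."""
    probes = {}  # (scanner port, target port) -> state of that probe
    for src, dst, sport, dport, flags in parse(capture):
        if (src, dst) == (SCANNER, TARGET) and flags == {"SYN"}:
            probes.setdefault((sport, dport), "filtered")  # no reply seen yet
        elif (src, dst) == (TARGET, SCANNER) and (dport, sport) in probes:
            if {"SYN", "ACK"} <= flags:
                probes[(dport, sport)] = "open"
            elif "RST" in flags:
                probes[(dport, sport)] = "closed"
    states = {}
    for (_, port), state in probes.items():
        states.setdefault(port, set()).add(state)
    return {port: sorted(s) for port, s in sorted(states.items())}

if __name__ == "__main__":
    print(classify(CAPTURE_SS), classify(CAPTURE_ST))
```

Both captures yield closed for port 136 on this basis. With -sT, Nmap does not read the packets itself; it relies on the result returned by the operating system's connect() call.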
 
  
