Security Basics mailing list archives

NMAP : Different interpretation of "filtered" ports depending on -sS or -sT options. Bug ?


From: S C <contrera () eig unige ch>
Date: 7 Jan 2005 09:39:43 -0000



Hi
 
When scanning machine B (IP=192.168.254.10, no firewall on this machine and no application listening on port 136) with NMAP (NMAP on machine A), NMAP gives me two different outputs depending on the options (-sS or -sT).
 

1/    When the command line is : nmap.exe -sS -p 135-136 -P0 192.168.254.10
 
The output is : 
Port       State    Service
135/tcp    open     msrpc
136/tcp    closed   profile
 
I made a dump of the packets generated by NMAP with Ethereal:
No   Source           Destination      Protocol   Info
1    192.168.254.2    192.168.254.10   TCP        3501 > 135  [SYN]
2    192.168.254.10   192.168.254.2    TCP        135  > 3501 [SYN, ACK]
3    192.168.254.2    192.168.254.10   TCP        3501 > 135  [RST]
4    192.168.254.2    192.168.254.10   TCP        3501 > 136  [SYN]
5    192.168.254.10   192.168.254.2    TCP        136  > 3501 [RST, ACK]
 

2/     When the command line is : nmap.exe -sT -p 135-136 -P0 192.168.254.10
 
The output is : 
Port       State      Service
135/tcp    open       msrpc
136/tcp    filtered   profile
 
I made a dump of the packets generated by NMAP with Ethereal:
No   Source           Destination      Protocol   Info
1    192.168.254.2    192.168.254.10   TCP        4101 > 136  [SYN]
2    192.168.254.10   192.168.254.2    TCP        136  > 4101 [RST, ACK]
3    192.168.254.2    192.168.254.10   TCP        4102 > 135  [SYN]
4    192.168.254.10   192.168.254.2    TCP        135  > 4102 [SYN, ACK]
5    192.168.254.2    192.168.254.10   TCP        4102 > 135  [ACK]
6    192.168.254.2    192.168.254.10   TCP        4102 > 135  [RST, ACK]
7    192.168.254.2    192.168.254.10   TCP        4103 > 136  [SYN]
8    192.168.254.10   192.168.254.2    TCP        136  > 4103 [RST, ACK]
 
If we look at the packets corresponding to port 136, the packet sequence is always (regardless of whether I use the -sS or -sT option):
 A > B [SYN]
 B < A [RST, ACK]
 
So my question is :
Why does NMAP say that port 136 is closed in case 1/, and filtered in case 2/, whereas the packets generated are the same?
Is this a bug? Or am I forgetting something?
 
Thanks for your responses.
 
SC
 
  

