Nmap Announce mailing list archives

Re: nmap or a rat in the set


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Mon, 15 Feb 1999 18:37:56 -0800

On Tue, 16 Feb 1999, KHOO Guan Chen wrote:
When I tcp scan one port I find that my syslog will report connection
refused from 4 ports. For example:-

[root@daisy]# nmap -sF -p12345 localhost

Starting nmap V. 2.07 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
No ports open for host localhost (127.0.0.1)
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

[root@daisy]# tail /var/log/messages

<snip>

Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 80

This is the port 80 ACK 'ping' scan that nmap does.  Look at the -PI, -PT
and -PB options.

Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 45549

I'm not sure what this is.  If your kernel generates a RST for the port 80
packet instead of dropping it, it might be this reply, but I don't see why
that wouldn't have caused another reply and a little TCP loopback storm...

Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 12345

This is the actual scan packet.

Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 45529

And this looks like another bounce, or something...

It does not matter which port I specify, I will always get a reject for
port 80 also.

UDP scan also produced funny results.
[...snip...]

Doesn't matter what port I specify. I will get connection rejected from
port 80.

Can someone be kind enough to straighten me out? 

Use -PI if you don't want port 80 hits.  The port 80 ACK scan is to get by
firewalls and packet filters that drop ICMP.

-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
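
Added example, not part of the original thread: a Python filter that groups the kernel reject lines quoted above by source and second, and flags bursts where port 80 appears alongside other ports, which is the pattern the reply attributes to nmap's port 80 ACK 'ping' followed by the actual scan packet. The log format is taken from the quoted lines; the function names and the `ping+scan` label are assumptions of this example, and the `192.0.2.10` line is constructed.

```python
import re
from collections import defaultdict

# Matches the kernel "sec:" reject lines quoted in the post.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\ssec:\s"
    r"TCP connection rejected from (?P<src>[\d.]+),\s*port\s*(?P<port>\d+)$"
)
PING_PORT = 80  # port the reply identifies as nmap's ACK 'ping' target

# Constructed sample: the four lines from the post (re-joined), plus one
# made-up unrelated reject from a documentation address.
SAMPLE = """\
Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 80
Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 45549
Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 12345
Feb 15 14:28:00 daisy kernel: sec: TCP connection rejected from 127.0.0.1, port 45529
Feb 15 14:31:12 daisy kernel: sec: TCP connection rejected from 192.0.2.10, port 23
"""

def unwrap(text):
    """Re-join log records that mail wrapping split across lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"^\w{3}\s+\d+\s[\d:]{8}\s", line) or not records:
            records.append(line)      # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of the previous one
    return records

def classify(text):
    """Group rejects by (source, second) and label each burst."""
    bursts = defaultdict(list)
    for rec in unwrap(text):
        m = REJECT.match(rec)
        if m:
            bursts[(m["src"], m["ts"])].append(int(m["port"]))
    result = {}
    for key, ports in bursts.items():
        others = [p for p in ports if p != PING_PORT]
        # Heuristic (assumption): port 80 plus other ports in the same
        # second looks like the ping-then-scan pattern from the reply.
        label = "ping+scan" if PING_PORT in ports and others else "other"
        result[key] = (label, others)
    return result
```

`classify(SAMPLE)` returns one entry per source and second; the ports listed beside a `ping+scan` label are the candidates for the port that was actually scanned.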
