Nmap Announce mailing list archives

Re: Nmap bug or am I missing something.


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Fri, 12 Mar 1999 11:26:10 -0800

On Wed, 10 Mar 1999, Frank W. Keeney wrote:
> Unfortunately nmap "incorrectly" reports all the scanned ports open.
> [...]
> nmap -sF -f -n -P0 -vv -p 20-25,250-270,5900 x.x.x.x

The problem with FIN scans is that nmap has no way to differentiate
between a packet to a closed port which was dropped due to a packet filter
or something like that and a packet to an open port which was dropped as
per a normal FIN scan.

The basic way a FIN scan works is:

1. Send FIN 
  2a. Receive RST - port closed
  2b. Dropped packet - port open

If a packet gets dropped due to a packet filter then it gets reported as
being open.

> x.x.x.x.5900 > (nmap host).xxxx ack    (abbreviated)
> x.x.x.x.256 > (nmap host).xxxx ack
> x.x.x.x.257 > (nmap host).xxxx ack
> x.x.x.x.258 > (nmap host).xxxx ack
> x.x.x.x.259 > (nmap host).xxxx ack
>
> On the firewall ports 256-259 and 5900 are open. The response in tcpdump
> is 100%!

I don't know, but it looks like your firewall is one of the ones that
isn't fin-scannable (broken according to the RFC) and reports a RST|ACK in
response to a FIN on an open port and then all your closed ports are
firewalled so you don't see the responses for closed ports, or
something...

Try turning off the services on one of 5900,256-259 and see if you still
get a RST|ACK to the closed port.
 
-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
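The FIN-scan inference Lamont describes, and his suggested "turn the service off and probe again" check, as an added example that is not part of the original thread. The Target model, its port sets and the rfc793_fin switch are constructed for illustration, not taken from nmap.

```python
from dataclasses import dataclass, field

@dataclass
class Target:
    """Constructed model of a scanned host (not a real host)."""
    open_ports: set
    filtered_ports: set = field(default_factory=set)  # probes silently dropped by a filter
    rfc793_fin: bool = True  # True: open port ignores a bare FIN; False: it answers RST|ACK

    def reply_to_fin(self, port):
        """'RST' if the bare FIN is answered, None if nothing comes back."""
        if port in self.filtered_ports:
            return None                      # filter drops the probe: silence either way
        if port in self.open_ports:
            return None if self.rfc793_fin else "RST"
        return "RST"                         # closed port: RFC 793 answers with a reset

def fin_scan(target, ports):
    """The rule from the thread: RST -> closed, silence -> open.
    Silence is labelled open|filtered here because a dropped probe looks identical."""
    return {p: "closed" if target.reply_to_fin(p) == "RST" else "open|filtered"
            for p in ports}

def fin_scan_is_trustworthy(target, port):
    """Lamont's check: stop the service on a port the scan calls open and probe again.
    If the reply is the same with and without the service, the host's answer does not
    depend on port state and FIN results for it tell you nothing."""
    with_service = target.reply_to_fin(port)
    without_service = Target(target.open_ports - {port}, target.filtered_ports,
                             target.rfc793_fin).reply_to_fin(port)
    return with_service != without_service
```

A compliant host behind a filter that drops probes to its closed ports yields "open|filtered" for every port, which is the ambiguity the thread is about; a stack that resets open ports makes them look closed instead.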
