Nmap Announce mailing list archives
Re: ACK/th_win portscanning
From: "Keith R. Jarvis" <kjarvis () iss net>
Date: Sun, 12 Sep 1999 23:44:05 -0400 (EDT)
Here's a patch to NMAP 2.3 BETA3 which implements -sA which is similar in function to a SYN scan, only it sends out packets with only the ACK bit set and instead of looking for SYN|ACK or RST to differentiate between open/closed ports it looks for th_win being either set (0xf000 or 0x8000) or clear (0x0000). It works against Digital Unix targets, and (I think) IRIX 5.3. It should report filtered ports correctly, unlike FIN scans. I don't think it works against Solaris, HP-UX, Linux or IRIX > 5.3 targets. It is therefore of limited use, but what the hell...
Applies cleanly to BETA5, too. Works against my IRIX 5.3 machine here but not on the 6.5 machine in the other room (like you mentioned). If you don't mind me asking, what led to your uncertainty about it working against 5.3? It does seem to work against HP-UX 10.20 but not Linux 1.2.13. I didn't get a chance to get any captures, I'll try to do this and try some more machines at work tomorrow. Neat patch.

- --krj

-- 
Keith R. Jarvis (kjarvis () iss net)            http://xforce.iss.net
Internet Security Systems, Inc.                 +1-678-443-6149 (direct)
Adaptive Network Security for the Enterprise    +1-678-443-6479 (fax)
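The classification rule described in the patch (a bare-ACK probe is answered with an RST either way; a non-zero th_win in that RST marks the port open, a zero window marks it closed, and no answer means filtered) and the flip side a defender cares about, spotting bare-ACK probes that arrive with no preceding SYN, worked through as an added example. This is not code from the patch or from nmap; the TCP headers are constructed in-line with struct, the host addresses and port lists are made up, and the `detect_ack_probes` heuristic (bare ACK to a port never seen in a SYN from that source) is this example's own assumption, not something the thread describes.

```python
import struct
from collections import defaultdict

# Low five TCP flag bits, as used in the th_flags field.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_FMT = "!HHIIHHHH"  # sport, dport, seq, ack, offset/flags, window, checksum, urgent


def build_tcp_header(sport, dport, flags, window, seq=0, ack=0):
    """Constructed 20-byte TCP header with no options; checksum left zero on purpose."""
    offset_flags = (5 << 12) | flags          # data offset 5 words, flags in the low bits
    return struct.pack(TCP_FMT, sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Pull the fields this example needs out of a raw TCP header."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_FMT, raw[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x01FF, "window": window}


def classify_window_response(reply):
    """Apply the th_win rule from the post to the RST that answers one ACK probe.

    reply is the raw TCP header of the answer, or None when nothing came back
    (the case the post says this scan, unlike a FIN scan, reports as filtered).
    """
    if reply is None:
        return "filtered"
    hdr = parse_tcp_header(reply)
    if not hdr["flags"] & TCP_RST:
        return "unexpected"                   # not an RST: the rule does not apply
    return "open" if hdr["window"] != 0 else "closed"


def scan_sample():
    """Constructed RST replies for three probed ports; the windows match the post's values."""
    replies = {
        22: build_tcp_header(22, 40000, TCP_RST, 0xF000),   # window set -> open
        23: build_tcp_header(23, 40000, TCP_RST, 0x0000),   # window clear -> closed
        25: None,                                           # no answer -> filtered
    }
    return {port: classify_window_response(r) for port, r in replies.items()}


def detect_ack_probes(packets, threshold=10):
    """Defender side (this example's own heuristic, not from the thread).

    packets: iterable of (src_ip, raw_tcp_header) as seen at the target.
    A segment with ACK set and none of FIN/SYN/RST/PSH, sent to a port this source
    never opened a handshake to, is counted as a probe. Sources that hit at least
    `threshold` distinct ports that way are returned.
    """
    handshakes = set()                        # (src, dport) pairs that got a SYN first
    probes = defaultdict(set)
    for src, raw in packets:
        h = parse_tcp_header(raw)
        low = h["flags"] & 0x1F
        if low & TCP_SYN:
            handshakes.add((src, h["dport"]))
        elif low == TCP_ACK and (src, h["dport"]) not in handshakes:
            probes[src].add(h["dport"])
    return {src: sorted(ports) for src, ports in probes.items() if len(ports) >= threshold}


def detection_sample():
    """Constructed traffic: one source sweeping 12 ports with bare ACKs, one normal client."""
    packets = [("192.0.2.10", build_tcp_header(40000, p, TCP_ACK, 1024)) for p in range(1, 13)]
    packets.append(("192.0.2.20", build_tcp_header(50000, 443, TCP_SYN, 65535)))
    packets.append(("192.0.2.20", build_tcp_header(50000, 443, TCP_ACK, 65535)))  # handshake ACK
    return detect_ack_probes(packets)


if __name__ == "__main__":
    print(scan_sample())
    print(detection_sample())
```

The post's own caveat carries over: the open/closed split only means something on stacks that leave th_win non-zero in the RST they send for an unsolicited ACK, so `classify_window_response` will report every port as closed against the targets the post lists as not working. The detection side is the more durable piece: an RST is the correct answer to a stray ACK regardless of window, so the probe is visible in the traffic whether or not the classification works.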
Current thread:
- what's -sM Darxus (Sep 10)
- Re: what's -sM Fyodor (Sep 10)
- ACK/th_win portscanning Lamont Granquist (Sep 10)
- Re: ACK/th_win portscanning Keith R. Jarvis (Sep 12)
- Re: ACK/th_win portscanning Lamont Granquist (Sep 13)
- Re: ACK/th_win portscanning Fyodor (Sep 14)