Nmap Announce mailing list archives
More on ACK and Window scanning
From: Fyodor <fyodor () insecure org>
Date: Sun, 26 Mar 2000 15:42:31 -0800 (PST)
For what it is worth, here is a little more information on the ACK and
Window scanning available in the new version of Nmap (technically Window
scan has been there since September when Lamont posted the patch to the
list). These scan types can actually be pretty useful for testing
firewall configurations.
Here are more details (from the newest man page):
-sA ACK scan: This advanced method is usually used to map out firewall rulesets. In particular, it can help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.

This scan type sends an ACK packet (with random looking acknowledgement/sequence numbers) to the ports specified. If a RST comes back, the port is classified as "unfiltered". If nothing comes back (or if an ICMP unreachable is returned), the port is classified as "filtered". Note that nmap usually doesn't print "unfiltered" ports, so getting no ports shown in the output is usually a sign that all the probes got through (and returned RSTs). This scan will obviously never show ports in the "open" state.

-sW Window scan: This advanced scan is very similar to the ACK scan, except that it can sometimes detect open ports as well as filtered/nonfiltered due to an anomaly in the TCP window size reporting by some operating systems. Systems vulnerable to this include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers mailing list archive for a full list.
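The following is an added illustration, not Nmap's code and not part of the original post: a small offline model of the classification rules in the two man page entries above, showing why an ACK probe tells a stateless SYN-blocking filter apart from a stateful firewall, and how the Window scan turns the RST window size of an affected stack into open/closed. The firewall policies, the 8192 window value and the port numbers are constructed for the example.

```python
# Simulation only: nothing is sent on the network.
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Reply:
    kind: str        # "RST" or "ICMP_UNREACH"
    window: int = 0  # TCP window field of a RST (only -sW looks at it)

def classify(scan_type: str, reply: Optional[Reply]) -> str:
    """Port-state rules from the man page. scan_type is 'A' (-sA) or 'W' (-sW)."""
    if reply is None or reply.kind == "ICMP_UNREACH":
        return "filtered"            # nothing came back, or ICMP unreachable
    if reply.kind != "RST":
        raise ValueError("an unsolicited ACK is answered by RST or not at all")
    if scan_type == "A":
        return "unfiltered"          # -sA can never report "open"
    # -sW: on the affected stacks a RST from an open port carries a non-zero
    # window, while a RST from a closed port carries window 0.
    return "open" if reply.window > 0 else "closed"

def stateless_filter_passes(flags: str) -> bool:
    """Simple packet filter that only drops incoming SYNs (assumed policy)."""
    return "S" not in flags          # a bare ACK is let through

def stateful_firewall_passes(dport: int, sessions: Set[int]) -> bool:
    """Stateful firewall: a bare ACK passes only for an established session."""
    return dport in sessions         # the probe's random seq/ack matches none

def host_reply(dport: int, open_ports: Set[int], quirky_stack: bool) -> Reply:
    """Target stack answers an unsolicited ACK with RST; quirky stacks leak the window."""
    leaked = 8192 if (quirky_stack and dport in open_ports) else 0  # constructed value
    return Reply("RST", window=leaked)

def scan(scan_type: str, ports, passes, open_ports: Set[int], quirky=False) -> dict:
    """Send one modelled probe per port through a firewall policy and classify it."""
    return {p: classify(scan_type,
                        host_reply(p, open_ports, quirky) if passes(p) else None)
            for p in ports}

if __name__ == "__main__":
    ports, open_ports = [22, 23, 80], {22, 80}
    # Stateless SYN-blocking filter: every ACK gets a RST back -> all "unfiltered"
    print(scan("A", ports, lambda p: stateless_filter_passes("A"), open_ports))
    # Stateful firewall with no matching session: nothing comes back -> "filtered"
    print(scan("A", ports, lambda p: stateful_firewall_passes(p, set()), open_ports))
    # Window scan against a quirky stack with no firewall: open vs closed is visible
    print(scan("W", ports, lambda p: True, open_ports, quirky=True))
```

The second run is the case the man page describes: an all-"filtered" ACK scan behind a firewall is the signature of stateful inspection, whereas an all-"unfiltered" result (nothing printed) means the bare ACKs reached the host.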
Cheers,
Fyodor