Nmap Development mailing list archives

Re: SoC: port state reasons


From: Fyodor <fyodor () insecure org>
Date: Sat, 10 Jun 2006 13:21:03 -0700

On Sat, Jun 10, 2006 at 12:14:01PM +0200, Martin Mačok wrote:
> On Fri, Jun 09, 2006 at 03:14:14PM -0700, Fyodor wrote:
>
> With Connect scan you can't even distinguish between RST and some ICMP
> Port Unreachable, see
>
> http://Xtrmntr.org/ORBman/tmp/nmap/nmap-3.95-CONNECT-closedfiltered.patch

Excellent point.  So I guess we probably shouldn't map ECONNREFUSED
connect() error to the reason "RST".  We should probably add a new
reason for this.  Maybe just "ECONNREFUSED".

> It would be good to not limit it to just those two fields ... IP ID,
> MSS, Timestamp or something else could be interesting too. What about
> using p0f for RST packet fingerprinting?

Good points.  Though if someone wants to get too low-level, they may
be better off using --packet-trace and a scan against whichever port
they are interested in.  Or of course they could use a lower-level
tool like hping2.  To the extent that any of these fields aren't shown
in --packet-trace output, I would be happy to accept a patch which
adds them.

Cheers,
-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
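
Added example, not part of the original message and not Nmap code: a connect()-based probe receives only an errno, so the reason it records is named after that errno instead of a packet type such as "RST". The function names and every reason label other than ECONNREFUSED are assumptions made for this illustration.

```c
/* Added example, not Nmap source. Labels other than ECONNREFUSED are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Map the outcome of a blocking connect() to a reason label. The socket API
 * hands back only an errno, so the label names the errno and makes no claim
 * about which packet the kernel received. */
const char *connect_reason(const char *ip, unsigned short port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return "socket-error";
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return "bad-address"; }
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = (rc == 0) ? 0 : errno;   /* save errno before close() can change it */
    close(fd);
    switch (err) {
    case 0:            return "connected";
    case ECONNREFUSED: return "ECONNREFUSED"; /* per the thread: RST or ICMP port unreachable */
    case EHOSTUNREACH: return "EHOSTUNREACH";
    case ENETUNREACH:  return "ENETUNREACH";
    case ETIMEDOUT:    return "ETIMEDOUT";
    default:           return "other-error";
    }
}

/* Demo helper: bind a loopback TCP socket to an ephemeral port and listen only
 * if asked. A bound socket that never listens keeps the port reserved and closed. */
int loopback_socket(int do_listen, unsigned short *port) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ||
        (do_listen && listen(fd, 1) < 0)) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}
```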
