Nmap Development mailing list archives

Re: Nmap does not notice ACK packets


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 03 Feb 2007 08:42:35 -0600

Richard van den Berg wrote:
I am scanning a fairly large network using -sS and I have some hosts
respond to nmap's SYN packet with only an ACK. I know this is a strange
way to behave for a host. Has anyone ever seen this before? It seems
intermittent because when I scan the host a second time, all is good.
Even when I craft the exact same packets using hping2, the host
responds with SYN ACK (as it should).

The thing is, nmap 4.20 never reacts to these ACK packets. The port shows
up as filtered, and is not used to send TCP probes to either. I am not
sure what "state" nmap should give to such a port. Maybe open|filtered ?


Hi

Do you pick up a SYN from the hosts as well? The RFC says it should go
like this:

A -> B  (SYN sequence number X)
A <- B  (ACK sequence number X)
A <- B  (SYN sequence number Y)
A -> B  (ACK sequence number Y)

But, the middle two can get combined as a SYN/ACK packet, hence the
three-way handshake. If you get a SYN as well, then this will start to
make a little more sense, but should(?) still be wrong.

What OS's are these hosts running? Is it the same on all of them?


Thanks,
Kris Katterjohn

Attachment: signature.asc
Description: OpenPGP digital signature
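The handshake steps Kris lays out, together with the bare-ACK reply Richard reports, as an added example that is not part of the thread and not Nmap's own code: a small parser for a raw TCP header and a classifier that maps a reply to a SYN probe onto the port states Nmap reports, with the ACK-only case kept as its own state so it does not silently fall into "filtered". The sample replies are constructed in the block; the probe sequence number and the state names other than open/closed/filtered are assumptions for illustration.

```python
import struct

# TCP flag bits (RFC 793 positions within the flags byte)
SYN, RST, ACK = 0x02, 0x04, 0x10

# "!HHIIBBHHH": src port, dst port, seq, ack, data-offset byte, flags,
# window, checksum, urgent pointer = the 20-byte option-less TCP header
_TCP_HDR = struct.Struct("!HHIIBBHHH")


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header; checksum is left zero (constructed
    sample only, never put on the wire)."""
    offset_byte = 5 << 4  # data offset = 5 words, reserved bits zero
    return _TCP_HDR.pack(sport, dport, seq, ack, offset_byte, flags, window, 0, 0)


def parse_tcp_header(segment):
    """Return the fields a scanner cares about from a raw TCP segment."""
    if len(segment) < _TCP_HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _offset, flags, _win, _csum, _urg = _TCP_HDR.unpack(segment[:_TCP_HDR.size])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def classify_syn_reply(probe_seq, reply):
    """Classify the reply to a SYN probe sent with sequence number probe_seq.

    Returns (state, acks_probe). acks_probe is True when the reply's ACK
    field acknowledges our SYN (a SYN consumes one sequence number, so the
    RFC's "ACK sequence number X" means an ACK field of X+1), False when it
    does not, and None when the ACK field is meaningless (no reply, RST).
    """
    if reply is None:
        return "filtered", None              # nothing came back: drop or lost reply
    hdr = parse_tcp_header(reply)
    flags = hdr["flags"]
    if flags & RST:
        return "closed", None                # RST: nothing listening
    acks_probe = hdr["ack"] == (probe_seq + 1) & 0xFFFFFFFF
    if flags & SYN and flags & ACK:
        return "open", acks_probe            # normal second step of the handshake
    if flags & ACK:
        return "ack-only", acks_probe        # the thread's case: ACK without SYN
    if flags & SYN:
        return "syn-only", False             # the RFC's split step arriving alone
    return "unexpected", acks_probe


def summarize(probe_seq, replies):
    """Count states over a batch of replies (one per probed port/host)."""
    counts = {}
    for reply in replies:
        state, _ = classify_syn_reply(probe_seq, reply)
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample replies to a probe from port 40000 to port 80 with seq 1000
PROBE_SEQ = 1000
SAMPLE_REPLIES = [
    build_tcp_header(80, 40000, 5000, PROBE_SEQ + 1, SYN | ACK),  # healthy open port
    build_tcp_header(80, 40000, 0, PROBE_SEQ + 1, RST | ACK),     # closed port
    build_tcp_header(80, 40000, 5000, PROBE_SEQ + 1, ACK),        # bare ACK, as in the thread
    None,                                                          # no answer at all
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(classify_syn_reply(PROBE_SEQ, reply))
    print(summarize(PROBE_SEQ, SAMPLE_REPLIES))
```

Keeping "ack-only" as a distinct state is the point: a scanner that only knows SYN/ACK, RST and silence reports the bare ACK as filtered, which hides exactly the intermittent behaviour Richard is trying to track down. Whether the ACK field actually acknowledges the probe is worth recording too, since a stray ACK from an unrelated connection would fail that check.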


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
