Nmap Development mailing list archives

[Patch] Port and Host State Reasons


From: "Eddie Bell" <ejlbell () gmail com>
Date: Wed, 16 May 2007 14:41:20 +0100

This patch is an updated version of one I wrote last year. Essentially
it gives you packet-level detail as to why a port is deemed to be in a
particular state. It is activated with the --reason switch and
supports all scan/ping types.

Interesting ports on scanme.nmap.org (205.217.153.62):
Not shown: 1024 open|filtered ports, 1018 filtered ports
Reason: 2042 no-responses
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack
25/tcp  closed smtp    reset
53/tcp  open   domain  syn-ack
70/tcp  closed gopher  reset
80/tcp  open   http    syn-ack
113/tcp closed auth    reset

Nothing too exciting in those results, but if we scan a more heavily
filtered host we can start to map out firewall rule sets more
accurately.

Interesting ports on *.*.206.186
PORT    STATE    SERVICE     REASON
135/tcp filtered msrpc       admin-prohibited from *.*.206.23
136/tcp filtered profile     no-response
137/tcp filtered netbios-ns  no-response
138/tcp filtered netbios-dgm no-response
139/tcp filtered netbios-ssn no-response

Here we can see that 136-139 are silently filtered (possibly by the
host itself), yet *.*.206.23 filters msrpc.

By using traceroute, on an unfiltered port, we can see what
relationship *.*.206.23 has with *.*.206.186. It looks like this is a
gateway/firewall and we can confirm this by tracing to other nodes on
the same subnet.

TRACEROUTE (using port 21/tcp)
<snip>
22  52.01 srp0-0-0.edge1.l3.hh.*.de (*.*.206.23)
23  51.12 *.*.206.186
</snip>

TRACEROUTE (using port 21/tcp)
<snip>
22  52.01 srp0-0-0.edge1.l3.hh.*.de (*.*.206.23)
23  51.12 *.*.206.190
</snip>

This is (hopefully) a pretty simple patch, but testing and suggestions
are always appreciated :)

thanks
- eddie

Attachment: reason.patch.gz
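As an added example (not part of Eddie's mail or of the patch itself), here is a small Python parser for --reason listings of the shape shown above. It groups each host's ports by (state, reason), pulls out the ports whose reason packet came from a host other than the target (the intermediate filter the mail goes on to identify with traceroute), and flags TCP rows whose state disagrees with what the reason implies. The input is the two listings from the mail retyped as a constructed literal, masked octets included; the column layout the regex expects is assumed from those listings.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: the two --reason listings quoted in the mail,
# retyped here. The masked octets ("*.*.") are kept exactly as the mail shows them.
SAMPLE_OUTPUT = """\
Interesting ports on scanme.nmap.org (205.217.153.62):
Not shown: 1024 open|filtered ports, 1018 filtered ports
Reason: 2042 no-responses
PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack
25/tcp  closed smtp    reset
53/tcp  open   domain  syn-ack
70/tcp  closed gopher  reset
80/tcp  open   http    syn-ack
113/tcp closed auth    reset

Interesting ports on *.*.206.186
PORT    STATE    SERVICE     REASON
135/tcp filtered msrpc       admin-prohibited from *.*.206.23
136/tcp filtered profile     no-response
137/tcp filtered netbios-ns  no-response
138/tcp filtered netbios-dgm no-response
139/tcp filtered netbios-ssn no-response
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+)")
# Assumed row layout: PORT/PROTO STATE SERVICE REASON [from SRC]
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+)(?:\s+from\s+(?P<src>\S+))?\s*$"
)


class PortReason(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    reason: str
    src: Optional[str]  # host that sent the reason packet, when it was not the target


def parse_reason_output(text: str) -> Dict[str, List[PortReason]]:
    """Group the per-port REASON rows of --reason output under their target host."""
    results: Dict[str, List[PortReason]] = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            results[current].append(PortReason(
                int(m["port"]), m["proto"], m["state"],
                m["service"], m["reason"], m["src"]))
    return dict(results)


def reason_counts(entries: List[PortReason]) -> Counter:
    """How many ports landed in each (state, reason) bucket."""
    return Counter((e.state, e.reason) for e in entries)


def third_party_filters(entries: List[PortReason]) -> Dict[str, List[int]]:
    """Ports whose reason packet came from another host, i.e. an intermediate filter."""
    out: Dict[str, List[int]] = defaultdict(list)
    for e in entries:
        if e.src:
            out[e.src].append(e.port)
    return dict(out)


# State each reason implies for a TCP scan, as the mail's listings show it.
EXPECTED_TCP = {
    "syn-ack": "open",
    "reset": "closed",
    "no-response": "filtered",
    "admin-prohibited": "filtered",
}


def inconsistent(entries: List[PortReason]) -> List[PortReason]:
    """TCP rows whose state does not match what the reason implies (unknown reasons are skipped)."""
    return [e for e in entries
            if e.proto == "tcp" and EXPECTED_TCP.get(e.reason) not in (None, e.state)]


if __name__ == "__main__":
    for host, entries in parse_reason_output(SAMPLE_OUTPUT).items():
        print(host, dict(reason_counts(entries)))
        for src, ports in third_party_filters(entries).items():
            print("  filtered upstream by", src, "for ports", ports)
        for e in inconsistent(entries):
            print("  state/reason mismatch:", e)
```

Run against the sample, the second host reports port 135 as filtered upstream by *.*.206.23 while 136-139 carry no source at all, which is exactly the distinction the mail draws between a third-party filter and a silent drop.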


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
