Nmap Development mailing list archives
Re: Maybe bug, with -sP und ASA sending RST for denied networks
From: Pluto <pluto () stderr de>
Date: Fri, 26 Oct 2007 14:50:59 +0200
On Wed, Oct 24, 2007 at 02:59:36PM -0400, Dario Ciccarone (dciccaro) wrote:
> Hm. If "ASA" refers to the Cisco Adaptive Security Appliance, there is a possible explanation: whoever configured the device enabled the "service resetinbound" option:
> http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1348346
> The ICMP probe might then be dropped, and the probe to 80/tcp answered with an RST. Hard then to determine what is going on just by looking at a packet capture and with no additional info. My money would be on "resetinbound" plus an ACL dropping ICMP echo requests. But it could also be that the ruleset does indeed drop ICMP echo requests, but has an entry that says "permit tcp any host X", and host X isn't actually listening on 80/tcp.
Actually it would be possible to detect such behaviour, as in my experience these devices sit in front of a firewall, so nmap usually sees a great many RSTs: ping is dead *and* all scanned ports are "closed", which is odd and could be noticed. The other thing is, when the TTL of the RST is lower than the TTL of a SYN-ACK, this could be noticed by nmap as well. With hping you get to see these details, so you can differentiate manually.

Regards
--
Pluto - SysAdmin of Hades
Free information! Freedom through knowledge. Wisdom for all!! =:-)
PGP://0xB4BBB4A9?524CB500A8F3EAA2&6A3E5272F9072A17 ICQ: 286852401
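The two heuristics Pluto describes, "ping dead but every probed port answers RST" and "RST TTL inconsistent with SYN-ACK TTL", as an added example in pure Python (not code from the thread, nmap or hping). It runs over constructed reply records standing in for what a scanner or capture would show; the port numbers, TTL values and hop counts are made up for illustration, and the TTL check flags a mismatch in either direction, since a single host's stack should stamp both its RSTs and SYN-ACKs with the same initial TTL and both travel the same path back.

```python
"""Spot a middlebox spoofing RSTs (e.g. a firewall resetting denied traffic)
from per-probe reply records.

Heuristic 1: ICMP echo unanswered while every TCP probe comes back RST.
Heuristic 2: RST and SYN-ACK replies attributed to one host carry different TTLs.
All sample data below is constructed for this example, not a real capture.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reply:
    proto: str           # "icmp" or "tcp"
    port: Optional[int]  # TCP destination port probed; None for ICMP
    kind: str            # "echo-reply", "syn-ack", "rst" or "none" (no answer)
    ttl: Optional[int]   # IP TTL seen on the wire; None when nothing came back


def all_ports_rst_but_ping_dead(replies: List[Reply]) -> bool:
    """Heuristic 1: a real host that answers every port with RST normally answers ping too."""
    tcp = [r for r in replies if r.proto == "tcp"]
    icmp = [r for r in replies if r.proto == "icmp"]
    if not tcp or not icmp:
        return False
    return all(r.kind == "none" for r in icmp) and all(r.kind == "rst" for r in tcp)


def ttl_inconsistency(replies: List[Reply], tolerance: int = 0) -> Optional[Tuple[int, int]]:
    """Heuristic 2: return (rst_ttl, synack_ttl) when the dominant TTLs differ by more
    than `tolerance`, otherwise None. Uses the most common TTL of each kind so that a
    single odd packet does not trigger it."""
    rst = Counter(r.ttl for r in replies if r.kind == "rst" and r.ttl is not None)
    synack = Counter(r.ttl for r in replies if r.kind == "syn-ack" and r.ttl is not None)
    if not rst or not synack:
        return None
    rst_ttl = rst.most_common(1)[0][0]
    synack_ttl = synack.most_common(1)[0][0]
    return (rst_ttl, synack_ttl) if abs(rst_ttl - synack_ttl) > tolerance else None


def initial_ttl_guess(ttl: int) -> int:
    """Smallest common initial TTL (32, 64, 128, 255) at or above the observed value."""
    for init in (32, 64, 128, 255):
        if ttl <= init:
            return init
    return 255


def hop_estimate(ttl: int) -> int:
    """Rough hop count implied by an observed TTL, assuming a standard initial TTL."""
    return initial_ttl_guess(ttl) - ttl


def assess(replies: List[Reply]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked spoofed."""
    findings = []
    if all_ports_rst_but_ping_dead(replies):
        findings.append("ping unanswered but every TCP probe answered with RST: "
                        "likely a device resetting denied traffic, not a live host")
    mismatch = ttl_inconsistency(replies)
    if mismatch:
        rst_ttl, sa_ttl = mismatch
        findings.append(f"RST TTL {rst_ttl} (~{hop_estimate(rst_ttl)} hops) differs from "
                        f"SYN-ACK TTL {sa_ttl} (~{hop_estimate(sa_ttl)} hops): "
                        "RSTs probably originate from a different device")
    return findings


# Constructed scenarios (hypothetical TTLs and ports):
# A: ACL drops ICMP, every TCP probe reset by a device 5 hops away with initial TTL 255.
CASE_RESET_ALL = [Reply("icmp", None, "none", None)] + [
    Reply("tcp", p, "rst", 250) for p in (22, 25, 80, 443)]
# B: ICMP dropped, 22/tcp permitted through to a host 12 hops away (initial TTL 64),
#    other ports reset by the device in front of it (initial TTL 255, 8 hops).
CASE_MIXED = [Reply("icmp", None, "none", None), Reply("tcp", 22, "syn-ack", 52),
              Reply("tcp", 25, "rst", 247), Reply("tcp", 80, "rst", 247)]
# C: an ordinary host with nothing listening; its own stack answers ping and RSTs alike.
CASE_PLAIN_HOST = [Reply("icmp", None, "echo-reply", 52)] + [
    Reply("tcp", p, "rst", 52) for p in (22, 25, 80)]

if __name__ == "__main__":
    for name, case in (("A", CASE_RESET_ALL), ("B", CASE_MIXED), ("C", CASE_PLAIN_HOST)):
        print(name, assess(case) or ["no anomaly"])
```

In practice the records would come from a packet capture taken alongside the scan; the point of the two checks is that each one looks for a contradiction a single real host cannot produce, which is exactly the "odd" pattern Pluto says nmap could notice.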
Current thread:
- Maybe bug, with -sP und ASA sending RST for denied networks Pluto (Oct 20)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Fyodor (Oct 22)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Pluto (Oct 24)
- RE: Maybe bug, with -sP und ASA sending RST for denied networks Dario Ciccarone (dciccaro) (Oct 24)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Pluto (Oct 26)
- RE: Maybe bug, with -sP und ASA sending RST for denied networks Dario Ciccarone (dciccaro) (Oct 26)
- Re: Maybe bug, with -sP und ASA sending RST for denied networks Fyodor (Oct 22)