Nmap Development mailing list archives
Re: TCP Split Handshake and Nmap
From: Fyodor <fyodor () insecure org>
Date: Thu, 3 Jun 2010 21:56:37 -0700
On Thu, Jun 03, 2010 at 09:53:45PM -0700, Fyodor wrote:
> On Thu, Jun 03, 2010 at 01:19:15AM +0100, jah wrote:
>
> It is the SYN without an ACK that we should concern ourselves with (step three in Figure 4, step two in Figure 5). We won't have an ACK number to verify, but we should still make sure the dst and src ports match the proper values. I think this would be a very small change to Nmap. Anyone want to give it a shot? It is important that you test the change--the paper includes a simple ruby script (which you combine with an iptables rule) to do this. The patch should include a short comment noting why this is being done, and providing a link to the paper[1].

Oh, and yes, Jah, we should definitely include a new --reason value for this.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
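Editor's added illustration (not code from Nmap or from anyone in this thread): a small Python sketch of the classification Fyodor describes. A SYN probe normally gets back SYN/ACK (open) or RST (closed); in the split handshake the target answers with its own bare SYN instead, so there is no ACK number to check against our sequence number and the only thing tying the reply to the probe is that the source and destination ports are swapped relative to what we sent. The state/reason strings, the helper names and the sample headers below are assumptions made for this example; the raw TCP headers are constructed in memory, nothing is sent on the wire.

```python
import struct

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Minimal 20-byte TCP header: ports, seq, ack, offset/reserved, flags, window, checksum, urgent
TCP_FMT = "!HHIIBBHHH"


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Construct a TCP header with no options (checksum left zero).
    This is constructed sample input for the example, not a captured packet."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Parse the fixed part of a TCP header into a dict."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_FMT, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def classify_syn_probe_response(probe, reply):
    """Decide what a reply to our SYN probe tells us about the target port.

    probe: dict with the sport, dport and seq of the SYN we sent.
    reply: parsed header of the packet that came back.
    Returns (state, reason); the reason strings are this example's own names,
    not the --reason values Nmap uses."""
    # Regardless of flags, the reply must be addressed from the port we probed
    # back to the port we probed from. For a bare SYN this is the only check
    # available, since there is no ACK number to compare with probe seq + 1.
    if reply["sport"] != probe["dport"] or reply["dport"] != probe["sport"]:
        return ("ignored", "port-mismatch")

    flags = reply["flags"]
    if flags & RST:
        return ("closed", "reset")
    if flags & SYN and flags & ACK:
        # Normal three-way handshake: the ACK number must acknowledge our SYN.
        if reply["ack"] != (probe["seq"] + 1) & 0xFFFFFFFF:
            return ("ignored", "bad-ack")
        return ("open", "syn-ack")
    if flags & SYN:
        # Split handshake: the peer sent its own SYN instead of SYN/ACK.
        # Port check above already passed, so treat the port as open and
        # record a distinct reason so the user can tell the two cases apart.
        return ("open", "split-handshake-syn")
    return ("ignored", "unexpected-flags")


def run_samples():
    """Classify a few constructed replies to one probe; returns the results."""
    probe = {"sport": 40000, "dport": 80, "seq": 1000}
    samples = {
        "syn-ack":        build_tcp_header(80, 40000, 5000, 1001, SYN | ACK),
        "rst":            build_tcp_header(80, 40000, 0, 1001, RST | ACK),
        "bare-syn":       build_tcp_header(80, 40000, 5000, 0, SYN),
        "bare-syn-wrong": build_tcp_header(81, 40000, 5000, 0, SYN),  # wrong source port
        "syn-ack-badack": build_tcp_header(80, 40000, 5000, 4242, SYN | ACK),
    }
    return {name: classify_syn_probe_response(probe, parse_tcp_header(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16s} -> {result}")
```

The port check is deliberately applied before any flag inspection: a stray SYN from an unrelated port must not be mistaken for a split-handshake reply, which is the same reason the ACK number is verified on the SYN/ACK path.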
Current thread:
- TCP Split Handshake and Nmap jah (Jun 02)
- what is ER_INITACK? jah (Jun 02)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 03)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 03)
- Re: TCP Split Handshake and Nmap jah (Jun 04)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 07)
- Re: TCP Split Handshake and Nmap jah (Jun 07)
- Re: TCP Split Handshake and Nmap David Fifield (Jun 08)
- Re: TCP Split Handshake and Nmap jah (Jun 08)
- Re: TCP Split Handshake and Nmap David Fifield (Jun 08)
- Re: TCP Split Handshake and Nmap Fyodor (Jun 10)