Nmap Development mailing list archives

Re: TCP Split Handshake and Nmap


From: Fyodor <fyodor () insecure org>
Date: Thu, 3 Jun 2010 21:56:37 -0700

On Thu, Jun 03, 2010 at 09:53:45PM -0700, Fyodor wrote:
> On Thu, Jun 03, 2010 at 01:19:15AM +0100, jah wrote:
> It is the SYN without an ACK that we should concern ourselves with (step
> three in Figure 4, step two in Figure 5).  We won't have an ACK number
> to verify, but we should still make sure the dst and src ports match
> the proper values.

I think this would be a very small change to Nmap.  Anyone want to
give it a shot?  It is important that you test the change--the paper
includes a simple ruby script (which you combine with an iptables
rule) to do this.  The patch should include a short comment noting why
this is being done, and providing a link to the paper[1].

Oh, and yes, Jah, we should definitely include a new --reason value
for this.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
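The port-matching check discussed in the quoted message, as an added example that is not Nmap's code or the paper's Ruby script: a small Python classifier that accepts a SYN/ACK as a normal open port only when ports and ACK number match the probe, and a bare SYN as a split-handshake open only when the ports match (the only tie back to the probe, since there is no ACK number to verify). The Probe class, the reason strings and the packet bytes are constructed for this example.

```python
import struct
from dataclasses import dataclass

# TCP flag bits from the header's flags field
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10

@dataclass
class Probe:
    """What we remember about the SYN probe we sent (hypothetical scanner state)."""
    src_port: int   # our ephemeral source port
    dst_port: int   # the port on the target we probed
    seq: int        # initial sequence number of our SYN

def parse_tcp_header(raw: bytes):
    """Return (sport, dport, seq, ack, flags) from a fixed 20-byte TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, seq, ack, off_flags & 0x1FF

def classify_response(probe: Probe, raw: bytes) -> str:
    """Map a reply to a constructed 'reason' string, as a port scanner would."""
    sport, dport, seq, ack, flags = parse_tcp_header(raw)
    # Any reply must come FROM the probed port TO our source port, whatever its type.
    if sport != probe.dst_port or dport != probe.src_port:
        return "unrelated"
    if flags & TH_RST:
        return "closed/reset"
    if flags & TH_SYN and flags & TH_ACK:
        # Normal three-way handshake: the ACK must acknowledge our SYN (seq + 1).
        if ack == (probe.seq + 1) & 0xFFFFFFFF:
            return "open/syn-ack"
        return "unrelated"
    if flags & TH_SYN:
        # Split handshake: a bare SYN carries no ACK number to verify,
        # so the port match above is the only check tying it to our probe.
        return "open/split-handshake"
    return "unrelated"

def build_tcp_header(sport, dport, seq, ack, flags) -> bytes:
    """Constructed sample packets: 20-byte header, data offset 5, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

if __name__ == "__main__":
    probe = Probe(src_port=40000, dst_port=80, seq=1000)
    print(classify_response(probe, build_tcp_header(80, 40000, 5000, 1001, TH_SYN | TH_ACK)))
    print(classify_response(probe, build_tcp_header(80, 40000, 5000, 0, TH_SYN)))
    print(classify_response(probe, build_tcp_header(443, 40000, 5000, 0, TH_SYN)))
```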
