Nmap Development mailing list archives

Help me Obi-Wan Kenobi. You're my only hope! (Need your help understanding the ACK scan.)


From: Daniel Lowrie <daniellowrie290 () gmail com>
Date: Wed, 29 Jun 2016 21:09:34 -0400

Dear NMAP Dev team, and/or Fyodor,

I have been struggling with understanding the nmap -sA scan for the last
week and I could really use your help. According to the documentation, nmap
can distinguish stateful firewalls from stateless firewalls by using the
-sA or ACK scan, but I'm at a loss as to how one would discern that fact
from the nmap output of an ACK scan.

I understand that nmap sends ACK-flagged packets to the target and the
target will respond or not respond based on certain criteria:

1) Target will respond with RST if the port is open or closed and unfiltered.
2) Target will NOT respond at all if the filter is DROPPING traffic.
3) Target will send an ICMP error message if the filter is REJECTING traffic.

That being true, nmap will report any port that responds with RST as
*unfiltered* and all the other ports as *filtered*. This looks something
like this (using an IPTABLES firewall with stateless rule(s)):

$ sudo nmap -sA -T4 192.168.219.135

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 16:35 EDT
Nmap scan report for metasploitable (192.168.219.135)
Host is up (0.00027s latency).
Not shown: 994 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
53/tcp  unfiltered domain
70/tcp  unfiltered gopher
80/tcp  unfiltered http
113/tcp unfiltered ident
MAC Address: 00:0C:29:B7:F7:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.40 seconds

Based on that output, how would one discern whether this was stateful
or stateless?

I've been reading everything I can on the subject, including the nmap book,
and none of the examples makes sense to me. This is basically the same
output as example 10.2 in the nmap book; in fact it is almost identical!
The problem is that the nmap book states that this is the output from nmap
that targeted a host running IPTABLES with STATEFUL rules!

If I can get the same output from a stateless firewall as I can from a
stateful firewall, then how am I supposed to tell from the nmap ACK scan
which firewall I'm encountering?

I'm super frustrated and I really appreciate any help sent my way. If you
can't answer, I understand, but if you can I would be forever in your debt.

Sincerely,

Daniel Lowrie
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
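The following is an added worked example; it is not part of the mail above and not Nmap's own code. Part 1 encodes the three ACK-scan response rules the mail lists, as Nmap's port-scanning documentation states them for -sA (a RST means "unfiltered"; no reply, or an ICMP destination-unreachable error of type 3 with code 0, 1, 2, 3, 9, 10 or 13, means "filtered"). Part 2 shows why a single ACK scan cannot settle the stateful-versus-stateless question and what does: cross-checking each port's -sA state against a SYN scan (-sS) of the same host, which is the comparison the Nmap book's firewall chapter relies on. A stateful firewall drops a bare ACK that matches no tracked connection even on ports where it lets a SYN through; a stateless ACCEPT lets both probes reach the TCP stack. The function names, the reply-tuple shape and the two port tables are assumptions constructed for this example.

```python
"""ACK-scan verdicts and a SYN/ACK cross-check (added example, not from the
mail above or from Nmap's source). Part 1 follows the -sA rules in Nmap's
port-scanning documentation; part 2 is the cross-check used to tell stateful
from stateless filtering. The reply tuples and port tables are constructed."""

# ICMP destination-unreachable (type 3) codes that Nmap counts as "filtered"
# for an ACK probe: net/host/protocol/port unreachable (0-3), net/host
# administratively prohibited (9, 10), communication admin. prohibited (13).
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


def ack_scan_state(reply):
    """Classify one reply to a bare-ACK probe the way -sA does.

    reply is None for no answer (after retransmissions), ("tcp", flags) for a
    TCP segment such as ("tcp", "R"), or ("icmp", type, code) for an ICMP
    error. Returns "unfiltered" or "filtered"; -sA never reports open/closed.
    """
    if reply is None:
        return "filtered"                  # silently dropped (e.g. iptables DROP)
    kind = reply[0]
    if kind == "tcp":
        if "R" in reply[1]:
            return "unfiltered"            # RST: the probe reached the TCP stack
        raise ValueError(f"unexpected TCP flags for an ACK probe: {reply[1]}")
    if kind == "icmp":
        _, icmp_type, icmp_code = reply
        if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
            return "filtered"              # REJECT-style error from a filter
        raise ValueError(f"ICMP type {icmp_type} code {icmp_code} is not an ACK-scan verdict")
    raise ValueError(f"unknown reply kind: {kind}")


def firewall_inference(syn_state, ack_state):
    """Combine one port's -sS state with its -sA state.

    The ACK scan alone is ambiguous: a stateless ACCEPT and no firewall at
    all both yield "unfiltered", and a stateless DROP and a stateful DROP both
    yield "filtered". The SYN scan supplies the missing half: a stateful
    firewall drops a bare ACK that matches no tracked connection even on
    ports it lets SYNs through to.
    """
    pair = (syn_state, ack_state)
    if pair == ("open", "unfiltered"):
        return "reachable: no filtering on this port, or a stateless ACCEPT (both probes pass)"
    if pair == ("closed", "unfiltered"):
        return "reachable: no filtering on this port (host answers both probes with RST)"
    if pair == ("open", "filtered"):
        return "stateful filtering: SYN is let through, a bare ACK with no tracked connection is dropped"
    if pair == ("filtered", "unfiltered"):
        return "stateless filtering: SYN is blocked but a bare ACK is not checked against any state"
    if pair == ("filtered", "filtered"):
        return "filtered both ways: stateful vs stateless cannot be decided from these two scans"
    return f"combination not covered here: {pair}"


def compare_scans(syn_results, ack_results):
    """Per-port inference for every port present in either scan result.

    A port missing from one table is taken as "filtered" in that scan, which
    is what Nmap's "Not shown: N filtered ports" summary line means.
    """
    ports = sorted(set(syn_results) | set(ack_results))
    return {p: firewall_inference(syn_results.get(p, "filtered"),
                                  ack_results.get(p, "filtered")) for p in ports}


# Constructed sample host: 21 closed, 22 and 80 open with no filtering,
# 23 behind a stateless DROP of all traffic, 25 behind a stateless rule that
# drops only SYN segments, 3306 behind a stateful rule that accepts NEW
# connections and drops everything that matches no tracked connection.
SYN_SAMPLE = {21: "closed", 22: "open", 23: "filtered", 25: "filtered",
              80: "open", 3306: "open"}
ACK_SAMPLE = {21: "unfiltered", 22: "unfiltered", 23: "filtered",
              25: "unfiltered", 80: "unfiltered", 3306: "filtered"}

if __name__ == "__main__":
    for reply in (None, ("tcp", "R"), ("icmp", 3, 13)):
        print(reply, "->", ack_scan_state(reply))
    for port, verdict in compare_scans(SYN_SAMPLE, ACK_SAMPLE).items():
        print(f"{port}/tcp: {verdict}")
```

Note the port 23 row: a stateless DROP and a stateful DROP are indistinguishable even with both scans, so the cross-check only separates the two kinds of firewall on ports that at least one probe gets through.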
