Penetration Testing mailing list archives
Help understanding a trace of an nmap scan
From: Richard Moore <rich () westpoint ltd uk>
Date: Mon, 06 Sep 2004 15:11:07 +0100
I wonder if anyone can help me make sense of this packet trace. It shows nmap running a connect scan against port 13 of a host. The part I don't understand is why there are 3 RST packets sent to the target machine?

If it helps anyone the target host is a Debian box running 2.4.26 Linux kernel and the source machine was a RedHat box running 2.4.7-10. The version of nmap used is 3.48.

Cheers

Rich.

--
Richard Moore, Principle Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

14:16:23.098150 host.name.deleted > other.host.name: icmp: echo request
14:16:23.108150 host.name.deleted.45639 > other.host.name.http: . ack 901588830 win 1024
14:16:23.108150 other.host.name > host.name.deleted: icmp: echo reply
14:16:23.108150 other.host.name.http > host.name.deleted.45639: R 901588830:901588830(0) win 0 (DF)
14:16:23.428150 host.name.deleted.1073 > other.host.name.daytime: S 2950063922:2950063922(0) win 5840 <mss 1460,sackOK,timestamp 51097216 0,nop,wscale 0> (DF)
14:16:23.438150 other.host.name.daytime > host.name.deleted.1073: S 1866105343:1866105343(0) ack 2950063923 win 5792 <mss 1460,sackOK,timestamp 138541011 51097216,nop,wscale 0> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: . ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
Interesting ports on other.host.name (194.153.168.235):
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: P 1:27(26) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 2950063923:2950063923(0) win 0 (DF)
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: F 27:27(0) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 2950063923:2950063923(0) win 0 (DF)
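
As an added example (not part of the original post), this Python parser reads the trace above, lists the flag sequence of the port 13 connection, and counts the RSTs by header shape. The function names are hypothetical and the input is the trace copied from the post.

```python
import re
from collections import Counter
# The trace copied from the post, one packet per line (tcpdump text output).
TRACE = """\
14:16:23.098150 host.name.deleted > other.host.name: icmp: echo request
14:16:23.108150 host.name.deleted.45639 > other.host.name.http: . ack 901588830 win 1024
14:16:23.108150 other.host.name > host.name.deleted: icmp: echo reply
14:16:23.108150 other.host.name.http > host.name.deleted.45639: R 901588830:901588830(0) win 0 (DF)
14:16:23.428150 host.name.deleted.1073 > other.host.name.daytime: S 2950063922:2950063922(0) win 5840 <mss 1460,sackOK,timestamp 51097216 0,nop,wscale 0> (DF)
14:16:23.438150 other.host.name.daytime > host.name.deleted.1073: S 1866105343:1866105343(0) ack 2950063923 win 5792 <mss 1460,sackOK,timestamp 138541011 51097216,nop,wscale 0> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: . ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
14:16:23.438150 host.name.deleted.1073 > other.host.name.daytime: R 1:1(0) ack 1 win 5840 <nop,nop,timestamp 51097217 138541011> (DF)
Interesting ports on other.host.name (194.153.168.235):
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: P 1:27(26) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 2950063923:2950063923(0) win 0 (DF)
14:16:23.448150 other.host.name.daytime > host.name.deleted.1073: F 27:27(0) ack 1 win 5792 <nop,nop,timestamp 138541012 51097217> (DF)
14:16:23.448150 host.name.deleted.1073 > other.host.name.daytime: R 2950063923:2950063923(0) win 0 (DF)
"""

PKT = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): "
                 r"(?P<flags>[SFRP.]+) (?P<rest>.*)$")

def parse(trace):
    """Return TCP packets; ICMP lines and interleaved nmap output are skipped."""
    pkts = []
    for line in trace.splitlines():
        m = PKT.match(line.strip())
        if m:
            win = re.search(r"\bwin (\d+)", m["rest"])
            pkts.append({"src": m["src"], "dst": m["dst"], "flags": m["flags"],
                         "has_ack": bool(re.search(r"\back \d+", m["rest"])),
                         "options": "<" in m["rest"],
                         "win": int(win.group(1)) if win else None})
    return pkts

def rst_summary(pkts):
    """Count RSTs per (src, dst, has_ack, has_options, window)."""
    return Counter((p["src"], p["dst"], p["has_ack"], p["options"], p["win"])
                   for p in pkts if "R" in p["flags"])

def timeline(pkts, client, server):
    """Flag sequence of one connection: '>' client to server, '<' the reverse."""
    ends = {(client, server): ">", (server, client): "<"}
    return [ends[(p["src"], p["dst"])] + p["flags"]
            for p in pkts if (p["src"], p["dst"]) in ends]

if __name__ == "__main__":
    print(timeline(parse(TRACE), "host.name.deleted.1073", "other.host.name.daytime"))
    print(rst_summary(parse(TRACE)))
```

On this trace the scanning host sends one RST that carries an ack, the timestamp option and win 5840, followed by two RSTs with no ack, no options and win 0, each directly after a segment from the target.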