June 23rd, 2002, 02:32 PM
I am just starting to learn nmap. The documentation talks
about SYN|ACK's and RST's, etc. is there a way to open up a
command line and use these commands like ftp
or like telneting to a mail server?
What tool would you use for that?
Where is a good place to find those commands?
Is this a useful place to be concentrating studies?
June 23rd, 2002, 02:39 PM
SYN ACK and RST are different flags on a TCP packet.
You can't use them directly from the command line (it would not be useful because there are a lot of parameters and most sequences have a timeout), but there are programs which can generate arbritary packets from the command line - which may be useful when testing particular OS TCP properties under "laboratory" conditions (but very tedious if you want to "scan" and check if your machines are vulnerable or test firewalls)
Protocols like telnet and ftp run at a higher layer than TCP flags and they are invisible to them (if implemented correctly)
Programs like nmap may use the flags in sequences and/or combinations other than those documented in the relevant RFCs in a an attempt to stealthily acquire information about the remote machine (Open ports, OS etc)
June 26th, 2002, 07:30 AM
> What tool would you use for that?
If you want to send test packets you can use tool 48 of
lcrzoex. Then by sniffing with tool 295, you 'll see
> Is this a useful place to be concentrating studies?
I think the best way to learn is to practice.
I suggest you to read :
and to test every tool of lcrzoex.
Like this, you'll learn :
- tcp/udp clients/servers
Lcrzoex is at :
June 26th, 2002, 08:01 AM
Most of those things are automated for a reason, and like was said before, those are tcp flags so they are attached to the tcp packet. You may want to write tcp packets, which is something that you may need raw socket support to accomplish.
June 26th, 2002, 03:45 PM
These are all flags that are used in the establishment, conversation, and termination of a TCP connection. The key point is that when a TCP connection is established, you typically have a three way handshake. If you have two computers, A and B, a TCP connection starts by A saying HEY (SYN Flag) to B, B then replies by saying HEY to A (SYN) and I HEAR YOU (ACK) (SYN-ACK), then A completes the connection by telling B I HEAR YOU (ACK).
The last piece to the puzzle is that every machine has a sequence number that it will associate with a connection to keep track of the order of arrival of packets. So when A sends the first SYN it sends a SYN + (its sequence number), when B responses HEY to A (it sends a SYN + its sequence number) and I HEAR YOU (it sends an ACK of A's sequence number+1) (SYN B sequence number & ACK (A's sequence number + 1), A responds with ACK B's sequence number +1). The sequence number + 1 is a way of telling the other machine that I heard that packet, send me the next one.
Oops, post cut short..
If i is A's sequence number, and j is B's sequence number
A syn i ------------> B
B syn j + ack i+1 --> A
A ack j + 1 ----------> B
There are of course other flags. FIN is very similar to a SYN, but it ends a connection rather than starts it. RST is a RESET, for example, lets say that A tries to telnet to B but B doesn't have telnet listening. It stops the connection from A by sending a RST back.
Hope that helps...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
June 26th, 2002, 04:09 PM
further reading in terms of finding information about a remote machine OS by exploiting its lack of RFC compliance can be found on fyodors website. fydor wrote nmap which lets face it is one of the better tools for this sort of operation and has been ported from *nix to NT/2000 by those nice folks at eEye Digital Security for those who need it in that flavour
OS fingerprinting article http://www.insecure.org/nmap/nmap-fi...g-article.html
NT version http://www.eeye.com/html/Research/Tools/nmapnt.html