-
July 4th, 2005, 05:23 AM
#1
nmap oddity
Can someone explain to me how the -T parameter makes any difference when scanning one port? In this case, -T1 reveals a port where -T5 doesn't.
C:\Documents and Settings\soda>nmap xxxxxx -P0 -T1 -p 4531
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-07-04 11:13 Central Daylight Time
Interesting ports on xxxx (xxxx):
PORT STATE SERVICE
4531/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 15.875 seconds
C:\Documents and Settings\soda>nmap xxxxxx -P0 -T5 -p 4531
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2005-07-04 11:13 Central Daylight Time
Interesting ports on xxxxxx (xxxxx):
PORT STATE SERVICE
4531/tcp filtered unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.953 seconds
C:\Documents and Settings\soda>
I'm scanning an Astaro distro, IPtables firewall I believe. The open port is a webadmin interface. I've always believed the -T option spread the scan over a period of time. The SYN should be a single packet, it wouldn't really be changed in any way by -T, right? The rate of SYNs being sent out should be changed, which is what I thought (making this confusing).
15 seconds versus .9 seconds to send out one packet makes a difference?
-
July 4th, 2005, 05:47 AM
#2
So I'm sniffing it out, and the main difference is that -T1 sends a single SYN, which is returned by SYN/ACK and responded to by RST.
-T5 sent out 2 SYNs to that port immediately, both were followed up with SYN/ACKs (open), yet nmap says they're filtered.
I'm trying this against other ports/boxes but I'm not getting the same results. I'm just confused, that's all.
-
July 4th, 2005, 11:00 AM
#3
Sounds like a bug to me. You might want to skim the nmap users stuff and see if it has been mentioned and then report it if it hasn't. Any returning SYN/ACK should trigger an open result.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
July 4th, 2005, 11:15 AM
#4
Hi all,
I checked both commands, but they are working fine for me.
[root@testm]# nmap -P0 xxx.xxx.xxx.xxx -T1 -p 5555
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-04 15:09 Central
Interesting ports on xxx (xxx.xxx.xxx.xxx):
PORT STATE SERVICE
5555/tcp open squid-http
Nmap finished: 1 IP address (1 host up) scanned in 15.518 seconds
[root@testm]# nmap -P0 xxx.xxx.xxx.xxx -T5 -p 5555
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-04 15:10 Central
Interesting ports on xxx (xxx.xxx.xxx.xxx):
PORT STATE SERVICE
5555/tcp open squid-http
Nmap finished: 1 IP address (1 host up) scanned in 0.447 seconds
Excuse me, is there an airport nearby large enough for a private jet to land?
-
July 4th, 2005, 12:37 PM
#5
First off: I know nothing about IPTables
Perhaps this is some sort of anti-DoS setting? A couple of SYNs in a short period might trigger some delay. This delay could be enough for nmap to think the port is filtered?
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 4th, 2005, 01:47 PM
#6
Originally posted here by SirDice
First off: I know nothing about IPTables
Perhaps this is some sort of anti-DoS setting? A couple of SYNs in a short period might trigger some delay. This delay could be enough for nmap to think the port is filtered?
syncookies perhaps?
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
July 4th, 2005, 03:50 PM
#7
Originally posted here by cacosapo
syncookies perhaps?
That might actually be it!!
I'll check some out tonight.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
July 4th, 2005, 06:07 PM
#8
I've tried this on many other systems and ports without the same behavior. It's really looking like just a bug to me. Any more ideas on what could have set it off?
On -T5, it took 1.4 seconds (does the time column in ethereal represent seconds?) for the first SYN/ACK to respond to the first SYN, 1.2 for the second SYN/ACK.
On -T1 it took 0.7 seconds to respond to it. I think the double SYNs from -T5 may have made it delay, possibly syncookies or some other TCP stack protection delayed it enough where nmap couldn't read it?
Does the -T5 option send out multiple syn's per port for you too? Is that normal and expected?
-
July 4th, 2005, 06:26 PM
#9
From the man page
Insane is only suitable for very fast networks or where you don't mind losing some information. It times out hosts in 75 seconds and only waits 0.3 seconds for individual probes. It does allow for very quick network sweeps though.
T5==insane
I came in to the world with nothing. I still have most of it.
-
July 4th, 2005, 06:38 PM
#10
where you don’t mind losing some information
That would explain the miss, but why does it send two SYN's? Shouldn't that slow down the scan (defeating the purpose)? It looks like that setting sending two packets instead of 1 is the only reason -T5 didn't pick it up. Which is bad, unless there's a reason for it sending two SYN's at once.
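Added example, not code from this thread or from nmap: a small Python script that takes the kind of packet-list lines ethereal shows (number, time in seconds since capture start, source, destination, info), pairs each SYN with the SYN/ACK that answers it, and then applies the 0.3 second per-probe wait quoted from the man page to decide whether a timeout-driven scanner would have credited the reply. The captures, hosts, ports and timestamps below are constructed to reproduce the delays reported in this thread (1.4 s and 1.2 s at -T5, 0.7 s at -T1); the 10 second -T1 wait is an assumption, since the thread only gives the total scan time; and the "stop listening probe_timeout seconds after the last SYN" rule is a deliberate simplification of nmap's real retransmission and timeout logic, not a description of it.

```python
import re

# Constructed packet-list lines in the style of ethereal's summary view:
# No., Time (seconds since capture start), source, destination, protocol, info.
# Hosts, ports and timestamps are made up; the delays mirror the thread's report.
T5_CAPTURE = """\
1  0.000000  10.0.0.5  10.0.0.1  TCP  40123 > 4531 [SYN]
2  0.050000  10.0.0.5  10.0.0.1  TCP  40124 > 4531 [SYN]
3  1.250000  10.0.0.1  10.0.0.5  TCP  4531 > 40124 [SYN, ACK]
4  1.250100  10.0.0.5  10.0.0.1  TCP  40124 > 4531 [RST]
5  1.400000  10.0.0.1  10.0.0.5  TCP  4531 > 40123 [SYN, ACK]
6  1.400100  10.0.0.5  10.0.0.1  TCP  40123 > 4531 [RST]
"""

T1_CAPTURE = """\
1  0.000000  10.0.0.5  10.0.0.1  TCP  40200 > 4531 [SYN]
2  0.700000  10.0.0.1  10.0.0.5  TCP  4531 > 40200 [SYN, ACK]
3  0.700100  10.0.0.5  10.0.0.1  TCP  40200 > 4531 [RST]
"""

# Per-probe wait for -T5, from the man page text quoted in the thread.
T5_PROBE_TIMEOUT = 0.3
# Assumed value for -T1: the thread does not state it, only that the scan took ~15 s.
T1_PROBE_TIMEOUT_ASSUMED = 10.0

PKT_RE = re.compile(
    r"^\s*\d+\s+([\d.]+)\s+\S+\s+\S+\s+TCP\s+(\d+)\s*>\s*(\d+)\s+\[([^\]]+)\]"
)


def parse_capture(capture):
    """Yield (time, src_port, dst_port, flags) for each TCP summary line."""
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if m:
            yield float(m[1]), int(m[2]), int(m[3]), m[4]


def reply_delays(capture):
    """Round-trip delay for each scanner SYN, in send order.

    A SYN is paired with the SYN/ACK addressed back to the same scanner
    source port; a SYN that never gets a SYN/ACK yields None.
    """
    sent_at = {}   # scanner source port -> SYN timestamp
    order = []     # scanner source ports in send order
    delay = {}
    for t, sport, dport, flags in parse_capture(capture):
        if flags == "SYN":
            sent_at[sport] = t
            order.append(sport)
        elif flags == "SYN, ACK" and dport in sent_at and dport not in delay:
            delay[dport] = round(t - sent_at[dport], 6)
    return [delay.get(p) for p in order]


def classify(capture, probe_timeout):
    """Decide open/filtered the way a timeout-driven scanner would.

    Simplified model (not nmap's real state machine): the scanner stops
    listening probe_timeout seconds after its last SYN to the port, and a
    SYN/ACK that arrives after that is never credited.
    Returns (state, give_up_at, first_synack_at).
    """
    syn_times, synack_times = [], []
    for t, _sport, _dport, flags in parse_capture(capture):
        if flags == "SYN":
            syn_times.append(t)
        elif flags == "SYN, ACK":
            synack_times.append(t)
    give_up_at = max(syn_times) + probe_timeout
    first_synack = min(synack_times) if synack_times else None
    heard_in_time = first_synack is not None and first_synack <= give_up_at
    return ("open" if heard_in_time else "filtered"), round(give_up_at, 6), first_synack


if __name__ == "__main__":
    for label, cap, timeout in (("-T5", T5_CAPTURE, T5_PROBE_TIMEOUT),
                                ("-T1", T1_CAPTURE, T1_PROBE_TIMEOUT_ASSUMED)):
        state, give_up_at, first = classify(cap, timeout)
        print(f"{label}: SYN->SYN/ACK delays {reply_delays(cap)}; scanner gave up at "
              f"{give_up_at:.2f}s, first SYN/ACK at {first}s -> {state}")
    # The same -T5 packets judged with a longer per-probe wait would be 'open'.
    print("-T5 capture with a 2 s probe wait ->", classify(T5_CAPTURE, 2.0)[0])
```

Run against a real capture, the useful check is the same one the script makes: compare the SYN to SYN/ACK delay with the per-probe wait of the timing template in use. When the target answers slower than that wait (1.2 to 1.4 s against 0.3 s here), "filtered" is a timeout artifact rather than evidence of a firewall, and the fix is a slower template or a longer probe timeout rather than a bug report.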