Re: Nmap/netwag problem.

From: Rogan Dawes (discard@dawes.za.net)
Date: Thu Aug 11 2005 - 02:09:05 EDT


Pete Herzog wrote:
> Kaj,
>
>
>>Anyway. a 'full connect' scan (one that performs the complete three-way
>>handshake will _always_ (?) be the most reliable.
>>My suggestion is to perform either a nmap connect scan on the ports from
>>both results or to manually telnet to the ports and see the response.
>
>
> I have to disagree with you here. A full connect scan is not the most
> reliable. There are many security defensive processes now which require
> proper protocol queries to provide a response; I see this very often
> with web ports. If you send anything other than a http request, you
> will not see a service behind the web port.

Excuse me? Are you suggesting that if I send a Syn to port 80, and don't
get a Syn/Ack back, I should just go ahead and send a "GET / HTTP/1.0",
in case there is some kind of application level firewall that will only
pass my original Syn if it sees a valid HTTP request following it?

Sounds like someone is redefining TCP, to me!

I can't imagine any TCP/IP implementation (bar Microsoft, of course!)
that would be so braindead, and would actually do anything further if
the Syn/Ack was never received.

At the very least, once the full TCP connect scan has identified that
there IS a service running on a particular port, you can then try to
identify the service by prodding it with various protocols, and seeing
which respond. I certainly agree with your statement that many services
do not respond with layer 4 (?) protocol data, if the input is not
well-formed.

But the original statement was with regards to identifying that a (ANY)
service is actually listening on a particular port. And I tend to agree
that a full connect scan is more reliable than a Syn scan.

Regards,

Rogan
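Added example, not part of the original post or thread: a small Python demonstration, run against a constructed local listener, of the two steps Rogan separates above. A full connect (completed three-way handshake) establishes that something is listening; a protocol-specific probe then tells you what it speaks. The listener, `start_demo_server`, `connect_probe` and `closed_port` are all constructed for this illustration and mimic a service that stays silent unless it receives a well-formed HTTP request.

```python
import socket
import threading

# Constructed demo listener: a stand-in for the "defensive process" the
# thread describes. It answers only a well-formed HTTP request line and
# stays silent on anything else. Port 0 lets the OS pick a free port.
def start_demo_server():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    continue
                if data.startswith(b"GET / HTTP/1."):
                    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def connect_probe(host, port, payload=None, timeout=0.5):
    """Full connect check, optionally followed by a protocol probe.
    'open' answers "is anything listening?"; 'banner' answers "does it
    speak the protocol I sent?". Refused or timed-out connects -> open=False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
            try:
                banner = s.recv(256)
            except socket.timeout:   # listening, but silent without a proper query
                banner = b""
    except OSError:                  # ConnectionRefusedError / timeout are OSErrors
        return {"open": False, "banner": b""}
    return {"open": True, "banner": banner}

def closed_port():
    """Reserve and release a loopback port so the demo has one nobody listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port
```

A bare connect to the demo port reports open with an empty banner (the service is there, it just will not talk), the same connect followed by a GET returns the HTTP banner, and the released port reports closed.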

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:44 EDT