RE: Nmap/netwag problem.

From: Paul J Docherty (PJD@portcullis-security.com)
Date: Thu Aug 11 2005 - 11:07:41 EDT


Whilst the points you are making are correct once you have discovered
open ports, I think you have raced ahead of the question, which was, I
think, "which port scanner is giving the correct results?" As many
others have elegantly answered, use a packet sniffer and look at the raw
data to see what's going on. You have raced ahead and are bordering on
service discovery rather than port status. As we know, there can be any
number of filtering devices between the two ends; however, within TCP,
which is what we are talking about here, an open port will respond to a
SYN with a SYN/ACK.

As for scan methods, I tend to use both SYN and full (where time
permits). If time is not the key, I prefer to SYN scan first, then TCP
connect.

With regards to answering the questions, you could, if you are not happy
with the sniffer options, use something like hping2(3) and watch the
flags, i.e.

hping2 -n -V -S -p (port no.) IP_address

Paul.

-----Original Message-----
From: Pete Herzog [mailto:lists@isecom.org]
Sent: Wednesday, August 10, 2005 8:10 PM
To: Kaj Huisman
Cc: Aleph One; pen-test@securityfocus.com; Security-Basics
Subject: Re: Nmap/netwag problem.

Kaj,

> Anyway, a 'full connect' scan (one that performs the complete three-way
> handshake) will _always_ (?) be the most reliable.
> My suggestion is to perform either an nmap connect scan on the ports
> from both results or to manually telnet to the ports and see the response.

The best method for scanning is always to verify responses of a service
behind the ports by using the proper protocol. Barring that, verify the
types of packets which return, the consistency of their return, delays
in return, and the TTLs. But using telnet to visit a non-telnet port is
no longer a reliable method.
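The two pieces of advice in this thread (Paul's: watch the flags that come back to a SYN; Pete's: also check the consistency of the replies and their TTLs) can be applied to the raw data once you have it. The following is an added example, not code from either poster: it parses constructed hping2-style reply lines (the sample output, the target address and the port list are all made up for illustration) and reports a state per probed port plus whether that port's reply TTL disagrees with the host's other replies.

```python
import re
from collections import defaultdict
# Constructed hping2-style reply lines (sample data, not a real capture);
# hping2 echoes the probed target port as "sport" in each reply line.
SAMPLE_OUTPUT = """\
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840 rtt=0.4 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840 rtt=0.3 ms
len=40 ip=192.0.2.10 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.2 ms
len=40 ip=192.0.2.10 ttl=250 id=3011 sport=8080 flags=RA seq=0 win=0 rtt=40.1 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=443 flags=SA seq=0 win=5840 rtt=0.5 ms
"""

REPLY_RE = re.compile(r"ttl=(?P<ttl>\d+).*?sport=(?P<port>\d+).*?flags=(?P<flags>[A-Z]+)")

def parse_replies(text):
    """Group reply lines by probed port: {port: [(ttl, flags), ...]}."""
    replies = defaultdict(list)
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:  # header and summary lines carry no ttl=/flags= and are skipped
            replies[int(m["port"])].append((int(m["ttl"]), m["flags"]))
    return replies

def classify(port_replies):
    """Map the flags seen in a port's replies to a port state (Paul's rule)."""
    if not port_replies:
        return "no-response"  # SYN silently dropped: filtered or host down
    flags = {f for _, f in port_replies}
    if "SA" in flags:
        return "open"         # SYN answered with SYN/ACK
    if "RA" in flags or "R" in flags:
        return "closed"       # SYN answered with RST(/ACK)
    return "unexpected:" + ",".join(sorted(flags))

def analyse(text, probed_ports):
    """Classify each probed port and note replies whose TTL differs from the
    host's majority TTL (a different hop count hints at a device answering
    instead of the target, which is Pete's point about checking TTLs)."""
    replies = parse_replies(text)
    all_ttls = [t for r in replies.values() for t, _ in r]
    majority = max(set(all_ttls), key=all_ttls.count) if all_ttls else None
    result = {}
    for port in probed_ports:
        port_replies = replies.get(port, [])
        if not port_replies:
            note = "n/a"
        elif {t for t, _ in port_replies} - {majority}:
            note = "ttl-mismatch"
        else:
            note = "ttl-consistent"
        result[port] = (classify(port_replies), note)
    return result
```

Running `analyse(SAMPLE_OUTPUT, [22, 81, 443, 8080, 3389])` marks 22 and 443 open, 81 closed, 8080 closed but with a TTL that does not match the rest of the host's replies, and 3389 as having answered nothing at all, which is the case where the sniffer, not the scanner's summary, tells you what really happened.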





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:44 EDT