RE: Nmap/netwag problem.

From: ankush.kapoor@wipro.com
Date: Fri Aug 12 2005 - 07:52:36 EDT

• Next message: houseofdabus: "(MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow (Universal Exploit + no crash shellcode)"
• Previous message: gcehrh@hotmail.com: "Re: Re: AD password Auditing"
• Maybe in reply to: Aleph One: "Nmap/netwag problem."
• Next in thread: ilaiy: "Re: Nmap/netwag problem."
• Reply: ilaiy: "Re: Nmap/netwag problem."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hping is a pretty good tool. If you seriously feel that the port is
being filtered at a firewall, give firewalk a shot. The paper explaining
it is also very informative ;)

Ankush

-----Original Message-----
From: Paul J Docherty [mailto:PJD@portcullis-security.com]
Sent: Thursday, August 11, 2005 8:38 PM
To: Pete Herzog; Kaj Huisman
Cc: Aleph One; pen-test@securityfocus.com; Security-Basics
Subject: RE: Nmap/netwag problem.

Whilst the points you are making are correct once you have discovered
open ports, I think you have raced ahead of the question, which was I
think, "which port scanner is giving the correct results?" As many
others have elegantly answered use a packet sniffer and look at the raw
data to see what's going on. You have raced ahead and are bordering
service discovery rather than port status, as we know there can be any
number of filtering devices between the two ends, however, within TCP,
which is what we are talking about here, an open port will respond to a
syn with a syn/ack.

As for scan methods, I tend to use both syn and full (where time
permits) if time is not the key, I prefer to syn scan first then TCP
Connect.

With regards answering the questions you could, if you are not happy
with the sniffer options use something like hping2(3) and watch the
flags ie

Hping2 -n -V -S -p (port no.) IP_address

Paul.

Confidentiality Notice

The information contained in this electronic message and any attachments to this message are intended
for the exclusive use of the addressee(s) and may contain confidential or privileged information. If
you are not the intended recipient, please notify the sender at Wipro or Mailadmin@wipro.com immediately
and destroy all copies of this message and any attachments.

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

• Next message: houseofdabus: "(MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow (Universal Exploit + no crash shellcode)"
• Previous message: gcehrh@hotmail.com: "Re: Re: AD password Auditing"
• Maybe in reply to: Aleph One: "Nmap/netwag problem."
• Next in thread: ilaiy: "Re: Nmap/netwag problem."
• Reply: ilaiy: "Re: Nmap/netwag problem."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:44 EDT