Professional Documents
Culture Documents
David Morgan
1
3-way handshake
connection establishment’s signature sequence
client sends packet with SYN bit set
server returns packet with SYN & ACK set
client sends packet with ACK set
TCP Header
URG = urgent
ACK= acknowledgement
PSH = push
RST = reset
SYN = synchronize
FIN = finish
2
3-way handshake succeeds…
host1 host2
SYN=1
Time SYN=1
, ACK=1
ACK=1
3 port dispositions
it’s open
or it’s closed.
3
Test of ports that are open
send probe packet with SYN bit set
packet with SYN & ACK comes back
SYN=1
Time
, ACK=1
SYN=1
ACK=1
4
Send something else instead…
host1 host2
SYN=1
Time SYN=1
, ACK=1
RST=1
5
3-way handshake fails…
host1 host2
SYN=1
Time ACK=1
RST=1,
6
nmap -sT 192.168.3.3 -p 24-25
Client Server
7
nmap -sT 192.168.3.3 -p 24-25
Client Server
8
nmap -sT 192.168.3.3 -p 24-25
Client Server
Never mind
RST and ACK
flags set
Client Server
9
nmap -sT 192.168.3.3 -p 24-25
10
What do the variants do?
-sS replies RST instead of ACK
-sF sets FIN in initial packet
-sX sets FIN, URG, PSH
-sN sets no flags in initial packet
-sP pings
-sU sends UDP packet
others
OS fingerprinting
11
Output of interest
nmap’s log (-oN <filename>)
a concurrent packet capture
each gives different info/perspective
– packet capture is fundamental/authoritative
– log is interpretive
Protocol deviations
linux box
24 is closed
25 is open
windows box
24 is closed ??
25 is open
12
Protocol deviations
The idea is that closed ports are required to reply to your probe
packet with an RST, while open ports must ignore the packets in
question (see RFC 793 pp 64). ...Unfortunately Microsoft (like
usual) decided to completely ignore the standard and do things
their own way. ...If the scan finds open ports, you know the machine
is not a Windows box. If a -sF,-sX,or -sN scan shows all ports
closed, yet a SYN (-sS) scan shows ports being opened, you are
probably looking at a Windows box. This is less useful now that
nmap has proper OS detection built in. There are also a few
other systems that are broken in the same way Windows is. They
include Cisco, BSDI, HP/UX, MVS, and IRIX. All of the above
send resets from the open ports when they should just drop the packet.
13