During a recent assessment I noticed that I was getting back (or, not getting back, as it were) a filtered response to nmap and hping SYN scans. That’s normal enough for sites that drop incoming scan traffic, but the weird part was that if I used a standard connect scan, i.e. one that completes the three-way handshake, I would get back a ton of open ports on the same host.
So if I did a “regular” scan, I’d send a SYN, get back a SYN-ACK, and then respond with an ACK. Fair enough, but if I sent just the SYN from nmap or tcpdump, the host would not respond at all. Well, after a couple of minutes of head-scratching, logic revealed the path to the truth:
Good explanation, very informative.
Comment by David — 5/18/2006 @ 4:17 pm
Quite helpful, actually explains a few things I have been wondering about recently using nmap (and was too lazy to investigate)… Thanks Daniel
Comment by Michael S Black — 5/19/2006 @ 10:20 am
Syn Packets…
Daniel has uncovered something that I have suspected for some time now. It appears that when you use nmap’s syn scan that it is very different from a syn initiated by your operating system. If you are interested in packets and security you need to ha…
Trackback by /dev/infosec_samurai — 5/23/2006 @ 11:17 am