
I'm just observing what NMAP is doing for the 3 ports it reports are open.

I understand what a half-scan attack is, but what's happening doesn't make sense.

NMAP is reporting ports 139 and 445 are open... all fine.

But when I look at the control bits, NMAP never sends RST once it has found out the port is open. It does this for port 135, but not 139 and 445. This is what happens:

(I have omitted the victim's replies)

Sends a 2 (SYN)

Sends a 16 (ACK)

Sends a 24 (ACK + PSH)

Sends a 16 (ACK)

Sends a 17 (ACK + FIN)

I don't get why NMAP doesn't 'RST' ports 139 and 445??

  • This is more of a question for one of Stack Overflow's sister sites, not Stack Overflow itself, as this isn't programming related. –  Jun 09 '10 at 19:47
  • Oh sorry, could you recommend a site? –  Jun 09 '10 at 19:50

1 Answer

2

There's no need to send a RST. The FIN is sufficient to close down the connection; RST is usually only used when an error occurs. I suspect nmap sends the RST in the other cases because sometimes it can provoke a response in buggy TCP stacks even where the SYN is filtered; if it's succeeding in opening the connection then it already knows the port is open...

psmears
  • +1 Looked up one of your answers via profile to vote up, because I was stuck with one of your edits in EE.SE and had to refuse. And, of course, this is a good answer anyway :-) – Andreas Nov 28 '16 at 16:28
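To make the answer concrete, here is an added example (not from the question or the answer, and not nmap's own code) that decodes the numeric control-bit values the question lists and tells a completed handshake closed by FIN apart from a half-open probe that is torn down with RST. The sequences are constructed from the values in the post; the `[2, 4]` half-open case is an assumed illustration, not a capture.

```python
# TCP control bits as they sit in the 8-bit flags field (RFC 793 / RFC 3168).
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def decode_flags(value: int) -> list[str]:
    """Return the names of the flags set in a control-bits value, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def describe_sequence(sent: list[int]) -> list[str]:
    """Turn [2, 16, 24, ...] into ['SYN', 'ACK', 'PSH+ACK', ...] for reading a trace."""
    return ["+".join(decode_flags(v)) for v in sent]


def classify_scanner_flags(sent: list[int]) -> str:
    """Classify one port's scanner-to-target control-bit sequence (target replies omitted).

    A bare ACK after the initial SYN is the third segment of the handshake, so the
    connection was fully opened (a connect-style scan); a SYN that is followed by
    RST without that ACK was never completed (a half-open SYN scan).
    """
    flags = [set(decode_flags(v)) for v in sent]
    if not flags or "SYN" not in flags[0]:
        return "not a scan sequence"
    rest = flags[1:]
    handshake_completed = any(f == {"ACK"} for f in rest)
    seen = set().union(*rest) if rest else set()
    if "FIN" in seen:
        close = "FIN close"          # graceful teardown, as in the 139/445 trace
    elif "RST" in seen:
        close = "RST close"          # abortive teardown
    else:
        close = "no close seen"
    if handshake_completed:
        return f"connect scan, {close}"
    if close == "RST close":
        return f"half-open SYN scan, {close}"
    return f"incomplete handshake, {close}"


if __name__ == "__main__":
    # Constructed inputs: the exact values from the question for ports 139/445,
    # and an assumed SYN-then-RST pair standing in for the half-open case.
    for trace in ([2, 16, 24, 16, 17], [2, 4]):
        print(describe_sequence(trace), "->", classify_scanner_flags(trace))
```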