2006-12-27 02:03:59

by Jan Engelhardt

Subject: linux tcp stack behavior change

Hello list,


I have been noticing that running nmap -sF on oneself does not generate
a reply from the TCP stack on 2.6.18(.5). In other words:

# tcpdump -ni lo &
[1] 32376
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
# nmap localhost -n -sX -p 22
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-27 02:59 CET
02:59:54.199763 IP 127.0.0.1.44431 > 127.0.0.1.22: FP 2987942575:2987942575(0) win 3072 urg 0

and it just sits there. By chance, I found that passing FIN,ACK gives
the desired effect:

# nmap localhost -n -sX -p 22 --scanflags FIN,ACK
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-27 03:01 CET
03:01:28.847871 IP 127.0.0.1.34140 > 127.0.0.1.22: F 935914709:935914709(0) ack 1975786655 win 4096
03:01:28.847943 IP 127.0.0.1.22 > 127.0.0.1.34140: R 1975786655:1975786655(0) win 0
Interesting ports on 127.0.0.1:
PORT STATE SERVICE
22/tcp closed ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.071 seconds

However, I know that plain -sF worked with previous kernels. Using
nmap-4.00 on 2.6.18.5 yields the same result, so I do not think it is
caused by a change in nmap code. Could someone with 2.6.13-2.6.17 verify
that the TCP stack returned a RST? Or perhaps someone else actually
knows there was a change in the linux kernel to cause the now-observed
behavior.


Thanks,
Jan
--


2006-12-27 02:41:42

by Askadar

Subject: RE: linux tcp stack behavior change

> However, I know that plain -sF worked with previous kernels. Using
> nmap-4.00 on 2.6.18.5 yields the same result, so I do not think it is
> caused by a change in nmap code. Could someone with 2.6.13-2.6.17 verify
> that the TCP stack returned a RST?

Works for me on 2.6.18.3:

[root@DS-12 bb]# tcpdump -ni lo &
[root@DS-12 bb]# nmap localhost -n -sX -p 22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-26 21:26 EST
21:26:09.217187 IP 127.0.0.1.46872 > 127.0.0.1.22: FP 4139391634:4139391634(0) win 1024 urg 0
21:26:09.217355 IP 127.0.0.1.22 > 127.0.0.1.46872: R 0:0(0) ack 4139391635 win 0
Interesting ports on 127.0.0.1:
PORT STATE SERVICE
22/tcp closed ssh

[root@DS-12 bb]# uname -a
Linux DS-12 2.6.18-ARCH #1 SMP PREEMPT Sun Nov 19 09:14:35 CET 2006 i686
Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz GenuineIntel GNU/Linux

[root@DS-12 bb]# pacman -Q kernel26
kernel26 2.6.18.3-1

- Björn

2006-12-27 19:35:17

by Jan Engelhardt

Subject: Re: linux tcp stack behavior change


On Dec 27 2006 03:03, Jan Engelhardt wrote:
>
>I have been noticing that running nmap -sF on oneself does not generate
>a reply from the TCP stack on 2.6.18(.5). In other words:
[...]

Alright, same behavior on 2.6.13 and nmap 3.81, so the problem is
somewhere on my side having misdocumented something back then.


-`J'
--
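
The two captures in this thread are exactly what RFC 793 (section 3.9) predicts for a probe that matches no connection, once the state of the target port is known: a CLOSED port (no listener) answers every non-RST segment with a RST, while a LISTEN socket answers an ACK-bearing segment with a RST, a SYN with a SYN-ACK, and silently drops anything else, FIN, PSH and URG included. Jan's FIN,ACK probe therefore draws a RST from a listening port where a bare FIN or Xmas probe draws nothing, and Björn's Xmas probe draws a RST because his port 22 was closed. The following example is added here and is not code from the thread, from nmap or from the kernel: it parses the old one-line tcpdump format quoted above (constructed copies of the thread's lines), models the two RFC 793 rules, pairs each probe with the reply that came back and reports where a stack deviates from the model, and ends with the flag-combination rule a defender can use to recognise such stray segments in a capture. The port states (Jan's port 22 listening, Björn's closed) are assumptions; the thread does not state them, and nmap's "closed" is the scan's inference from the RST, not ground truth.

```python
import re

# Constructed sample capture in the old one-line tcpdump format quoted in this
# thread (flag letters, sequence field, then optional "ack N" / "urg N" words).
JAN_LINES = [  # Xmas probe with no reply, then a FIN,ACK probe and its RST
    "02:59:54.199763 IP 127.0.0.1.44431 > 127.0.0.1.22: FP 2987942575:2987942575(0) win 3072 urg 0",
    "03:01:28.847871 IP 127.0.0.1.34140 > 127.0.0.1.22: F 935914709:935914709(0) ack 1975786655 win 4096",
    "03:01:28.847943 IP 127.0.0.1.22 > 127.0.0.1.34140: R 1975786655:1975786655(0) win 0",
]
BJORN_LINES = [  # Xmas probe answered by a RST
    "21:26:09.217187 IP 127.0.0.1.46872 > 127.0.0.1.22: FP 4139391634:4139391634(0) win 1024 urg 0",
    "21:26:09.217355 IP 127.0.0.1.22 > 127.0.0.1.46872: R 0:0(0) ack 4139391635 win 0",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+) (?P<rest>.*)$"
)

def parse_tcp_line(line):
    """Parse one old-format tcpdump TCP line into endpoints plus a set of flag
    letters (S, A, F, R, P, U); return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = set(m.group("flags")) - {"."}  # "." stands for "no flag letters"
    rest = m.group("rest")
    # This format does not print ACK and URG as letters: they appear as
    # "ack N" and "urg N" after the sequence numbers.
    if re.search(r"\back \d+", rest):
        flags.add("A")
    if re.search(r"\burg \d+", rest):
        flags.add("U")
    return {"src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"), "flags": flags}

def rfc793_reply(flags, port_state):
    """What RFC 793 (section 3.9) says a stack sends back for a segment that
    belongs to no connection, for a port that is CLOSED or in LISTEN."""
    if "R" in flags:
        return None            # a RST is never answered in either state
    if port_state == "CLOSED":
        return "RST"           # CLOSED: every other segment draws a RST
    # LISTEN: an ACK-bearing segment is bad and draws a RST, a SYN starts a
    # handshake, and anything else (FIN, PSH, URG, no flags) is dropped.
    if "A" in flags:
        return "RST"
    if "S" in flags:
        return "SYN-ACK"
    return None

def pair_probes_with_replies(lines):
    """Pair each segment with the first later segment flowing back along the
    reversed 4-tuple, or with None when nothing came back."""
    segs = [s for s in map(parse_tcp_line, lines) if s]
    pairs, used = [], set()
    for i, probe in enumerate(segs):
        if i in used:
            continue
        reply = None
        for j in range(i + 1, len(segs)):
            r = segs[j]
            if j not in used and (r["src"], r["sport"], r["dst"], r["dport"]) == \
                    (probe["dst"], probe["dport"], probe["src"], probe["sport"]):
                reply = r
                used.add(j)
                break
        pairs.append((probe, reply))
    return pairs

def check_capture(lines, port_state):
    """Return (probe_flags, expected_reply, observed_reply) per probe, so a
    stack can be checked against the RFC 793 rules for the assumed port state."""
    out = []
    for probe, reply in pair_probes_with_replies(lines):
        if reply is None:
            observed = None
        elif "R" in reply["flags"]:
            observed = "RST"
        else:
            observed = "SYN-ACK" if {"S", "A"} <= reply["flags"] else "OTHER"
        out.append((probe["flags"], rfc793_reply(probe["flags"], port_state), observed))
    return out

def nonconforming(lines, port_state):
    """Probes whose observed reply differs from what RFC 793 predicts."""
    return [row for row in check_capture(lines, port_state) if row[1] != row[2]]

def is_stray_segment(flags):
    """Detection rule: after the initial SYN every legitimate segment carries
    ACK, so a segment with none of SYN, ACK, RST belongs to no conversation.
    The FIN and Xmas probes in the thread match; the FIN,ACK probe does not."""
    return not (flags & {"S", "A", "R"})

if __name__ == "__main__":
    # Assumed port states (not stated in the thread): Jan's port 22 listening,
    # Björn's closed. Under that assumption both captures conform to RFC 793.
    for name, lines, state in (("Jan", JAN_LINES, "LISTEN"), ("Björn", BJORN_LINES, "CLOSED")):
        print(name, state, check_capture(lines, state), "mismatches:", nonconforming(lines, state))
```

Running `nonconforming(JAN_LINES, "CLOSED")` instead shows the alternative reading: if Jan's port 22 really had been closed, the unanswered Xmas probe would be a deviation from RFC 793 worth reporting, which is the question the first message asks; under the listening assumption there is none. The parser is deliberately limited to the pre-4.x tcpdump line format shown in the thread; newer releases print `Flags [FPU]` and would need a different regular expression.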