Re: RST's and ACK's and stealth scans
HSKarim (HSKarim@aol.com)
Fri, 8 May 1998 17:26:01 EDT
Matt...
Thanks... I haven't used nmap yet but according to your tcpdump output... it
appears that RST's should accompany ACK's... but I'm running BSDi 3.0 with TIS
Gauntlet patches.... I'm seeing some traffic without the ACK bit set. A
company that is performing intrusion tests on my network is saying that the
fact that the packet was sent back with an RST & ACK means that a service was
available but it had some kind of filter on it. I disagreed, because I know
that nothing was running except one port. But I performed a tcpdump while he
scanned with a modified nmap and I saw the RST's going back with and without
the ACK bit set.
It wasn't really consistent either.
Peace
-Hassan Karim
In a message dated 98-05-08 10:37:45 EDT, you write:
<< If this helps, here's the logs from tcpdump for a normal (full connect)
tcp scan, syn, and fin scan. Fyodor's nmap was used for all the scans.
All scans were conducted from 192.168.0.2 against 192.168.0.3 (both
running Linux 2.0.33) >>
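
Added for reference, not part of the original message or of the tcpdump logs it quotes: a Python model of the RFC 793 reset-generation rule for a port with no listener, which decides whether the ACK bit accompanies the RST. It assumes a stack that follows RFC 793; the probe values are constructed, and the post does not establish whether BSDI 3.0 with the Gauntlet patches follows this rule.

```python
from typing import NamedTuple, Optional

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits


class Segment(NamedTuple):
    flags: int
    seq: int
    ack: int = 0
    payload_len: int = 0


def seg_len(seg: Segment) -> int:
    # SEG.LEN counts SYN and FIN as one sequence number each (RFC 793).
    return seg.payload_len + bool(seg.flags & SYN) + bool(seg.flags & FIN)


def closed_port_reply(seg: Segment) -> Optional[Segment]:
    """Reply of an RFC 793 TCP in CLOSED state (nothing listening on the port)."""
    if seg.flags & RST:
        return None  # an incoming RST is discarded, never answered
    if seg.flags & ACK:
        # Probe carried an ACK: <SEQ=SEG.ACK><CTL=RST>, no ACK bit on the reply
        return Segment(RST, seq=seg.ack)
    # Probe had no ACK: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    return Segment(RST | ACK, seq=0, ack=(seg.seq + seg_len(seg)) % 2**32)


def flag_names(flags: int) -> str:
    names = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (ACK, "ACK")]
    return "+".join(n for bit, n in names if flags & bit) or "none"


# Constructed probe segments, one per scan type (sequence numbers are arbitrary).
PROBES = {
    "SYN (connect or half-open scan)": Segment(SYN, seq=1000),
    "FIN (FIN scan)": Segment(FIN, seq=2000),
    "ACK": Segment(ACK, seq=3000, ack=7777),
    "FIN+ACK": Segment(FIN | ACK, seq=4000, ack=8888),
}


def classify() -> dict:
    """Map each probe type to the flags on the closed-port reply."""
    return {name: flag_names(closed_port_reply(p).flags) for name, p in PROBES.items()}


if __name__ == "__main__":
    for name, reply in classify().items():
        print(f"{name:32} -> {reply}")
```

Under this rule the ACK bit on a reset from a closed port reflects whether the probe itself carried an ACK, so a capture is best read with each RST paired to the probe that triggered it.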
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:54 CDT