Port Scanning (Status of Ports)
Here are some ideas I came up with for the port states in Nmap. These are just
ideas; I haven't finished some of the port states because I'm not sure how to
make the checks.
TCP Ports
------------
Open - SYN ACK reply from the remote host, reply came back with the same field values
Closed - RST ACK reply from the remote host, reply came back with the same field values
Filtered - No reply, packet was dropped
Firewalled - Reply came back from packet normalization device, reply came back with altered values
UDP Ports
------------
Open - No reply ?
Closed - ICMP Destination Unreachable (Port Unreachable) reply from the remote host, reply came back with the same field values
Filtered - No reply ?
Firewalled - Reply came back from packet normalization device, reply came back with altered values
Here's some information relating to the firewalled port status. There are
two main groups of network devices that can alter packet field values.
- packet normalization devices: OpenBSD pf, anti-fingerprinting devices,
and newer CheckPoint devices
- routers (hardware and software): routers that interface between two
networks with different MTUs and force performance settings, hardware
DSL routers do this; Linux and *BSD can alter MSS settings as well
I've been trying to figure out which field values the sender has control over,
so that I can determine if a packet-altering network device has modified some
field values in a packet I've sent. Here is what I've come up with thus far.
TCP packets
--------------
IP - Source IP Address
IP - Destination IP Address
TCP - Source Port Number
TCP - Destination Port Number
TCP - Sequence Number
UDP packets
--------------
IP - Source IP Address
IP - Destination IP Address
UDP - Source Port Number
UDP - Destination Port Number
Email me if you have any ideas along these lines.
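
The following is an added example, not part of the original post and not Nmap code: it applies the proposed TCP states to a raw IPv4+TCP reply. It assumes "same field values" means the reply mirrors the five sender-controlled fields (addresses and ports swapped, acknowledgment number equal to the probe's sequence number plus one); the names Probe, build_packet, parse_ipv4_tcp and classify_tcp are hypothetical, and the packets are constructed in memory.

```python
import socket
import struct
from collections import namedtuple

# The five sender-controlled fields from the post's "TCP packets" list.
Probe = namedtuple("Probe", "src_ip dst_ip sport dport seq")
SYN, RST, ACK = 0x02, 0x04, 0x10

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Build a constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 1024, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, ack, flags) from raw bytes."""
    ihl = (pkt[0] & 0x0F) * 4  # IP header length in bytes, skips IP options
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, _seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return src, dst, sport, dport, ack, off_flags & 0x3F

def classify_tcp(probe, reply):
    """Map a reply (raw bytes, or None for no reply) to one of the proposed states."""
    if reply is None:
        return "filtered"  # no reply, packet was dropped
    src, dst, sport, dport, ack, flags = parse_ipv4_tcp(reply)
    echoed = (src == probe.dst_ip and dst == probe.src_ip and
              sport == probe.dport and dport == probe.sport and
              ack == (probe.seq + 1) & 0xFFFFFFFF)  # sequence space wraps at 2^32
    if not echoed:
        return "firewalled"  # a device on the path altered an echoed value
    if flags & (SYN | ACK | RST) == SYN | ACK:
        return "open"
    if flags & (SYN | ACK | RST) == RST | ACK:
        return "closed"
    return "unknown"  # flag combination the proposal does not cover

if __name__ == "__main__":
    p = Probe("192.0.2.10", "198.51.100.5", 40000, 80, 1000)  # constructed values
    synack = build_packet(p.dst_ip, p.src_ip, p.dport, p.sport, 7, p.seq + 1, SYN | ACK)
    print(classify_tcp(p, synack), classify_tcp(p, None))
```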