From zaks@pf39.warszawa.sdi.tpnet.pl  Tue Aug  1 06:14:14 2000
Return-Path: <zaks@pf39.warszawa.sdi.tpnet.pl>
Received: from pf39.warszawa.sdi.tpnet.pl (pf39.warszawa.sdi.tpnet.pl [213.25.209.39])
	by hub.freebsd.org (Postfix) with ESMTP id 683FB37B5C1
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Aug 2000 06:13:41 -0700 (PDT)
	(envelope-from zaks@pf39.warszawa.sdi.tpnet.pl)
Received: (from root@localhost)
	by pf39.warszawa.sdi.tpnet.pl (8.9.3/8.9.3) id PAA04510;
	Tue, 1 Aug 2000 15:13:35 +0200 (CEST)
	(envelope-from zaks)
Message-Id: <200008011313.PAA04510@pf39.warszawa.sdi.tpnet.pl>
Date: Tue, 1 Aug 2000 15:13:35 +0200 (CEST)
From: zaks@prioris.mini.pw.edu.pl
Sender: zaks@pf39.warszawa.sdi.tpnet.pl
Reply-To: zaks@prioris.mini.pw.edu.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: Nmap doesn't report open ports in stealth scan mode
X-Send-Pr-Version: 3.2

>Number:         20342
>Category:       ports
>Synopsis:       Nmap doesn't report open ports in stealth scan mode
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    obrien
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 01 06:20:00 PDT 2000
>Closed-Date:    Sat Aug 26 17:28:30 PDT 2000
>Last-Modified:  Sat Aug 26 17:32:06 PDT 2000
>Originator:     Slawek Zak
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
	Warsaw University of Technology
>Environment:

	P-t-P interface (tun0) was used. Nmap version 2.53 compiled
	from ports.

>Description:

	Nmap doesn't seem to find remote ports open when working in stealth
	mode. Ports are recognized as filtered.

>How-To-Repeat:

	[tun interface]

	pf39# nmap -sS -P0 -v -p25 prioris
	[..........]
	Port       State       Service
	25/tcp     filtered    smtp

	Nmap run completed -- 1 IP address (1 host up) scanned in 36 seconds

	## Relevant tcpdump trace

	pf39.53713 > prioris.smtp: S 490700102:490700102(0) win 4096
	prioris.smtp > pf39.53713: S 1925646539:1925646539(0) ack \
		490700103 win 16384 <mss 1460> (DF)
	pf39.53713 > prioris.smtp: R 490700103:490700103(0) win 0
	pf39.53714 > prioris.smtp: S 1243791711:1243791711(0) win 4096
	prioris.smtp > pf39.53714: S 1926781491:1926781491(0) ack \
		1243791712 win 16384 <mss 1460> (DF)
	pf39.53714 > prioris.smtp: R 1243791712:1243791712(0) win 0
	pf39.53715 > prioris.smtp: S 2733700557:2733700557(0) win 4096
	pf39.53716 > prioris.smtp: S 490700102:490700102(0) win 4096
	prioris.smtp > pf39.53716: S 1929281189:1929281189(0) ack \
		490700103 win 16384 <mss 1460> (DF)
	pf39.53716 > prioris.smtp: R 490700103:490700103(0) win 0
	pf39.53717 > prioris.smtp: S 1243791711:1243791711(0) win 4096
	prioris.smtp > pf39.53717: S 1930419819:1930419819(0) ack \
		1243791712 win 16384 <mss 1460> (DF)
	pf39.53717 > prioris.smtp: R 1243791712:1243791712(0) win 0
	pf39.53718 > prioris.smtp: S 2733700557:2733700557(0) win 4096

	[Other host (3.5-STABLE), ethernet interface]

	prioris# nmap -sS -P0 -v -p25 alpha
	[..........]

	Port       State       Service
	25/tcp     open        smtp

	Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

>Fix:

	The problem probably lies in some tun interface implementation
	bug. The same version of nmap on FreeBSD 3.5-STABLE, using an fxp
	ethernet interface, works fine.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->obrien 
Responsible-Changed-By: jedgar 
Responsible-Changed-When: Wed Aug 2 17:19:05 PDT 2000 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20342 

From: Kris Kennaway <kris@FreeBSD.org>
To: zaks@prioris.mini.pw.edu.pl
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: ports/20342: Nmap doesn't report open ports in stealth scan mode
Date: Wed, 9 Aug 2000 21:19:29 -0700 (PDT)

 On Tue, 1 Aug 2000 zaks@prioris.mini.pw.edu.pl wrote:
 
 > 
 > >Number:         20342
 > >Category:       ports
 > >Synopsis:       Nmap doesn't report open ports in stealth scan mode
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    freebsd-ports
 > >State:          open
 > >Quarter:        
 > >Keywords:       
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Tue Aug 01 06:20:00 PDT 2000
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Slawek Zak
 > >Release:        FreeBSD 5.0-CURRENT i386
 > >Organization:
 > 	Warsaw University of Technology
 > >Environment:
 > 
 > 	P-t-P interface (tun0) was used. Nmap version i 2.53 compiled
 > 	from ports
 > 
 > >Description:
 > 
 > 	Nmap doesn't seem to find remote ports open working in stealth
 > 	mode. Ports are recognized as filtered.
 
 I believe this indicates that the remote system is sending an ICMP "Port
 unreachable" error message, i.e. the remote system is firewalled. Do you
 have evidence that other operating systems behave differently when
 scanning the same host?
 
 Kris
 
 --
 In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe@alum.mit.edu>
 
 

From: Slawek Zak <zaks@prioris.mini.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org, zaks@prioris.mini.pw.edu.pl
Cc:  
Subject: Re: ports/20342: Nmap doesn't report open ports in stealth scan mode
Date: 16 Aug 2000 18:29:03 +0200

 Hmm. I'm pretty sure now that the problem is caused by exactly the
 same problem that keeps tcpdump from showing incoming packets on the
 tun interface.
 
 Nmap doesn't establish a full TCP connection, so it has to 'sniff' for
 packets matching a specific pattern. It doesn't receive them, exactly
 like tcpdump with a non-empty filter. Moreover, when tcp.blackhole is
 turned on, you see connection attempts to the ports used by nmap.
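
The thread turns on how a SYN scan maps replies to a port state: SYN/ACK means open, RST means closed, ICMP unreachable or silence means filtered. The tcpdump trace in the report shows SYN/ACKs coming back, so a scanner that actually saw those packets would have to report the port open; "filtered" is what you get when the capture path delivers nothing. The classifier below is an added illustration (not part of the PR, not Nmap's code): it applies those rules to the trace quoted in the report, and to a constructed trace of the ICMP-port-unreachable case Kris suspected. Hostnames, ports and the ICMP line wording are taken or constructed from the page, not captured here.

```python
import re

# Trace quoted in the PR (first probes only, backslash-continued lines
# rejoined). Constructed test input, not a live capture.
PR_TRACE = """\
pf39.53713 > prioris.smtp: S 490700102:490700102(0) win 4096
prioris.smtp > pf39.53713: S 1925646539:1925646539(0) ack 490700103 win 16384 <mss 1460> (DF)
pf39.53713 > prioris.smtp: R 490700103:490700103(0) win 0
pf39.53715 > prioris.smtp: S 2733700557:2733700557(0) win 4096
"""

# Constructed trace of the behaviour Kris Kennaway suspected: the target
# (or a firewall in front of it) answers the SYN with ICMP port unreachable.
ICMP_TRACE = """\
pf39.40001 > prioris.smtp: S 1000:1000(0) win 4096
prioris > pf39: icmp: prioris tcp port smtp unreachable
"""

# old tcpdump TCP line: host.port > host.port: FLAGS rest
TCP_LINE = re.compile(r"^(\S+)\.(\S+) > (\S+)\.(\S+): ([SRFP.]+) (.*)$")

def classify_syn_scan(trace, scanner, target, port):
    """Return (state, probes): SYN scan rules applied to one scanned port.
    probes maps each scanner source port to the reply kind seen (or None)."""
    probes = {}
    for line in trace.splitlines():
        if line.startswith(target) and " icmp: " in line and "unreachable" in line:
            # ICMP error carries no TCP port here: attribute it to unanswered probes
            for sport, reply in probes.items():
                if reply is None:
                    probes[sport] = "icmp-unreach"
            continue
        m = TCP_LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        if src == scanner and dst == target and dport == port and "S" in flags:
            probes.setdefault(sport, None)        # our outgoing SYN probe
        elif src == target and sport == port and dst == scanner and dport in probes:
            if "S" in flags and " ack " in rest:
                probes[dport] = "syn-ack"         # target accepted: port open
            elif "R" in flags:
                probes[dport] = "rst"             # target refused: port closed
    kinds = set(probes.values())
    # any SYN/ACK wins; otherwise RST; ICMP error or silence both read as filtered
    state = "open" if "syn-ack" in kinds else "closed" if "rst" in kinds else "filtered"
    return state, probes
```

Run against PR_TRACE the result is "open" with probe 53715 still unanswered, which is the state the trace supports; Nmap's "filtered" verdict in the report therefore reflects SYN/ACKs it never received, not the target's behaviour.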
 
 
State-Changed-From-To: open->closed 
State-Changed-By: obrien 
State-Changed-When: Sat Aug 26 17:28:30 PDT 2000 
State-Changed-Why:  
This is either an Nmap problem (contact the Nmap author), or a FreeBSD 
`tun' device problem.  In that case a PR should be submitted against the 
`tun' device, not the Nmap port. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20342 
>Unformatted:
