Re: RST's and ACK's and stealth scans

From: HSKarim (HSKarimat_private)
Date: Fri May 08 1998 - 14:26:01 PDT


    Matt...
    Thanks... I haven't used nmap yet but according to your tcpdump output... it
    appears that RST's should accompany ACK's... but I'm running BSDi 3.0 with TIS
    Gauntlet patches.... I'm seeing some traffic without the ACK bit set. A
    company that is performing intrusion tests on my network is saying that the
    fact that the packet was sent back with an RST & ACK means that a service was
    available but it had some kind of filter on it. I disagreed, because I know
    that nothing was running except one port. But I performed a tcpdump while he
    scanned with a modified nmap and I saw the RST's going back with and without
    the ACK bit set.
    
    It wasn't really consistent either.
    
    Peace
    -Hassan Karim
    
    In a message dated 98-05-08 10:37:45 EDT, you write:
    
    << If this helps, here's the logs from tcpdump for a normal (full connect)
     tcp scan, syn, and fin scan. Fyodor's nmap was used for all the scans.
     All scans were conducted from 192.168.0.2 against 192.168.0.3 (both
     running Linux 2.0.33) >>
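
An added example, not part of the original message or of nmap: the reset-generation rule from RFC 793 for a segment that arrives at a port with no listener, which is one standards-based reason a capture shows resets both with and without the ACK bit. It assumes a stack that follows RFC 793 (filtering devices and individual stacks can deviate); the function names, ports and sequence numbers are constructed for illustration.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def parse_tcp(segment: bytes):
    """Return (seq, ack, flags, payload_len) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return seq, ack, off_flags & 0x3F, len(segment) - header_len

def closed_port_reply(segment: bytes):
    """RFC 793 reset generation when no connection exists (CLOSED state).

    Returns (flags, seq, ack) of the reset, or None when nothing is sent.
    """
    seq, ack, flags, payload_len = parse_tcp(segment)
    if flags & RST:
        return None                      # a reset is never answered
    if flags & ACK:
        return RST, ack, 0               # <SEQ=SEG.ACK><CTL=RST>
    # SYN and FIN each occupy one sequence number (SEG.LEN)
    seg_len = payload_len + bool(flags & SYN) + bool(flags & FIN)
    # <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
    return RST | ACK, 0, (seq + seg_len) & 0xFFFFFFFF

def make_segment(flags, seq=1000, ack=0, payload=b""):
    """Constructed sample input: 20-byte header, arbitrary ports."""
    return struct.pack("!HHIIHHHH", 40000, 80, seq, ack,
                       (5 << 12) | flags, 1024, 0, 0) + payload

def flag_names(flags):
    return "|".join(n for n, b in (("RST", RST), ("ACK", ACK)) if flags & b)

if __name__ == "__main__":
    probes = (("SYN", SYN, 0), ("FIN", FIN, 0),
              ("ACK", ACK, 5000), ("FIN|ACK", FIN | ACK, 5000))
    for label, f, a in probes:
        r = closed_port_reply(make_segment(f, ack=a))
        print(f"{label:8} -> {flag_names(r[0])} seq={r[1]} ack={r[2]}")
```

Under this rule the ACK bit on the reset depends on whether the incoming segment itself carried ACK, not on whether a service is listening or filtered.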
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:49 PDT