a question about idle scan
The following code is from nmap 3.81:
/* TH_SYN|TH_ACK is what the proxy will really be receiving from
   the target, and is more likely to get through firewalls. But
   TH_SYN allows us to get a nonzero ACK back so we can associate
   a response with the exact request for timing purposes. So I
   think I'll use TH_SYN, although it is a tough call. */
/* We can't use decoys 'cause that would screw up the IPIDs */
send_tcp_raw(proxy->rawsd, proxy->host.v4sourceip(),
             proxy->host.v4hostip(), o.ttl,
             o.magic_port + probes_sent + 1, proxy->probe_port,
             sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
             ack, NULL, 0, NULL, 0);
/* OK, through experimentation I have found that some hosts *cough*
   Solaris APPEAR to use simple IPID incrementing, but in reality they
   assign a new IPID base to each host which connects with them. This
   is actually a good idea on several fronts, but it totally
   frustrates our efforts (which rely on side-channel IPID info
   leaking to different hosts). The good news is that we can easily
   detect the problem by sending some spoofed packets "from" the first
   target to the zombie and then probing to verify that the proxy IPID
   changed. This will also catch the case where the Nmap user is
   behind an egress filter or other measure that prevents this sort of
   sp00fery */
if (first_target) {
  for (probes_sent = 0; probes_sent < 4; probes_sent++) {
    if (probes_sent) usleep(50000);
    send_tcp_raw(proxy->rawsd, first_target, proxy->host.v4hostip(),
                 o.ttl, o.magic_port, proxy->probe_port,
                 sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
                 ack, NULL, 0, NULL, 0);
  }
Both use SYN|ACK, but in reality tcpdump gets no ACK.
This is for the zombie's IPID:
202.4.147.188.60482 > zombie.80: S [tcp sum ok] 569687024:569687024(0) ack 0 win 44661
This is for the second part of the code:
04:07:15.924296 IP (tos 0x0, ttl 48, id 19443, offset 0, flags [none], length: 40) target.60481 > zombie: S [tcp sum ok] 569687024:569687024(0) ack 0 win 44661
Is this a bug?
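As an added example (not part of the post above and not nmap's own code), the following Python helper shows how the TCP flags byte that `send_tcp_raw` receives (`TH_SYN|TH_ACK`, using the bit values from `<netinet/tcp.h>`) relates to what pre-4.x tcpdump prints in summary lines like the two quoted above. That tcpdump format renders SYN/FIN/RST/PSH as the letters `S`/`F`/`R`/`P`, prints a lone `.` when none of those is set, and emits an `ack N` field only when the ACK bit is on, so `S ... ack 0` is a segment with both SYN and ACK set and an acknowledgement number of 0. The parser below extracts the flags, sequence/ack numbers and, where the IP header is shown, the IPID, which is the field an idle-scan analyst or a defender reviewing captures actually cares about. The sample lines are the ones quoted in the post; the function and variable names are mine.

```python
import re

# TCP flag bits as defined in <netinet/tcp.h>; nmap's TH_* macros use the same values.
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PUSH = 0x08
TH_ACK = 0x10
TH_URG = 0x20

FLAG_BITS = (("FIN", TH_FIN), ("SYN", TH_SYN), ("RST", TH_RST),
             ("PSH", TH_PUSH), ("ACK", TH_ACK), ("URG", TH_URG))


def flag_names(flags):
    """Return the set of flag names present in a TCP flags byte."""
    return {name for name, bit in FLAG_BITS if flags & bit}


def old_tcpdump_flags(flags):
    """Render a flags byte the way pre-4.x tcpdump did in its summary line.

    Only SYN/FIN/RST/PSH get a letter; ACK is never a letter in this format
    (it is signalled by a separate 'ack N' field), and '.' means none of
    the four letter flags is set.
    """
    letters = "".join(ch for ch, bit in (("S", TH_SYN), ("F", TH_FIN),
                                         ("R", TH_RST), ("P", TH_PUSH))
                      if flags & bit)
    return letters or "."


# Regex for the TCP part of an old-style tcpdump summary line:
#   src > dst: FLAGS [tcp sum ok] seq:seqend(len) [ack N] win W
_TCP_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: \[[^\]]*\])? (?P<seq>\d+):(?P<seqend>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)")
_IPID_RE = re.compile(r"\bid (?P<ipid>\d+)")


def parse_old_tcpdump(line):
    """Parse one pre-4.x tcpdump summary line into a dict.

    'flags' is the decoded set of TCP flag names; ACK is inferred from the
    presence of the 'ack N' field, which old tcpdump prints only when the
    ACK bit is set. 'ipid' is None when the line has no IP header details.
    """
    m = _TCP_RE.search(line)
    if m is None:
        raise ValueError("not an old-style tcpdump TCP summary line: %r" % line)
    letter_to_name = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH"}
    flags = {letter_to_name[ch] for ch in m.group("flags") if ch in letter_to_name}
    if m.group("ack") is not None:
        flags.add("ACK")
    ipid_match = _IPID_RE.search(line)
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": flags,
        "seq": int(m.group("seq")),
        "payload_len": int(m.group("len")),
        "ack": int(m.group("ack")) if m.group("ack") is not None else None,
        "win": int(m.group("win")),
        "ipid": int(ipid_match.group("ipid")) if ipid_match else None,
    }


# The two lines quoted in the post, used here as sample input.
ZOMBIE_PROBE = ("202.4.147.188.60482 > zombie.80: S [tcp sum ok] "
                "569687024:569687024(0) ack 0 win 44661")
SPOOFED_PROBE = ("04:07:15.924296 IP (tos 0x0, ttl 48, id 19443, offset 0, "
                 "flags [none], length: 40) target.60481 > zombie: S [tcp sum ok] "
                 "569687024:569687024(0) ack 0 win 44661")

if __name__ == "__main__":
    print("TH_SYN|TH_ACK = 0x%02x -> %s, shown by old tcpdump as %r plus an 'ack' field"
          % (TH_SYN | TH_ACK, sorted(flag_names(TH_SYN | TH_ACK)),
             old_tcpdump_flags(TH_SYN | TH_ACK)))
    for line in (ZOMBIE_PROBE, SPOOFED_PROBE):
        print(parse_old_tcpdump(line))
```

Running the block prints the decoded flag set for `TH_SYN|TH_ACK` and one dict per sample line; both lines decode to `{'SYN', 'ACK'}` with `ack == 0`, and only the second line carries an IPID (19443) because only it was captured with IP header details.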