Nmap null scans - help needed

[Dalobo]

I have just finished the AIO CEH book and am working with some of the tools and scans mentioned in the book.

In the book, it is mentioned that an Nmap Null scan (-sN) does not work on Windows, because it does not conform to an RFC. Yet it says that Linux does conform to this RFC and therefor a Null scan will work on Linux.

To test this I fired up a Windows XP and 2003 VM, and metasploitable. I then started Wireshark and did a Null scan on each one.

A Null scan is not supposed to return a reset packet when the port is open, and it will return one when a port is closed.  This should tell you what ports are open. The book says this scan will not work with Windows and that it was designed for Linux boxes.  No matter what OS I scan, RST packets ARE returned. Also, no ports are shown as open on any box, even when there ARE open ports.

Here is an output sample of a Linux box:
All 1000 scanned ports on Dalobo's-PC (192.168.56.41) are open|filtered

Am I misunderstanding something here? Shouldn't the Windows box not return any RST packets thus showing all ports as open?  Why does the linux box not show any open ports? Why is Windows sending RST packets?

Any help would be greatly appreciated.

[Dark_Knight]

Not all systems follow RFC 793 to the letter. A number of them send RST regardless of whether the port is open or not. The result is all ports are labeled as being closed. Some OS that do this are Windows, Cisco devices and IBM OS/400.

For further details check here:http://nmap.org/book/man-port-scanning-techniques.html

[Dalobo]

But Windows is sending RST packets and listing all ports as open.  That is where I am confused.

I am reading that link now...

Thanks,

Dalobo

[Dalobo]

These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

I am getting an open | filtered while getting RST packets. Hence the confusion.

This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered. <-- is this what I am seeing? But some of the ports are open...

Thank you,

Dalobo

[Dark_Knight]

Initially you said they were all closed and that you were receiving RST packets not so?

[Dalobo]

No matter what OS I scan, RST packets ARE returned. Also, no ports are shown as open on any box, even when there ARE open ports.
/quote]

Windows:
I have all the normal Windows ports open as well as 80 on the server.
When I do the Null scan, Windows sends RST packets, but I get the open | filtered output, but no ports listed as open.

Linux:
I have a ton of ports open (metasploitable) but I get a  al 100 ports open | filtered response and no ports listed as open individually.

Here is an output sample of a Linux box:
All 1000 scanned ports on Dalobo's-PC (192.168.56.41) are open|filtered

I was using this page as reference:
http://www.networkuptime.com/nmap/page3-6.shtml

[Dark_Knight]

Keep in mind that open|filtered means no response received(even after retransmissions)

I just scanned(NULL scan) my XP SP3 machine I receive all ports closed. How are you running nmap?

[Dalobo]

When I scan my router, it works correctly.  Turning telnet on and then doing a Null scan illicit no RST packet. That means it is open, and it does show up as open.

PORT     STATE SERVICE
23/tcp   open  telnet

So Windows should always show open | filtered or "All open" -> Hence the does not work with Windows

The Linux that is running in Metasploitable is Ubuntu i think. Ubuntu must do the same thing as Windows.  The Linux on my router must work the "normal way" and that is why telnet shows up. (Along with a few others.)

Am I thinking correctly now?

Thank you,

Dalobo

[Dark_Knight]

The behavior I see on my end is consistent with the RFC. I have ports 139,135,445 open. When I perform a NULL scan against XP SP 3, nmap labels all ports as closed and does send back an RST.

 I am receiving open|filtered.