[Carolyn Meinel wrote this "press release" and had it posted to www.infowar.com.
 Below that is Fyodor's response showing she doesn't have the first clue. Below
 that is a bit more followup.]


 8/16/98

 Hackers are singing the praises of Fyodor's Nmap port scanner.

 Report on Nmap for Infowar.com

 Hackers are singing the praises of Fyodor's Nmap port scanner. In
 particular, many of them have been excited by its half-open (stealth)
 mode. Well, here's a dissenting consumer report.

 1) Nmap is inaccurate in fin scan (stealth or half-open) mode. It
 sends to each port on the victim computer a single packet with the fin
 flag set. If it gets back a packet with the rst flag set, it reports
 the port as closed. If it doesn't get rst back, it reports it as open.
 Of course a dropped packet can also account for the missing rst. As a
 result, on a noisy connection it shows many ports as open that aren't.
 Try fin scanning a nonexistent host and you will see all ports
 reported open. On a theoretical basis, any scanner that sends only a
 single packet to probe each port is vulnerable to false results.
 However, it is a simple thought experiment to conceive of a half-open
 port scanner whose probability of accuracy approaches arbitrarily
 close to 1.

 2) Half-open port scans are only stealthy against a naive sysadmin. We
 tried it out with EtherPeek 3.5 on a Mac G3 listening. EtherPeek not
 only detected the fin scan; it also displayed the originating IP
 address. On a theoretical basis, the half-open connection technique is
 impossible to make stealthy. The attacker must get back data from the
 victim computer. This means a valid IP address must be shown in the
 packets with which it probes, and that the attacker must at some point
 access the host computer belonging to that valid IP address to get
 Nmap's results.

 Thanks to BOFH, Wizard, Vasendek, Apple Computer and AG Group
 (http://www.aggroup.com, creator of EtherPeek) for working together in
 the experiments whose results are presented here. And, yes, we expect
 the Happy Hacker Web site (http://www.happyhacker.org) and Wargame
 (try out your wiles on koan.happyhacker.org and
 smurfett.happyhacker.org) will be back up shortly. For more Meinel
 computer security information, buy the Happy Hacker book at the
 Infowar Bookstore. Warning: the first edition is almost sold out, and
 the second edition won't get back from the printer until the end of
 Sept.

 Carolyn Meinel M/B Research --
 The Technology Brokers http://techbroker.com


=-=-=-= Fyodor's Response =-=-=-=


From fyodor@dhp.com Thu Sep 10 03:05:40 1998
From: Fyodor 
To: cmeinal@techbroker.com
Date: Thu, 10 Sep 1998 02:27:10 -0400 (EDT)
Subject: NMAP

-----BEGIN PGP SIGNED MESSAGE-----


Carolyn,

Someone recently sent me a copy of your "consumer report" on nmap
posted to infowar.com.  This is, without doubt, one of your worst
port-scanning articles since your claim last year that scanners can be
used to locate serial, parallel, and monitor ports.  And that is
saying a lot!  Let's take a look at what you wrote:

>1) Nmap is inaccurate in fin scan (stealth or half-open) mode.

ACK!  You just proved that you haven't read the documentation.  FIN
scanning is VERY different from half-open scanning.  In the latter you
complete the SYN and SYN-ACK stages of the TCP connection
establishment phase.  At this "half-way" point, you terminate the
session with a RST rather than going "all the way" to the established
state by sending an ACK.  The FIN scan is completely different.  If
you read the documentation (or just the help screen that pops up when
you run w/o arguments), you will notice that nmap lets you pick
between half-open (-S) and FIN (-U); you obviously wouldn't have a
choice if they were the same.

> It sends to each port on the victim computer a single packet with

Now you have proved you have never even RUN the program (or at least
you weren't paying attention).  Your main critical point seems to be
that nmap only sends one packet.  This is not true!  Read the code and
notice (nmap.c line 1820):

      if (++trynum[i] >= retries) {
        if (o.verbose || o.debugging)
          printf("Good port %d detected by fin_scan!\n", portno[i]);
        addport(&target->ports, portno[i], IPPROTO_TCP, NULL);

As you can see (or you could see if you were a C programmer), nmap
only counts the port open after failing to get a response 'retries'
times.  The default is 2.

> Try fin scanning a nonexistent host and you will see all ports
>    reported open.

No.  By default nmap will ping the host first and report NO PORTS open
unless it receives an echo reply from the target host.  A down host
will NOT send a ping packet back.  Again, run the program before
making assumptions.  http://www.insecure.org/nmap .

> On a theoretical basis, any scanner that sends only a single packet to
> probe each port is vulnerable to false results.

You are making this up.  Where the hell did you come up with this
"only a single packet" crap?  Even if you don't know C, haven't you
used tcpdump to watch what happens during a FIN scan?

> However, it is a
> simple thought experiment to conceive of a half-open port scanner
> whose probability of accuracy approaches arbitrarily close to 1.

First of all, stop saying half-open when you mean FIN scan.  I suppose
the answer to your "thought experiment" is to retry a large number of
times before declaring the port open?  This is why I added a retry
variable rather than hard coding it!  If your connection is this
whacked, set retries to 10 and see how many misdiagnosed ports you
get.

>2) Half-open port scans are only stealthy against a naive sysadmin.

You should talk considering you have proven that you don't even know
what a half-open scan is!

> On a theoretical basis, the half-open connection technique is
> impossible to make stealthy. The attacker must get back data from the
> victim computer. This means a valid IP address must be shown in the
> packets with which it probes, and that the attacker must at some point
> access the host computer belonging to that valid IP address to get
> Nmap's results.

Stop pretending you are an expert or that you even know what you are
talking about.  In fact, you are absolutely *wrong*.  There are
several obvious ways to get around this problem.  No, I do not have
time to educate you about them.  One way has already been implemented
in the current beta release of nmap.

Carolyn, I used to wonder why the entire hacking community seems to
hate your guts.  Now it is clear.  You spout off complete BS without
any clue of what you are talking about and you also specifically target
beginners on your mailing lists because they may not know enough yet
to see through your mindless technoblather.  By indoctrinating them
with your incorrect guesses (portrayed as facts) about how the
Internet works, you will undoubtedly cause them enormous grief when
they actually try to apply some of your "techniques" in the REAL WORLD.

Cheers,
Fyodor


- --
Fyodor                                     'finger fyodor@dhp.com | pgp -fka'
Frustrated by firewalls?           Try nmap: http://www.dhp.com/~fyodor/nmap
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNfdxQc4dPqJTWH2VAQF7rgP/e3KOaAAVa7+QqZIdjU7J/4pDaDf2Vtxa
YAfYjlCjmDWesgdFsCQSeIKZ8EcVsU44tvwg5UpbYIoKnLYn74gPkwndS/Lc2NGu
VFuCJny6DAVi7fzTqjqfAYLnCVvHEzzAFtNV99ZmMvvTnKrbsvGPYxOC0UXNiQtq
0nMRunzJbaw=
=9l+x
-----END PGP SIGNATURE-----
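Fyodor's point that a FIN scan and a half-open (SYN) scan are different things is also visible to a defender in the packets each one produces, which is what Meinel's EtherPeek capture was showing her. As an added example (not part of this thread, and not nmap's or EtherPeek's code), the following Python script runs a small stateful detector over a constructed packet log: a bare FIN with no ACK bit and no prior SYN from that source is recorded as a FIN-scan probe, while a SYN answered by SYN/ACK and then torn down with RST instead of the final ACK is recorded as a half-open probe. The addresses, ports, flag strings and the reporting threshold are all constructed for the example.

```python
"""Flag FIN-scan and half-open (SYN) scan patterns in a packet log.

Added example; not code from the thread above, from nmap, or from EtherPeek.
Records are (src, dst, dport, flags) with tcpdump-style flag letters:
S=SYN, A=ACK, F=FIN, R=RST.  The traffic below is constructed by hand.
"""
from collections import defaultdict

SAMPLE_PACKETS = [
    # a normal connection: full handshake, then a FIN that carries ACK
    ("10.0.0.5", "10.0.0.9", 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.9", 80, "A"),
    ("10.0.0.5", "10.0.0.9", 80, "FA"),
    # FIN scan from 10.0.0.7: bare FIN to several ports, RST/ACK from closed ones
    ("10.0.0.7", "10.0.0.9", 21, "F"),
    ("10.0.0.9", "10.0.0.7", 21, "RA"),
    ("10.0.0.7", "10.0.0.9", 22, "F"),
    ("10.0.0.9", "10.0.0.7", 22, "RA"),
    ("10.0.0.7", "10.0.0.9", 23, "F"),
    ("10.0.0.9", "10.0.0.7", 23, "RA"),
    ("10.0.0.7", "10.0.0.9", 25, "F"),   # no reply: open, or the probe was dropped
    ("10.0.0.7", "10.0.0.9", 25, "F"),   # retry of the same port (nmap retries, default 2)
    # half-open scan from 10.0.0.8: SYN, SYN/ACK, then RST instead of the final ACK
    ("10.0.0.8", "10.0.0.9", 22, "S"),
    ("10.0.0.9", "10.0.0.8", 22, "SA"),
    ("10.0.0.8", "10.0.0.9", 22, "R"),
    ("10.0.0.8", "10.0.0.9", 80, "S"),
    ("10.0.0.9", "10.0.0.8", 80, "SA"),
    ("10.0.0.8", "10.0.0.9", 80, "R"),
    ("10.0.0.8", "10.0.0.9", 443, "S"),
    ("10.0.0.9", "10.0.0.8", 443, "SA"),
    ("10.0.0.8", "10.0.0.9", 443, "R"),
    ("10.0.0.8", "10.0.0.9", 8080, "S"),
    ("10.0.0.9", "10.0.0.8", 8080, "RA"),  # closed port: plain RST/ACK, never half-open
]


def classify_sources(packets, threshold=3):
    """Return {src: {"fin_scan": n, "half_open": n}} for every source that
    touched at least `threshold` distinct ports with either pattern.
    Ports are counted as a set, so retried probes do not inflate the count."""
    fin_ports = defaultdict(set)        # src -> ports probed with a bare FIN
    half_open_ports = defaultdict(set)  # src -> ports where SYN, SYN/ACK, RST was seen
    state = {}                          # (client, server, port) -> "syn" | "synack"

    for src, dst, port, flags in packets:
        key = (src, dst, port)
        # A legitimate close always sets ACK alongside FIN.  A FIN with no ACK
        # and no connection state from this source is a FIN-scan probe.
        if flags == "F" and key not in state:
            fin_ports[src].add(port)
            continue
        if flags == "S":
            state[key] = "syn"
        elif "S" in flags and "A" in flags:
            rkey = (dst, src, port)     # server's SYN/ACK travels the other way
            if state.get(rkey) == "syn":
                state[rkey] = "synack"
        elif "R" in flags and state.get(key) == "synack":
            # the client aborted after SYN/ACK instead of completing the handshake
            half_open_ports[src].add(port)
            state.pop(key, None)
        elif "A" in flags and state.get(key) == "synack":
            state.pop(key, None)        # handshake completed normally

    report = {}
    for src in set(fin_ports) | set(half_open_ports):
        f, h = len(fin_ports[src]), len(half_open_ports[src])
        if f >= threshold or h >= threshold:
            report[src] = {"fin_scan": f, "half_open": h}
    return report


if __name__ == "__main__":
    for src, counts in sorted(classify_sources(SAMPLE_PACKETS).items()):
        print(f"{src}: {counts}")
```

Both patterns are keyed on the source address that appears in the probe itself, which is why a sniffer next to the target can list the prober as EtherPeek did. The two FIN probes to port 25 are deliberately in the sample: the retry that the quoted nmap.c fragment performs is what a detector sees on the wire, and counting distinct ports rather than packets keeps that retry from looking like a second probe.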

=-=-=


From fyodor@dhp.com Sat Sep 12 01:18:50 1998
From: Fyodor 
To: cmeinel@techbroker.com
Date: Sat, 12 Sep 1998 01:07:18 -0400 (EDT)
Subject: Re: NMAP

-----BEGIN PGP SIGNED MESSAGE-----


On Fri, 11 Sep 1998, Carolyn Meinel wrote:

> Sorry about the single packet stuff, I will have to correct
> that.

This doesn't explain where you came up with the single packet
stuff.  Do you admit to just making it up?

> Many other people define half-open as meaning a connection in which the
> three way handshake is not completed.  So I go with that
> definition.

I have been distributing a popular port scanner for more than a
year and I wrote a port scanning article in Phrack51.  Yet I have
never seen __anyone__ except you refer to the FIN scan as
"half-open".  Being "half-open" implies that you have at least
__started__ the connection establishment (ie SYN scan).  The FIN
scan does not in any way perform any portion of TCP connection
establishment, so calling it "half-open" is absurd.

If "many other people" do call the FIN scan half-open, they
"learned" it from your silly mailing list.  I claimed earlier
that your mailing list confuses people and points them in the
wrong direction -- you have just proven my case!!!

> The important issue is that many people believe that nmap allows
> stealth port scanning, when it does not.

Why do you always assume that anything you cannot do is
impossible?  Even nmap 1.51 allows for extreme stealthiness, but
you need to read the directions and think a little bit.


- --
Fyodor                                     'finger fyodor@dhp.com | pgp -fka'
Frustrated by firewalls?           Try nmap: http://www.dhp.com/~fyodor/nmap
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNfoBic4dPqJTWH2VAQHw9AP/bAXWXdm5xkewPgNj0paxMfgvtYwpGhPW
PV+LPrRO49mFV92y2eeBi413IPtYAqBGF0jNXN0UTji3skgzMgKOLeXAHUEXwW6c
xNSJTf+dwVC0wix7O5D/OxkcE/wzQ1dP9S4ZpnJFtRXfB/0hBcz/eekPdSg00aRP
Dc1t99DIhSo=
=6vxd
-----END PGP SIGNATURE-----