Nmap: ACK Scan - Paiet/SEC-335 GitHub Wiki
- Kathy
- Used in an attempt to map firewall/filtering rules for the target
  - How is that done?
    - Send an ACK with a random sequence number
      - NO RESPONSE = filtered
      - RST = not filtered
      - Only works on RFC 793 compliant stacks
      - `nmap -sA <targetIP>`
- Are there variations on this type of scan?
  - TTL-based
    - If TTL values are lower than 64
      - `nmap --ttl 70 <targetIP>`
    - Learn the target's TTL through packet inspection
      - `--packet-trace`
      - `--reason`
  - Window-based
    - All about the window size
    - If the target returns
      - RST + Non-Zero Window = Port OPEN
      - RST + Zero Window = Port CLOSED
      - No Response = FILTERED
    - Can't really trust this scan as the OS may not be compliant
    - See `man nmap` and search for `-sW`
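Added example, not code from this wiki or from Nmap: a small Python script that reads `--packet-trace` output, learns the target's TTL from its RST replies, and applies the `-sA` and `-sW` interpretation rules above. The trace lines are constructed in Nmap's trace format, not captured from a real host.

```python
"""Interpret Nmap --packet-trace output for ACK (-sA) and window (-sW) scans.
Added example for these notes, not code from the SEC-335 wiki or from Nmap;
the trace lines below are constructed in Nmap's trace format, not captured."""
import re

# Constructed sample: three ACK probes to 10.0.0.9, two RST replies, 443 silent.
TRACE = """\
SENT (0.0412s) TCP 10.0.0.5:40001 > 10.0.0.9:22 A ttl=52 id=1001 iplen=40 seq=1234 win=1024
SENT (0.0413s) TCP 10.0.0.5:40001 > 10.0.0.9:80 A ttl=52 id=1002 iplen=40 seq=1234 win=1024
SENT (0.0414s) TCP 10.0.0.5:40001 > 10.0.0.9:443 A ttl=52 id=1003 iplen=40 seq=1234 win=1024
RCVD (0.0420s) TCP 10.0.0.9:22 > 10.0.0.5:40001 R ttl=63 id=0 iplen=40 seq=0 win=0
RCVD (0.0421s) TCP 10.0.0.9:80 > 10.0.0.5:40001 R ttl=63 id=0 iplen=40 seq=0 win=65535
"""

LINE = re.compile(
    r"^(?P<dir>SENT|RCVD) \(\S+\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+) ttl=(?P<ttl>\d+) .*\bwin=(?P<win>\d+)")


def classify(trace, target):
    """Map each probed port to (ACK-scan verdict, window-scan verdict).
    -sA: RST back = unfiltered, nothing back = filtered.
    -sW: RST with non-zero window = open, zero window = closed, silence = filtered.
    ICMP unreachable replies are not TCP lines, so they count as 'no reply' here."""
    probed, replies = set(), {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["dir"] == "SENT" and m["dst"] == target:
            probed.add(int(m["dport"]))
        elif m["dir"] == "RCVD" and m["src"] == target and "R" in m["flags"]:
            replies[int(m["sport"])] = int(m["win"])
    verdicts = {}
    for port in sorted(probed):
        if port not in replies:
            verdicts[port] = ("filtered", "filtered")
        else:
            verdicts[port] = ("unfiltered", "open" if replies[port] > 0 else "closed")
    return verdicts


def target_ttl(trace, target):
    """Observed TTL on the target's RSTs, the default initial TTL it most likely
    started from (64, 128 or 255) and the hop count that implies."""
    ttls = {int(m["ttl"]) for m in map(LINE.match, trace.splitlines())
            if m and m["dir"] == "RCVD" and m["src"] == target}
    observed = min(ttls)
    initial = next(t for t in (64, 128, 255) if t >= observed)
    return observed, initial, initial - observed
```

On the constructed trace, `classify(TRACE, "10.0.0.9")` reports port 22 as unfiltered/closed, 80 as unfiltered/open and 443 as filtered, and `target_ttl` returns `(63, 64, 1)`, i.e. a Linux-style initial TTL of 64 one hop away.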