Page 1 of 2 (results 1 to 10 of 17)

Thread: Nmap -PA -PS options - strange behaviour

  1. #1 bzdziagwa (Just burned his ISO; Join Date: Jul 2007; Posts: 9)

    Nmap -PA -PS options - strange behaviour

    Hi all,

    According to the documentation, these options are for host discovery:
    -PS [portlist] (TCP SYN Ping): This option sends an empty TCP packet with the SYN flag set. The default destination port is 80, but an alternate port can be specified as a parameter.
    -PA: The TCP ACK ping is quite similar to the just-discussed SYN ping - blah blah blah - The -PA option uses the same default port as the SYN probe (80).


    I'm confused, because nmap -PA and -PS are doing a SYN scan instead of -PA or -PS host discovery.
    The results of nmap -PA (-PS) host are exactly the same as a SYN scan.

    I've checked the traffic with Wireshark, and it looks like when you run these options nmap starts sending SYN packets to 1667 ports on the destination host.
    Even for -PA, nmap sends only SYN packets.

    B.

    PS.
    Result of -PA host "discovery":


    nmap -PA xxx.yyy

    Starting Nmap 4.20 ( ) at 2007-07-20 11:16 CEST
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    Interesting ports on xxx.yyy:
    Not shown: 1661 closed ports, 28 filtered ports
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    113/tcp open auth
    587/tcp open submission
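    To make the documentation's distinction concrete, here is an added Python example (not from the original post and not Nmap's own code) that parses the TCP header of a captured segment and labels it as the empty SYN probe a -PS ping sends, the empty ACK probe a -PA ping sends, or something else, then counts probe types and distinct destination ports the way one would eyeball a Wireshark capture. All packet bytes are constructed inline, not captured from the poster's host.

```python
import struct

# TCP flag bits (RFC 793) in the low byte of the 16-bit "data offset / flags" field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Bare 20-byte TCP header with no options and no payload (constructed sample;
    checksum left at zero because nothing here is put on the wire)."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def parse_tcp_header(data):
    """Return (sport, dport, flags, payload_len) from raw TCP segment bytes."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (offset_flags >> 12) * 4
    return sport, dport, offset_flags & 0x01FF, len(data) - header_len

def classify_probe(data):
    """Label a segment the way the man page describes the pings: -PS is an empty
    segment with only SYN set, -PA an empty segment with only ACK set."""
    _sport, _dport, flags, payload_len = parse_tcp_header(data)
    masked = flags & 0x3F                     # ignore ECN/NS bits when classifying
    if payload_len != 0:
        return "data"
    if masked == SYN:
        return "syn-ping"
    if masked == ACK:
        return "ack-ping"
    if masked == (SYN | ACK):
        return "syn-ack"
    if masked & RST:
        return "rst"
    return "other"

def summarize(packets):
    """Count probe types and distinct destination ports, which is what the poster
    was eyeballing in Wireshark: a ping touches one port, a scan fans out."""
    counts, ports = {}, set()
    for pkt in packets:
        label = classify_probe(pkt)
        counts[label] = counts.get(label, 0) + 1
        ports.add(parse_tcp_header(pkt)[1])
    return counts, len(ports)

# Constructed samples: a -PS and a -PA style probe to the default port 80, and the shape of a
# SYN scan: empty SYN segments fanned out to the eight ports the poster's output shows as open.
SYN_PING = build_tcp_header(40000, 80, SYN)
ACK_PING = build_tcp_header(40001, 80, ACK)
SYN_SCAN = [build_tcp_header(40002, p, SYN) for p in (21, 22, 25, 53, 80, 110, 113, 587)]
```

    A capture in which -PA produced only "syn-ping" labels across many ports, and no "ack-ping", is exactly the symptom the post describes.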

  2. #2 theprez98 (Moderator; Join Date: Jan 2010; Location: Maryland; Posts: 2,533)

    This seems more like an nmap problem vice a BT2 problem.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  3. #3 bzdziagwa (Just burned his ISO; Join Date: Jul 2007; Posts: 9)

    I've also tested it on FreeBSD 5.5-RELEASE with the same result.
    If anyone has access to another Linux/Unix system, please test it.

    Regards
    B

  4. #4 theprez98 (Moderator; Join Date: Jan 2010; Location: Maryland; Posts: 2,533)

    Quote Originally Posted by bzdziagwa:
    I've also tested it on FreeBSD 5.5-RELEASE with the same result.
    If anyone has access to another Linux/Unix system, please test it.

    Regards
    B
    Which seems to confirm that it's an Nmap issue vice a BT2 issue. Might I recommend the nmap forum/mailing list to you.

  5. #5 bzdziagwa (Just burned his ISO; Join Date: Jul 2007; Posts: 9)

    Can anyone test the -PA and -PS options and let me know?
    I don't want to post something stupid on the nmap mailing list.

    Regards
    B

  6. #6 theprez98 (Moderator; Join Date: Jan 2010; Location: Maryland; Posts: 2,533)

    Quote Originally Posted by bzdziagwa:
    Can anyone test the -PA and -PS options and let me know?
    I don't want to post something stupid on the nmap mailing list.

    Regards
    B
    But you feel ok posting "something stupid" here?

  7. #7 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by bzdziagwa:
    Can anyone test the -PA and -PS options and let me know?
    I don't want to post something stupid on the nmap mailing list.

    Regards
    B
    Had you considered reading the NMAP manual?

    http://insecure.org/nmap/man/man-briefoptions.html

    -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
    It would appear it's clearly written that the -PS and the -PA do the exact same thing. Just like what you're seeing.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8 purehate (Developer; Join Date: Mar 2007; Posts: 6,124)

    Quote Originally Posted by streaker69:
    Had you considered reading the NMAP manual?

    http://insecure.org/nmap/man/man-briefoptions.html

    It would appear it's clearly written that the -PS and the -PA do the exact same thing. Just like what you're seeing.
    What? You're supposed to READ the manual that comes with the software. Whoever heard of such a thing.

  9. #9 theprez98 (Moderator; Join Date: Jan 2010; Location: Maryland; Posts: 2,533)

    Frankly, I find it insulting that he's afraid to ask "something stupid" on the nmap forum/mailing list, but feels quite alright asking the same question here. I surely hope others are as offended as I am.

    If it wasn't my 1,000th post, I'd feel even worse...

  10. #10 streaker69 (Senior Member; Join Date: Jan 2010; Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by purehate:
    What? You're supposed to READ the manual that comes with the software. Whoever heard of such a thing.
    Yep, believe it or not, people actually write manuals for others to read. Otherwise the inturweb tubes would just be clogged with pr0n.
