Friday, May 15, 2009

www.networkuptime.com -- Secrets of Network Cartography: A Comprehensive Guide to nmap

Nmap is an extremely powerful tool, and one of the most popular security utilities in the open source community. It's written and maintained by "Fyodor" and distributed from his web site at http://www.insecure.org/nmap/. nmap is a network mapping utility: provide nmap with a TCP/IP address, and it will identify any open "doors" or ports that might be available on that remote TCP/IP device. The real power behind nmap is the amazing number of scanning techniques and options available! Each nmap scan can be customized to be as blatantly obvious or as invisible as possible. Some nmap scans can forge your identity to make it appear that a separate computer is scanning the network, or simulate multiple scanning decoys on the network! This document will provide an overview of all nmap scanning methods, complete with packet captures and real-world perspectives of how these scans can be best used in enterprise networks.

Many of the most recent issues are based on Microsoft's implementation of raw sockets. Raw sockets are methods built into the operating system that allow a developer to bypass the normal TCP/IP processing of the kernel. This means that programmers can create customized (or raw) TCP/IP frames, a functionality that's critical for security programs. Many of nmap's functions make extensive use of these raw sockets.

With the implementation of Windows XP Service Pack 2 (SP2), Microsoft has removed the ability to create TCP frames through the raw sockets Application Programming Interface (API). UDP packets with spoofed IP addresses are also prevented with SP2. To work around these SP2 raw socket issues, nmap was modified to create raw Ethernet frames instead of raw TCP/IP frames. nmap's raw socket functions can now only create frames on Ethernet networks.

Microsoft also implemented another TCP/IP stack change to Windows XP SP2 that limits the number of simultaneous outbound TCP connections. This has a chilling effect on nmap's TCP connect() scan (-sT), since this scan normally creates many TCP connections. There is at least one non-Microsoft patch that removes this limitation, but the use of this patch is outside the scope of this tutorial. The nmap-hackers mailing list archive has more information on Microsoft's changes and some of the workarounds:

http://seclists.org/lists/nmap-hackers/2004/Jul-Sep/0003.html

TCP's connection-establishment handshake is often referred to as the "three-way handshake" because of the three frames that pass back and forth:

The First Frame – The initial synchronize (SYN) frame is sent from the station initiating the conversation to the destination station. The SYN frame includes initial sequence numbers and the port that will be used for the conversation, as well as other initialization parameters.

The Second Frame – The destination station receives the SYN frame. If everything is in agreement, it sends an acknowledgement to the SYN (called an ACK) and its own SYN parameters.

The Third Frame – The original station receives the ACK to its original SYN, as well as the SYN from the destination device. Assuming everything is in order, the source station sends an ACK to the destination station's SYN.

This handshake occurs every time a TCP session is established. It's this three-way handshake that allows nmap to gather so much information about the ports on a device.
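The three frames above, traced over a constructed capture as an added example (this is the editor's illustration, not code from the article or from nmap; the addresses, ports and frame sequence are made up). It classifies each conversation by how far its handshake got, which is the same evidence a scanner reads off the handshake to label a port and the same evidence a firewall or IDS counts when a host opens many conversations but completes very few:

```python
"""Track TCP three-way handshakes in a list of captured frames.

Added example, not code from the original article or from nmap. It walks
constructed frames in capture order and classifies each client-to-server
conversation by how far its handshake got. Addresses and ports are made up.
"""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def classify_conversations(frames):
    """frames: iterable of (src_ip, dst_ip, sport, dport, flags), in order.

    Returns {(client_ip, server_ip, server_port): state} where state is
    'unanswered' (SYN only), 'half-open' (SYN, SYN/ACK, no final ACK),
    'refused' (SYN answered by RST) or 'established' (all three frames).
    """
    states = {}
    for src, dst, sport, dport, flags in frames:
        if flags & SYN and not flags & ACK:
            # First frame: the client opens a conversation to dst:dport
            states.setdefault((src, dst, dport), "unanswered")
        elif flags & SYN and flags & ACK:
            # Second frame: the server answers with its own SYN plus an ACK
            key = (dst, src, sport)
            if states.get(key) == "unanswered":
                states[key] = "half-open"
        elif flags & RST:
            # A RST (or RST/ACK) from the server means nothing listens there
            key = (dst, src, sport)
            if states.get(key) == "unanswered":
                states[key] = "refused"
        elif flags & ACK:
            # Third frame: the client ACKs the server's SYN
            key = (src, dst, dport)
            if states.get(key) == "half-open":
                states[key] = "established"
    return states


def summarize_by_client(states):
    """Count outcomes per client address.

    A client whose conversations are mostly half-open, refused or
    unanswered, with few established ones, is behaving like a scanner."""
    summary = defaultdict(lambda: defaultdict(int))
    for (client, _server, _port), state in states.items():
        summary[client][state] += 1
    return {client: dict(counts) for client, counts in summary.items()}


# Constructed sample capture: (src, dst, src port, dst port, flags)
SAMPLE_FRAMES = [
    # 10.0.0.5 completes a normal handshake with 10.0.0.10:80
    ("10.0.0.5", "10.0.0.10", 40001, 80, SYN),
    ("10.0.0.10", "10.0.0.5", 80, 40001, SYN | ACK),
    ("10.0.0.5", "10.0.0.10", 40001, 80, ACK),
    # 10.0.0.99 gets a SYN/ACK from port 22 but tears down instead of ACKing
    ("10.0.0.99", "10.0.0.10", 50001, 22, SYN),
    ("10.0.0.10", "10.0.0.99", 22, 50001, SYN | ACK),
    ("10.0.0.99", "10.0.0.10", 50001, 22, RST),
    # 10.0.0.99 tries port 23, which has no listener: RST/ACK comes back
    ("10.0.0.99", "10.0.0.10", 50002, 23, SYN),
    ("10.0.0.10", "10.0.0.99", 23, 50002, RST | ACK),
    # 10.0.0.99 tries port 8080 and nothing answers at all
    ("10.0.0.99", "10.0.0.10", 50003, 8080, SYN),
]

if __name__ == "__main__":
    states = classify_conversations(SAMPLE_FRAMES)
    for key, state in states.items():
        print(key, "->", state)
    print(summarize_by_client(states))
```

Note that the state only moves forward when the expected frame arrives in the expected direction, so a client-sent RST after the SYN/ACK leaves the conversation marked half-open rather than refused; that asymmetry is exactly what makes per-client counts useful.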

If there's something going on, you can bet that ICMP (Internet Control Message Protocol) is going to be there to talk about it. ICMP is a multifaceted protocol that can identify an unreachable destination, redirect traffic to another network, identify routing loops, synchronize clocks, or identify when a router is overloaded.
ICMP is extremely helpful when nmap is scanning for available ports. If some UDP data is sent to another station using a port that's not available, an ICMP "port unreachable" message is usually sent back to the originating station as a notification that data using that particular port number isn't welcome here.
When ICMP is filtered or turned off, nmap can still interpret network responses to determine which ports are open or closed. Since many smart organizations do not allow ICMP to flow through their firewall, it's not always available for nmap to use.
One of ICMP's many functions is to send 'echoes' from one station to another, usually with a program called ping. This functionality is useful when troubleshooting a device's availability.
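An added example of the "port unreachable" notification described above, written for this page rather than taken from the article or from nmap: it builds a constructed ICMP Destination Unreachable message quoting a UDP datagram, the way a host replies when a datagram arrives for a port with no listener, and then parses it to recover which port the datagram was aimed at. The addresses, ports and IP identification value are made up; the layout (an 8-byte ICMP header followed by the original IP header and the first 8 bytes of the offending datagram) is the standard one, and the checksum check is the usual ones'-complement verification.

```python
"""Decode an ICMP 'port unreachable' notification back to the UDP probe
that triggered it.

Added example, not code from the original article or from nmap. Addresses,
ports and the IP identification value are constructed.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    13: "communication administratively prohibited",
}


def inet_checksum(data):
    """Ones'-complement checksum over 16-bit words (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreachable(src_ip, dst_ip, sport, dport):
    """Constructed reply to a UDP datagram with no payload sent to dst_ip:dport.

    The ICMP message quotes the datagram's IP header plus its first 8 bytes,
    which for UDP is the whole UDP header."""
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(udp_hdr), 0x1234, 0,
                         64, socket.IPPROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    quoted = ip_hdr + udp_hdr
    # Checksum field is zero while the checksum is computed, then filled in
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, csum, 0) + quoted


def parse_unreachable(msg):
    """Return what a Destination Unreachable message says about the
    original datagram, including which port it was aimed at."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP message too short to carry the quoted datagram")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % icmp_type)
    ihl = (msg[8] & 0x0F) * 4          # quoted IP header may carry options
    ip_fields = struct.unpack("!BBHHHBBH4s4s", msg[8:28])
    proto = ip_fields[6]
    l4 = msg[8 + ihl:8 + ihl + 8]
    if len(l4) < 8:
        raise ValueError("quoted transport header is truncated")
    sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "reason": UNREACH_CODES.get(code, "code %d" % code),
        # A message that verifies sums to zero, checksum field included
        "checksum_ok": inet_checksum(msg) == 0,
        "protocol": "udp" if proto == socket.IPPROTO_UDP else str(proto),
        "original_src": socket.inet_ntoa(ip_fields[8]),
        "original_dst": socket.inet_ntoa(ip_fields[9]),
        "original_sport": sport,
        "probed_port": dport,
    }


if __name__ == "__main__":
    reply = build_port_unreachable("10.0.0.99", "10.0.0.10", 53000, 161)
    print(parse_unreachable(reply))
```

Because the original source and destination are read out of the quoted IP header rather than the outer packet, a receiver can match the notification to the datagram it sent even when the ICMP reply comes from a router in between rather than from the target host itself.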
