Ports are now considered open during a SYN scan if a SYN packet (without the ACK

flag) is received in response. This can be due to an extremely rare TCP feature
known as a simultaneous open or split handshake connection.
see http://nmap.org/misc/split-handshake.pdf
Added a reason code: ER_SYN and associated reason string: "split-handshake-syn".

CHANGELOG

@@ -1,5 +1,12 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Ports are now considered open during a SYN scan if a SYN packet
+  (without the ACK flag) is received in response. This can be due to
+  an extremely rare TCP feature known as a simultaneous open or split
+  handshake connection. see http://nmap.org/misc/split-handshake.pdf
+  Added a reason code: ER_SYN and associated reason string:
+  "split-handshake-syn".
+
 o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
   level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
   the problem. [Kris]

portreasons.cc

@@ -106,8 +106,8 @@ class PortList;
 
 /* Possible plural and singular reasons */
 const char *reason_text[ER_MAX+1]={ 
-        "reset", "conn-refused", "syn-ack", "syn-ack",  "udp-response",
-        "proto-response", "perm-denied",
+        "reset", "conn-refused", "syn-ack", "syn-ack", "split-handshake-syn",
+        "udp-response", "proto-response", "perm-denied",
         "net-unreach", "host-unreach", "proto-unreach",
         "port-unreach", "echo-reply", "unknown", "unknown", "dest-unreach",
         "source-quench", "net-prohibited", "host-prohibited", "unknown", 
@@ -119,8 +119,8 @@ const char *reason_text[ER_MAX+1]={
 };
 
 const char *reason_pl_text[ER_MAX+1]={ 
-        "resets", "conn-refused", "syn-acks", "syn-acks",  "udp-responses",
-        "proto-responses", "perm-denieds",
+        "resets", "conn-refused", "syn-acks", "syn-acks", "split-handshake-syns",
+        "udp-responses", "proto-responses", "perm-denieds",
         "net-unreaches", "host-unreaches", "proto-unreaches",
         "port-unreaches", "echo-replies", "unknowns", "unknowns", "dest-unreaches",
         "source-quenches", "net-prohibiteds", "host-prohibiteds", "unknowns", 

portreasons.h

@@ -127,19 +127,19 @@ typedef struct port_reason_summary {
 /* portreasons.h:reason_codes and portreasons.cc:reason_str must stay in sync */
 enum reason_codes {
 	ER_RESETPEER=0, ER_CONREFUSED, ER_CONACCEPT, 
-	ER_SYNACK, ER_UDPRESPONSE, ER_PROTORESPONSE, ER_ACCES, /* 7 */
+	ER_SYNACK, ER_SYN, ER_UDPRESPONSE, ER_PROTORESPONSE, ER_ACCES, /* 8 */
 
 	ER_NETUNREACH, ER_HOSTUNREACH, ER_PROTOUNREACH,
-	ER_PORTUNREACH, ER_ECHOREPLY,  /* 11 */
+	ER_PORTUNREACH, ER_ECHOREPLY,  /* 12 */
 
 	ER_DESTUNREACH=14, ER_SOURCEQUENCH, ER_NETPROHIBITED,
 	ER_HOSTPROHIBITED, ER_ADMINPROHIBITED=20,
 	ER_TIMEEXCEEDED=22, ER_TIMESTAMPREPLY=25,
 
-	ER_ADDRESSMASKREPLY=29, ER_NOIPIDCHANGE, ER_IPIDCHANGE,
+	ER_ADDRESSMASKREPLY=30, ER_NOIPIDCHANGE, ER_IPIDCHANGE,
 	ER_ARPRESPONSE, ER_TCPRESPONSE, ER_NORESPONSE,
 	ER_INITACK, ER_ABORT,
-	ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER, ER_MAX=ER_USER   /* 41 */
+	ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER, ER_MAX=ER_USER   /* 42 */
 };
 
 /* Be careful to update these values if any ICMP
@@ -147,8 +147,8 @@ enum reason_codes {
  *
  * ICMP ER_* codes are calculated by adding the 
  * offsets below to an ICMP packets code/type value */
-#define ER_ICMPCODE_MOD 7  
-#define ER_ICMPTYPE_MOD 11  
+#define ER_ICMPCODE_MOD 8  
+#define ER_ICMPTYPE_MOD 12  
 
 /* passed to the print_state_summary.
  * STATE_REASON_EMPTY will append to the current line, prefixed with " because of"

scan_engine.cc

@@ -4102,6 +4102,10 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
 	    /* Yeah!  An open port */
 	    newstate = PORT_OPEN;
 	    current_reason = ER_SYNACK;
+	  } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {
+	    /* A SYN from a TCP Split Handshake - open port */
+	    newstate = PORT_OPEN;
+	    current_reason = ER_SYN;
 	  } else if (tcp->th_flags & TH_RST) {
 	    current_reason = ER_RESETPEER;
 	    if (USI->scantype == WINDOW_SCAN ) {