diff --git a/CHANGELOG b/CHANGELOG
index b5f8ca42c..172696868 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,12 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o Ports are now considered open during a SYN scan if a SYN packet
+ (without the ACK flag) is received in response. This can be due to
+ an extremely rare TCP feature known as a simultaneous open or split
+ handshake connection. see http://nmap.org/misc/split-handshake.pdf
+ Added a reason code: ER_SYN and associated reason string:
+ "split-handshake-syn".
+
 o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence level of 0.9995 was used. Thanks to Marcin Hoffmann for noticing the problem. [Kris]
diff --git a/portreasons.cc b/portreasons.cc
index 056363371..7a20e86a4 100644
--- a/portreasons.cc
+++ b/portreasons.cc
@@ -106,8 +106,8 @@ class PortList;
 /* Possible plural and singular reasons */
 const char *reason_text[ER_MAX+1]={
- "reset", "conn-refused", "syn-ack", "syn-ack", "udp-response",
- "proto-response", "perm-denied",
+ "reset", "conn-refused", "syn-ack", "syn-ack", "split-handshake-syn",
+ "udp-response", "proto-response", "perm-denied",
 "net-unreach", "host-unreach", "proto-unreach", "port-unreach", "echo-reply", "unknown", "unknown", "dest-unreach", "source-quench", "net-prohibited", "host-prohibited", "unknown",
@@ -119,8 +119,8 @@ const char *reason_text[ER_MAX+1]={
 };
 const char *reason_pl_text[ER_MAX+1]={
- "resets", "conn-refused", "syn-acks", "syn-acks", "udp-responses",
- "proto-responses", "perm-denieds",
+ "resets", "conn-refused", "syn-acks", "syn-acks", "split-handshake-syns",
+ "udp-responses", "proto-responses", "perm-denieds",
 "net-unreaches", "host-unreaches", "proto-unreaches", "port-unreaches", "echo-replies", "unknowns", "unknowns", "dest-unreaches", "source-quenches", "net-prohibiteds", "host-prohibiteds", "unknowns",
diff --git a/portreasons.h b/portreasons.h
index be2529885..be90c057a 100644
--- a/portreasons.h
+++ b/portreasons.h
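Review bot: Inserting "split-handshake-syn" at index 4 of reason_text shifts every later entry by one, so "dest-unreach" is now index 15, "source-quench" 16, "net-prohibited" 17 and "host-prohibited" 18, yet the enum in the portreasons.h hunk at @@ -127 keeps ER_DESTUNREACH=14, ER_SOURCEQUENCH, ER_NETPROHIBITED, ER_HOSTPROHIBITED following it, ER_ADMINPROHIBITED=20, ER_TIMEEXCEEDED=22 and ER_TIMESTAMPREPLY=25, and only moves ER_ADDRESSMASKREPLY to 30; the header's own comment says the enum and this table must stay in sync, and with the new layout reason_text[ER_DESTUNREACH] reads "unknown" while reason_text[ER_SOURCEQUENCH] reads "dest-unreach". Codes derived through ER_ICMPTYPE_MOD/ER_ICMPCODE_MOD (bumped to 12 and 8 in the same header) do land on the shifted entries, so the mismatch only bites where those named constants are used directly, which this diff does not show. Giving the explicit values the same +1 that ER_ADDRESSMASKREPLY received (29 to 30) keeps both paths consistent: `ER_DESTUNREACH=15, ER_SOURCEQUENCH, ER_NETPROHIBITED,`, `ER_HOSTPROHIBITED, ER_ADMINPROHIBITED=21,` and `ER_TIMEEXCEEDED=23, ER_TIMESTAMPREPLY=26,`. The reason_pl_text hunk at @@ -119 has the identical shift and is covered by the same fix.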
@@ -127,19 +127,19 @@ typedef struct port_reason_summary {
 /* portreasons.h:reason_codes and portreasons.cc:reason_str must stay in sync */
 enum reason_codes {
 ER_RESETPEER=0, ER_CONREFUSED, ER_CONACCEPT,
- ER_SYNACK, ER_UDPRESPONSE, ER_PROTORESPONSE, ER_ACCES, /* 7 */
+ ER_SYNACK, ER_SYN, ER_UDPRESPONSE, ER_PROTORESPONSE, ER_ACCES, /* 8 */
 ER_NETUNREACH, ER_HOSTUNREACH, ER_PROTOUNREACH,
- ER_PORTUNREACH, ER_ECHOREPLY, /* 11 */
+ ER_PORTUNREACH, ER_ECHOREPLY, /* 12 */
 ER_DESTUNREACH=14, ER_SOURCEQUENCH, ER_NETPROHIBITED, ER_HOSTPROHIBITED, ER_ADMINPROHIBITED=20, ER_TIMEEXCEEDED=22, ER_TIMESTAMPREPLY=25,
- ER_ADDRESSMASKREPLY=29, ER_NOIPIDCHANGE, ER_IPIDCHANGE,
+ ER_ADDRESSMASKREPLY=30, ER_NOIPIDCHANGE, ER_IPIDCHANGE,
 ER_ARPRESPONSE, ER_TCPRESPONSE, ER_NORESPONSE, ER_INITACK, ER_ABORT,
- ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER, ER_MAX=ER_USER /* 41 */
+ ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER, ER_MAX=ER_USER /* 42 */
 };
 /* Be careful to update these values if any ICMP
@@ -147,8 +147,8 @@ enum reason_codes {
 *
 * ICMP ER_* codes are calculated by adding the
 * offsets below to an ICMP packets code/type value */
-#define ER_ICMPCODE_MOD 7
-#define ER_ICMPTYPE_MOD 11
+#define ER_ICMPCODE_MOD 8
+#define ER_ICMPTYPE_MOD 12
 /* passed to the print_state_summary.
 * STATE_REASON_EMPTY will append to the current line, prefixed with " because of"
diff --git a/scan_engine.cc b/scan_engine.cc
index 21645254c..762972562 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -4102,6 +4102,10 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
 /* Yeah! An open port */
 newstate = PORT_OPEN;
 current_reason = ER_SYNACK;
+ } else if (USI->scantype == SYN_SCAN && tcp->th_flags == TH_SYN) {
+ /* A SYN from a TCP Split Handshake - open port */
+ newstate = PORT_OPEN;
+ current_reason = ER_SYN;
 } else if (tcp->th_flags & TH_RST) {
 current_reason = ER_RESETPEER;
 if (USI->scantype == WINDOW_SCAN ) {
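Review bot: The new branch in get_pcap_result only recognises a bare SYN, `tcp->th_flags == TH_SYN`, so a split-handshake SYN that also carries the ECN setup bits (ECE/CWR) or any other non-ACK flag falls through to the TH_RST and later branches and is never reported as open with ER_SYN. Because the branch just above has already consumed SYN|ACK replies (the ER_SYNACK case), a masked compare covers those packets without reopening that path: `} else if (USI->scantype == SYN_SCAN && (tcp->th_flags & (TH_SYN | TH_ACK | TH_RST)) == TH_SYN) {`; whether the ER_SYNACK test above is itself a mask or an exact compare is outside the hunk, so confirm that ordering first. The "split-handshake-syn" reason is what lets an analyst tell this result apart from an ordinary syn-ack open (a host or middlebox answering probes with bare SYNs would otherwise make every port look open), so it is worth checking that the reason reaches the normal and XML output, which this diff does not show. get_pcap_result starts and ends outside the hunk.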