I use nmap's default stealth scan as a means to determine port status on client systems. It recently came to my attention that this was causing error logging on the client side due to the reception of the RST packet during the connection.

I've modified nmap to use tcp connect() (-sT option) instead, but upon review of the packets, can confirm that the RST packet is still sent to close the connection.

Is there any way to get nmap to do both connect() and close the connection with FIN?

For further information on the exact exchange:

Default scan:
Source - SYN
Dest - SYN-ACK
Source - RST-ACK

TCP Connect scan:
Source - SYN
Dest - SYN-ACK
Source - ACK
Source - RST

What's Needed:
Source - SYN
Dest - SYN-ACK
Source - ACK
Source - FIN
Dest - FIN-ACK
Dest - FIN
Source - FIN-ACK

Note that I only need to control what is happening on source.

Can you provide some code you tried? – Felipe Augusto
@FelipeAugusto I'm having trouble with formatting, I will post the command in the next reply to separate it from the text. – Niel
nmap -sT ${ip} -p ${port} -Pn 2>/dev/null – Niel
If it helps, I found nothing in the documentation that talks about how nmap closes its connections. However, I feel that since it is a port scanner, it follows that it wants to close out the connections as fast as it can to move on to the next port. This would involve a RST instead of the full interaction on a close(). I would simply like for someone to confirm this. – Niel
Maybe you should then try ncat or socat in a suitable loop - both will do what you want. – countermode

1 Answer


As I have not received much response here, I decided to operate under the assumption that even with a TCP connect() scan, nmap will disconnect with a RST for performance reasons.

My final solution was to mix two separate scans:

FIN scan - to distinguish between closed and open|filtered
ACK scan - to distinguish between filtered and unfiltered

I used bash to determine between all three states with the following conditional statement:

# FIN scan: "closed" means the port answered the FIN probe with RST; any other
# state is inconclusive on its own and needs the ACK scan.
FSTATUS=$(sudo nmap -sF "${HL7_OUTBOUND_IP}" -p "${HL7_OUTBOUND_PORT}" -Pn 2>/dev/null | grep "^${HL7_OUTBOUND_PORT}" | awk '{print $2}')
if [[ $FSTATUS == "filtered" || $FSTATUS == 'open|filtered' ]]; then
    # ACK scan: "unfiltered" means the host replied to the unsolicited ACK,
    # so no firewall is dropping packets to this port.
    ASTATUS=$(sudo nmap -sA "${HL7_OUTBOUND_IP}" -p "${HL7_OUTBOUND_PORT}" -Pn 2>/dev/null | grep "^${HL7_OUTBOUND_PORT}" | awk '{print $2}')
    if [[ $ASTATUS == "unfiltered" ]]; then
        PORT_STATUS="OPEN"
    else
        PORT_STATUS="FILTERED"
    fi
else
    PORT_STATUS="CLOSED"
fi

This distinguished between all three states, and did not send a RST, allowing me to get a similar result to the SYN scan.
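The FIN-plus-ACK method from the answer, written up as an added example that is not the answerer's script and not part of nmap: the classification is factored into a function that can be checked without scanning, and the state word is read from nmap's grepable output (-oG -) rather than the human-readable table. The helper names, the host 192.0.2.10 and port 2575 are placeholders chosen here.

```shell
#!/usr/bin/env bash
# Port state from a FIN scan plus an ACK scan (the method in the answer above).
# Hypothetical helpers; host and port values are placeholders.
set -u

# classify_port FIN_STATE ACK_STATE -> prints OPEN, CLOSED or FILTERED.
classify_port() {
    local fin_state=$1 ack_state=$2
    case "$fin_state" in
        closed)
            # The target answered the FIN probe with RST: nothing is listening.
            echo CLOSED ;;
        'open|filtered'|filtered)
            # No answer (or an ICMP error) to the FIN probe. The ACK probe
            # tells a dropping firewall ("filtered") from a reachable port
            # ("unfiltered": the host sent RST to the unsolicited ACK).
            if [ "$ack_state" = unfiltered ]; then echo OPEN; else echo FILTERED; fi ;;
        *)
            echo UNKNOWN ;;
    esac
}

# parse_grepable PORT: read nmap -oG output on stdin and print the state word
# for PORT. The Ports: field lists "port/state/proto/owner/service/..." entries
# separated by ", ", so the port is matched after "Ports: " or after a comma.
parse_grepable() {
    awk -v p="$1" 'match($0, "(Ports: |, )" p "/[^/]*/") {
        split(substr($0, RSTART, RLENGTH), f, "/"); print f[2]; exit }'
}

# nmap_state SCANTYPE HOST PORT: one raw-socket scan, state word only.
nmap_state() {
    sudo nmap "$1" -Pn -p "$3" -oG - "$2" 2>/dev/null | parse_grepable "$3"
}

# probe_port HOST PORT: FIN scan first; ACK scan only when FIN was inconclusive.
probe_port() {
    local fin ack=""
    fin=$(nmap_state -sF "$1" "$2")
    [ "$fin" = closed ] || ack=$(nmap_state -sA "$1" "$2")
    classify_port "$fin" "$ack"
}

# Example: probe_port 192.0.2.10 2575   (placeholder host and port)
if [ $# -eq 2 ]; then
    probe_port "$1" "$2"
fi
```

The FIN half of this relies on the target following RFC 793 for probes to open ports; stacks that answer every FIN probe with RST (Windows among them) report every port as CLOSED, so confirm the target's behaviour on a known-open port before trusting the result.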