Closed githubparser closed 9 years ago

I've noticed that for a lot of hosts, masscan does not record proper banner detail when I run in Ubuntu, compared to OS X. Instead, it sends a reset packet. For example, scanning port 22 on 64.180.81.197:

Broken (Ubuntu):

Debug..

```
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-12-10 15:02:07 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
begin receive thread0.00% done, waiting 0-secs, found=0
64.180.81.197 : 22: -> TCP ackno=0xab9c2e22 flags=0x12(syn-ack)
64.180.81.197 : 22: =STATE_SYN_SENT : TCP_WHAT_SYNACK
Discovered open port 22/tcp on 64.180.81.197
64.180.81.197 : 22: -> TCP ackno=0x00000000 flags=0x04(rst)
64.180.81.197 : 22: =STATE_READY_TO_SEND : TCP_WHAT_RST
64.180.81.197 - bad cookie: ackno=0xffffffff expected=0xab9c2e21
recv: end receive thread #0one, waiting 0-secs, found=1
xmit: stopping transmit thread #0
EXITING main thread00.00% done, waiting 0-secs, found=1
```

Pcap

```
22:20:25.499697 IP Scanner.48825 > 64.180.81.197.22: Flags [S], seq 2668587924, win 1024, length 0
22:20:25.544191 IP 64.180.81.197.22 > Scanner.48825: Flags [S.], seq 2276952563, ack 2668587925, win 4128, options [mss 536], length 0
22:20:25.544220 IP Scanner.48825 > 64.180.81.197.22: Flags [R], seq 2668587925, win 0, length 0
```

Working (OS X):

```
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-12-10 15:02:52 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
begin receive thread0.00% done, waiting 0-secs, found=0
64.180.81.197 : 22: -> TCP ackno=0x9dd762c2 flags=0x12(syn-ack)
64.180.81.197 : 22: =STATE_SYN_SENT : TCP_WHAT_SYNACK
Discovered open port 22/tcp on 64.180.81.197
64.180.81.197 : 22: -> TCP ackno=0x9dd762c2 flags=0x18(psh-ack)
64.180.81.197 : 22: =STATE_READY_TO_SEND : TCP_WHAT_ACK
64.180.81.197 - 0-sending, 0-reciving
64.180.81.197 : 22: =STATE_READY_TO_SEND : TCP_WHAT_DATA
Banner on port 22/tcp on 64.180.81.197: [ssh] SSH-1.99-Cisco-1.25
64.180.81.197 : 22: -> TCP ackno=0x9dd762c3 flags=0x10(ack)
64.180.81.197 : 22: -> TCP ackno=0x9dd762c3 flags=0x19(fin-psh-ack)
xmit: stopping transmit thread #0aiting 0-secs, found=1
recv: end receive thread #0one, waiting 0-secs, found=1
EXITING main thread00.00% done, waiting -1-secs, found=1
```

I've tried a few different builds. It looks like it tries to complete the 3-way at the same time that it's resetting..? On other IPs that are otherwise identical systems, it works fine.

On a60cc7046b ..

Mildly puzzling. Any suggestions?

I figured out that it was OS stack interference by using strace on masscan, but today I actually found that this is already captured in the manpage document (woops!):

From the manpage file (masscan.8):

SPURIOUS RESETS When scanning TCP using the default IP address of your adapter, the built-in stack will generate RST packets. This will prevent banner grabbing. There are two ways to solve this. [...]

I won't post the full explanation here, but this is a known and documented behaviour. Might be worth adding a note in the README.md under bannering, or suggesting in README.md to also read the manpage.
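A small triage helper, added here and not part of the issue or of masscan, that parses tcpdump text output like the capture above and reports per connection whether the scanner host's own stack answered the target's SYN-ACK with a RST (the manpage's spurious reset) or whether a banner actually arrived. It assumes tcpdump's default text format with the scanner host printed as `Scanner`, as in the issue's capture; the working trace is constructed.

```python
import re
from collections import defaultdict
# One tcpdump text record; seq is absent on bare ACKs and a "seq a:b" range on data segments.
RECORD = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
                    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+).*, length (?P<len>\d+)$")
# The Ubuntu capture from the issue, its three records put on separate lines.
BROKEN_UBUNTU = """
22:20:25.499697 IP Scanner.48825 > 64.180.81.197.22: Flags [S], seq 2668587924, win 1024, length 0
22:20:25.544191 IP 64.180.81.197.22 > Scanner.48825: Flags [S.], seq 2276952563, ack 2668587925, win 4128, options [mss 536], length 0
22:20:25.544220 IP Scanner.48825 > 64.180.81.197.22: Flags [R], seq 2668587925, win 0, length 0
"""
# Constructed trace (not from the issue) of a handshake that completes and gets a banner.
WORKING_SAMPLE = """
22:21:10.100000 IP Scanner.48826 > 64.180.81.197.22: Flags [S], seq 1000, win 1024, length 0
22:21:10.150000 IP 64.180.81.197.22 > Scanner.48826: Flags [S.], seq 5000, ack 1001, win 4128, options [mss 536], length 0
22:21:10.150100 IP Scanner.48826 > 64.180.81.197.22: Flags [.], ack 5001, win 1024, length 0
22:21:10.200000 IP 64.180.81.197.22 > Scanner.48826: Flags [P.], seq 5001:5021, ack 1001, win 4128, length 20
"""

def parse(text):
    recs = [m.groupdict() for m in map(RECORD.match, text.strip().splitlines()) if m]
    for d in recs:  # numeric fields, None when the record lacks them
        for k in ("seq", "ack", "win", "len"):
            d[k] = None if d[k] is None else int(d[k])
    return recs

def classify_flows(text, scanner="Scanner"):
    """Per connection: did a banner arrive, or did the scanner host's own stack
    answer the target's SYN-ACK with a RST (the manpage's "spurious reset")?"""
    flows = defaultdict(list)
    for p in parse(text):
        out = p["src"].startswith(scanner + ".")
        flows[(p["src"], p["dst"]) if out else (p["dst"], p["src"])].append((p, out))
    verdicts = {}
    for (a, b), pkts in flows.items():
        verdict, synack = "no-synack", None
        for p, out in pkts:
            if synack is None:
                if not out and p["flags"] == "S.":
                    synack, verdict = p, "synack-only"
            elif out and "R" in p["flags"]:
                # RFC 793: a stack that never sent the SYN answers the SYN-ACK with RST, seq = its ack, win 0.
                spurious = p["seq"] == synack["ack"] and p["win"] == 0
                verdict = "kernel-reset" if spurious else "reset"
                break
            elif not out and p["len"] > 0:
                verdict = "banner-received"
                break
        verdicts[f"{a} > {b}"] = verdict
    return verdicts
```

A run of `kernel-reset` verdicts against hosts that answer SYN-ACK points at the adapter's own IP being used for the scan, which is exactly the condition the masscan.8 SPURIOUS RESETS section describes.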