robertdavidgraham / masscan

TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
GNU Affero General Public License v3.0

Sometimes resets connection instead of retrieving banner #133

Closed githubparser closed 9 years ago

githubparser commented 9 years ago

I've noticed that for a lot of hosts, masscan does not record proper banner detail when I run in Ubuntu, compared to OS X. Instead, it sends a reset packet. For example, scanning port 22 on 64.180.81.197:

sudo masscan --banners 64.180.81.197 -p 22

Broken (Ubuntu):

22:20:25.499697 IP Scanner.48825 > 64.180.81.197.22: Flags [S], seq 2668587924, win 1024, length 0
22:20:25.544191 IP 64.180.81.197.22 > Scanner.48825: Flags [S.], seq 2276952563, ack 2668587925, win 4128, options [mss 536], length 0
22:20:25.544220 IP Scanner.48825 > 64.180.81.197.22: Flags [R], seq 2668587925, win 0, length 0
22:20:25.544296 IP Scanner.48825 > 64.180.81.197.22: Flags [.], ack 1, win 1200, length 0
22:20:25.587166 IP 64.180.81.197.22 > Scanner.48825: Flags [R], seq 2276952564, win 0, length 0

Working (OS X):

21:17:56.928091 IP 10.0.1.4.48675 > 64.180.81.197.22: Flags [S], seq 2661271461, win 1024, length 0
21:17:57.061959 IP 64.180.81.197.22 > 10.0.1.4.48675: Flags [S.], seq 637624112, ack 2661271462, win 4128, options [mss 536], length 0
21:17:57.934641 IP 10.0.1.4.48675 > 64.180.81.197.22: Flags [.], ack 1, win 600, length 0
21:17:57.973210 IP 64.180.81.197.22 > 10.0.1.4.48675: Flags [P.], seq 1:21, ack 1, win 4128, length 20

I've tried a few different builds. It looks like it tries to complete the 3-way at the same time that it's resetting..? On other IPs that are otherwise identical systems, it works fine.

On a60cc7046b ..

Mildly puzzling. Any suggestions?

githubparser commented 9 years ago

Debug..

Ubuntu:

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-12-10 15:02:07 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
begin receive thread0.00% done, waiting 0-secs, found=0
64.180.81.197  :   22: -> TCP ackno=0xab9c2e22 flags=0x12(syn-ack)
64.180.81.197  :   22: =STATE_SYN_SENT : TCP_WHAT_SYNACK
Discovered open port 22/tcp on 64.180.81.197
64.180.81.197  :   22: -> TCP ackno=0x00000000 flags=0x04(rst)
64.180.81.197  :   22: =STATE_READY_TO_SEND : TCP_WHAT_RST
64.180.81.197 - bad cookie: ackno=0xffffffff expected=0xab9c2e21
recv: end receive thread #0one, waiting 0-secs, found=1
xmit: stopping transmit thread #0
EXITING main thread00.00% done, waiting 0-secs, found=1

Pcap

22:20:25.499697 IP Scanner.48825 > 64.180.81.197.22: Flags [S], seq 2668587924, win 1024, length 0
22:20:25.544191 IP 64.180.81.197.22 > Scanner.48825: Flags [S.], seq 2276952563, ack 2668587925, win 4128, options [mss 536], length 0
22:20:25.544220 IP Scanner.48825 > 64.180.81.197.22: Flags [R], seq 2668587925, win 0, length 0

OS X:

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2014-12-10 15:02:52 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
begin receive thread0.00% done, waiting 0-secs, found=0
64.180.81.197  :   22: -> TCP ackno=0x9dd762c2 flags=0x12(syn-ack)
64.180.81.197  :   22: =STATE_SYN_SENT : TCP_WHAT_SYNACK
Discovered open port 22/tcp on 64.180.81.197
64.180.81.197  :   22: -> TCP ackno=0x9dd762c2 flags=0x18(psh-ack)
64.180.81.197  :   22: =STATE_READY_TO_SEND : TCP_WHAT_ACK
64.180.81.197 - 0-sending, 0-reciving
64.180.81.197  :   22: =STATE_READY_TO_SEND : TCP_WHAT_DATA
Banner on port 22/tcp on 64.180.81.197: [ssh] SSH-1.99-Cisco-1.25
64.180.81.197  :   22: -> TCP ackno=0x9dd762c3 flags=0x10(ack)
64.180.81.197  :   22: -> TCP ackno=0x9dd762c3 flags=0x19(fin-psh-ack)
xmit: stopping transmit thread #0aiting 0-secs, found=1
recv: end receive thread #0one, waiting 0-secs, found=1
EXITING main thread00.00% done, waiting -1-secs, found=1

githubparser commented 9 years ago

I figured out that it was OS stack interference by using strace on masscan, but today I actually found that this is already captured in the manpage document (woops!):

From the manpage file (masscan.8):

SPURIOUS RESETS When scanning TCP using the default IP address of your adapter, the built-in stack will generate RST packets. This will prevent banner grabbing. There are two ways to solve this. [...]

I won't post the full explanation here, but this is a known and documented behaviour. Might be worth adding a note in the README.md under bannering, or suggesting in README.md to also read the manpage.
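As an added illustration (not masscan's own code), here is a small checker that reads tcpdump lines like the two captures quoted above and flags a flow where the scanning host answers a SYN-ACK with a RST before it ever sends its own handshake ACK, which is the signature of the kernel stack interfering with masscan's user-space TCP. The sample captures are copied verbatim from this thread; the regex is only tuned to the tcpdump line shape shown here.

```python
import re

# Constructed samples: the two tcpdump captures quoted in this issue, copied as-is.
BROKEN_UBUNTU = """\
22:20:25.499697 IP Scanner.48825 > 64.180.81.197.22: Flags [S], seq 2668587924, win 1024, length 0
22:20:25.544191 IP 64.180.81.197.22 > Scanner.48825: Flags [S.], seq 2276952563, ack 2668587925, win 4128, options [mss 536], length 0
22:20:25.544220 IP Scanner.48825 > 64.180.81.197.22: Flags [R], seq 2668587925, win 0, length 0
22:20:25.544296 IP Scanner.48825 > 64.180.81.197.22: Flags [.], ack 1, win 1200, length 0
22:20:25.587166 IP 64.180.81.197.22 > Scanner.48825: Flags [R], seq 2276952564, win 0, length 0
"""
WORKING_OSX = """\
21:17:56.928091 IP 10.0.1.4.48675 > 64.180.81.197.22: Flags [S], seq 2661271461, win 1024, length 0
21:17:57.061959 IP 64.180.81.197.22 > 10.0.1.4.48675: Flags [S.], seq 637624112, ack 2661271462, win 4128, options [mss 536], length 0
21:17:57.934641 IP 10.0.1.4.48675 > 64.180.81.197.22: Flags [.], ack 1, win 600, length 0
21:17:57.973210 IP 64.180.81.197.22 > 10.0.1.4.48675: Flags [P.], seq 1:21, ack 1, win 4128, length 20
"""

# Matches the tcpdump default line shape: "<ts> IP <src> > <dst>: Flags [<flags>], ..."
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")

def parse(capture):
    """Yield (src, dst, flags) for each tcpdump line; non-matching lines are skipped."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("flags")

def spurious_resets(capture):
    """Return the (client, server) flows where the client sent a RST after
    receiving the SYN-ACK but before sending its own handshake ACK.
    A scanner that wanted the banner would ACK, not reset; a RST here means
    another stack on the same host (the kernel) answered a SYN-ACK it never sent."""
    state = {}    # (client, server) -> syn_sent | synack_seen | established | reset
    flagged = []
    for src, dst, flags in parse(capture):
        if flags == "S":                       # client opens the connection
            state[(src, dst)] = "syn_sent"
            continue
        if flags == "S." and state.get((dst, src)) == "syn_sent":
            state[(dst, src)] = "synack_seen"  # server replied; client must ACK next
            continue
        flow = (src, dst)
        if state.get(flow) == "synack_seen":
            if "R" in flags:                   # reset instead of ACK: interference
                flagged.append(flow)
                state[flow] = "reset"
            elif flags == ".":                 # clean third step of the handshake
                state[flow] = "established"
    return flagged
```

Running it on the two captures flags the Ubuntu flow and leaves the OS X flow clean, matching the behaviour described in the thread.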