PaulDotCom Security Weekly - Episode 55 - December 21, 2006

Live from the PaulDotCom Security Weekly Studio....

Hosts: Larry "Uncle Larry" Pesce, Paul "PaulDotCom" Asadoorian, Nick "Twitchy" Depetrillo, Joe "Mr. C" Conlin
Email: psw@pauldotcom.com

Direct Audio Download

(Bandwidth provided by OSHEAN)


6 Comments

By default, Nmap sends a TCP ACK packet to port 80 and an ICMP Echo Request query to every host specified in the nmap call. If you are on the same local Ethernet network, an ARP scan is used. If the user running nmap does not have enough privileges, a SYN packet is sent instead of the ACK, using the connect() system call.

For example, if I was in my local network with an IPv4 192.168.1.6 host running 2.6.x Linux and I wanted to nmap scanme.nmap.com the Wireshark output would be something like:

Name resolution:
SOURCE: 192.168.1.6 DESTINATION: MyDNS_Server PROTOCOL: DNS DATA: Standard query A scanme.nmap.com
SOURCE: MyDNS_Server DESTINATION: 192.168.1.6 PROTOCOL: DNS DATA: Standard query response A 205.217.153.62

First test, ICMP Ping:
SOURCE: 192.168.1.6 DESTINATION: 205.217.153.62 PROTOCOL: ICMP DATA: Echo (ping) request. ICMP type 8. Code 0.
SOURCE: 205.217.153.62 DESTINATION: 192.168.1.6 PROTOCOL: ICMP DATA: Echo (ping) reply. ICMP type 0. Code 0.

Second Test, TCP ACK packet:
SOURCE: 192.168.1.6 DESTINATION: 205.217.153.62 PROTOCOL: TCP DATA: DestinationPort:80 SequenceNumber:0 ACK_Number:0 HeaderLength:20bytes Flags:0x0010 (ACK) WindowSize:1024
SOURCE: 205.217.153.62 DESTINATION: 192.168.1.6 PROTOCOL: TCP DATA: SourcePort:80 SequenceNumber:0 HeaderLength:20bytes Flags:0x0004 (RST) WindowSize:0


After that, by default nmap starts sending TCP SYN packets to every port (but in random order), SequenceNumber:0 Len:0 MaximumSegmentSize:1460

If it gets a TCP RST/ACK from a given port, Nmap considers it closed. If it gets a TCP SYN/ACK, then the port is "willing to do the TCP 3-way handshake" and nmap considers it an open port.

Discovered by using Wireshark and scanning a host with NMAP:

An ICMP echo request (ping) and an ACK packet with destination port 80, sequence number 0 and window size 4096

Merry Xmas!

Nmap sends these packets by default:
SYN to port 80 (www).
If the host is up and port 80 is open it will reply with a SYN, ACK. If port 80 isn't open and the host is up it will reply with a RST, ACK, closing the connection.

If the host replies with SYN, ACK, nmap will reply with ACK, completing the three-way handshake, and then a RST, ACK, closing the connection.

Regarding Wimax. I used to work for an OEM in the Wimax race. The initial product was designed to compete with cable and ISDN modems, so it was wireless yet stationary using a home device that mounted on your roof, or a cable modem like box with an antenna.

At the time, the mobile profiles were still unstable, but that was next. There was also some talk of mobile phone providers ultimately using Wimax as their wireless technology.

So after Wimax as a cable modem replacement technology, I see it getting smaller and providing laptops with metro-area wireless and then eventually providing cell phones and PDAs with wireless access.

One provider was also planning to use it as a backbone technology in a location where erecting towers every 30km or so was going to be cheaper than running wires.

So, do I win?