Page 1 of 1

What's wrong?

Posted: 09 Jul 2005, 12:22
by Nerdz
A friend of mine keeps showing his ip on his msn... I warned him that people could scan him and blablabla... and he told me it was all bullshit. So as far as I know, I took his ip and tried to scan him with nmap -v -sS -o [ip]
and it said maybe the host is down...

The host can't be down because at the same time I was on his teamspeak server... So I tried to ping his ip and no response...

Posted: 09 Jul 2005, 14:00
by bad_brain
Firewall,mate.... :wink:
A SYN-scan is recognized by most packetfilters, even if it´s half-open (-sS).
Same with the Ping, the packets simply gets "swallowed" by the packetfilter and no response is send.
Try different methods like FIN- (-sF), Xmas-Tree-(-sX) or Null-scans(-sN) if he´s using a *nix OS (don´t work for MS, but I´m not 100% sure about that).
For a MS OS you can try a simple ping scan (-sP), nmap is using different ping methods: If the normal ICMP-packet is swallowed by the firewall it sends an TCP-datagram with the ACK-flag set which causes the target system to send a RST back, and if that still don´t work it sends a SYN-datagram which "waits" for a RST or SYN/ACK.
Another interesting option would be an ACK-scan(-sA), you must notice that only the ports which are not displayed in the scan result are the unfiltered("open") ones.
nmap is a real nice program, but far to extensive to explain all possible scan options here, so the best would be when you set up a home network and do some scans with enabled/disabled firewalls so you can experiment a bit and get experience.... :wink:

Oh, and you´re right: It is no good idea to display your IP to others IMO, and even if it´s not possible to hack into the system it opens possibilities for other stuff like flood attacks for example...