masscan
SYN-ACK received, but no hosts found? Only on local subnet?
This -appears- to only be an issue with TCP packets, and only on the local subnet. I do get valid results from hosts outside the subnet, and I do get at least some UDP ports found. However, even though UDP shows up in stdout, found never increments there either.
Using the packet-trace and debug/verbose options, I can see SYN-ACK and RST-ACK packets being received by masscan. However, these ports never show up in stdout, and "found" never increments.
Below is a small and slow sample just to show the behavior. I've replaced the first two octets of the IP addresses below. It may be worth noting that they are non-RFC-1918 addresses, but that the range in question is owned by us and contained within our own environment, just in case you treat RFC-1918 address space differently.
Am I doing something stupid?
Edit: Something else I've noticed, when using --ping, even outside the local subnet, a result of a "Discovered" message ("Discovered open port 0/icmp on...") doesn't increment "found" either. Similar results to the UDP findings above. Is it by design that non-TCP messages don't increment found? This isn't really important since the results still contain the message, just unexpected.
```
[root@rhel7:~]# masscan -p22,80,443,514,1556,8080,U:137 --rate 1 54.239.10.44 --ping --packet-trace -v -d6
pcap: found library: libpcap.so
pfring: error: dlopen('libpfring.so'): No such file or directory
if: initializing adapter interface
if: interface=eth0
if:eth0: adapter-ip=54.239.10.53
if:eth0: type=ethernet(1)
if:eth0: adapter-mac=00-50-56-8b-03-57
if:eth0: pcap=libpcap version 1.5.3
if:eth0: opening...
if:eth0: successfully opened
if:eth0: not receiving transmits
if:eth0: looking for default gateway
if:eth0: router-ip=54.239.10.254
if:eth0:arp: resolving IPv4 address
SENT (0.0189) ARP 54.239.10.53 > 54.239.10.254 request
if:eth0: router-mac=e4-d3-f1-5e-ed-de
if:eth0: initialization done.
THREAD: recv: starting thread #0
THREAD: recv: starting main loop
THREAD: xmit: starting thread #0
Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-05-03 18:45:39 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
maxrate = 1.00
Initiating SYN Stealth Scan
Scanning 1 hosts [8 ports/host]
THREAD: status: starting thread
SENT (0.0473) TCP 54.239.10.53:49139 > 54.239.10.44:22 SYN
54.239.10.44 : 0: -> ARP [0] :00:00 remaining, found=0
RCVD (0.0484) TCP 54.239.10.44:22 > 54.239.10.53:49139 RST-ACK
SENT (1.0473) ARP 54.239.10.53 > 54.239.10.44 response
SENT (2.0474) TCP 54.239.10.53:49139 > 54.239.10.44:80 SYN
RCVD (2.0482) TCP 54.239.10.44:80 > 54.239.10.53:49139 RST-ACK
SENT (3.0474) TCP 54.239.10.53:49139 > 54.239.10.44:514 SYN
RCVD (3.0483) TCP 54.239.10.44:514 > 54.239.10.53:49139 RST-ACK
SENT (4.0475) TCP 54.239.10.53:49139 > 54.239.10.44:1556 SYN
RCVD (4.0485) TCP 54.239.10.44:1556 > 54.239.10.53:49139 RST-ACK
54.239.10.25 : 0: -> ARP [0] :00:06 remaining, found=0
SENT (5.0475) UDP 54.239.10.53:49139 > 54.239.10.44:137
RCVD (5.0486) UDP 54.239.10.44:137 > 54.239.10.53:49139
Discovered open port 137/udp on 54.239.10.44
SENT (6.0475) TCP 54.239.10.53:49139 > 54.239.10.44:8080 SYN
RCVD (6.0486) TCP 54.239.10.44:8080 > 54.239.10.53:49139 SYN-ACK
SENT (7.0475) ICMP 54.239.10.53:8 > 54.239.10.44:0
Discovered open port 0/icmp on 54.239.10.44
SENT (8.0476) TCP 54.239.10.53:49139 > 54.239.10.44:443 SYN
THREAD: xmit done, waiting for receive thread to realize this
RCVD (8.0486) TCP 54.239.10.44:443 > 54.239.10.53:49139 SYN-ACK
RCVD (9.0485) TCP 54.239.10.44:8080 > 54.239.10.53:49139 SYN-ACK
54.239.10.44 : 0: -> ARP [0] iting 9-secs, found=0
RCVD (11.0487) TCP 54.239.10.44:443 > 54.239.10.53:49139 SYN-ACK
RCVD (15.0489) TCP 54.239.10.44:8080 > 54.239.10.53:49139 SYN-ACK
54.239.10.44 : 0: -> ARP [0] iting 3-secs, found=0
SENT (15.8867) ARP 54.239.10.53 > 54.239.10.44 response
RCVD (17.0490) TCP 54.239.10.44:443 > 54.239.10.53:49139 SYN-ACK
THREAD: recv: stopping thread #0waiting 0-secs, found=0
THREAD: xmit: stopping thread #0
THREAD: status: stopping thread waiting 0-secs, found=0
[root@rhel7:~]#
[root@rhel7:~]# masscan --regress
regression test: success!
[root@rhel7:~]# masscan -V
Masscan version 1.0.6 ( https://github.com/robertdavidgraham/masscan )
Compiled on: May 3 2019 11:57:49
Compiler: gcc 4.8.5 20150623 (Red Hat 4.8.5-36)
OS: Linux
CPU: unknown (64 bits)
GIT version: 1.0.5-74-g3020e24
```
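An added example, not code from the issue or the masscan project: a small Python audit that parses `--packet-trace` lines in the format shown above and lists targets that answered with SYN-ACK (or replied over UDP) without a matching `Discovered open port` line, which is exactly the discrepancy the report describes. The trace excerpt is constructed from the session's format; `audit` and `missing_reports` are hypothetical names.

```python
import re

# Constructed excerpt in the shape of the --packet-trace output quoted in the issue
# (not the full session): SENT/RCVD packet lines plus the "Discovered" lines masscan
# prints to stdout.
TRACE = """\
SENT (0.0473) TCP 54.239.10.53:49139 > 54.239.10.44:22 SYN
RCVD (0.0484) TCP 54.239.10.44:22 > 54.239.10.53:49139 RST-ACK
SENT (5.0475) UDP 54.239.10.53:49139 > 54.239.10.44:137
RCVD (5.0486) UDP 54.239.10.44:137 > 54.239.10.53:49139
Discovered open port 137/udp on 54.239.10.44
SENT (6.0475) TCP 54.239.10.53:49139 > 54.239.10.44:8080 SYN
RCVD (6.0486) TCP 54.239.10.44:8080 > 54.239.10.53:49139 SYN-ACK
SENT (8.0476) TCP 54.239.10.53:49139 > 54.239.10.44:443 SYN
RCVD (8.0486) TCP 54.239.10.44:443 > 54.239.10.53:49139 SYN-ACK
RCVD (9.0485) TCP 54.239.10.44:8080 > 54.239.10.53:49139 SYN-ACK
"""

PKT = re.compile(r"^(SENT|RCVD) \([\d.]+\) (TCP|UDP|ICMP) (\S+):(\d+) > (\S+):(\d+) ?(\S*)$")
DISC = re.compile(r"^Discovered open port (\d+)/(\w+) on (\S+)$")

def audit(trace):
    """Per (host, port, proto): probes sent, response flags received, and whether
    masscan ever printed a matching 'Discovered' line."""
    state = {}
    for line in trace.splitlines():
        m = PKT.match(line)
        if m:
            direction, proto, src, sport, dst, dport, flags = m.groups()
            # On SENT the target is the destination; on RCVD it is the source.
            host, port = (src, int(sport)) if direction == "RCVD" else (dst, int(dport))
            entry = state.setdefault((host, port, proto.lower()),
                                     {"sent": 0, "rcvd": [], "reported": False})
            if direction == "SENT":
                entry["sent"] += 1
            else:
                entry["rcvd"].append(flags or "DATA")   # UDP replies carry no flags
            continue
        d = DISC.match(line)
        if d:
            port, proto, host = d.groups()
            state.setdefault((host, int(port), proto),
                             {"sent": 0, "rcvd": [], "reported": False})["reported"] = True
    return state

def missing_reports(state):
    """Targets that answered positively (TCP SYN-ACK, or any UDP reply) but never
    appeared in a 'Discovered' line; sorted for stable output."""
    return sorted(key for key, e in state.items()
                  if not e["reported"]
                  and ("SYN-ACK" in e["rcvd"] or (key[2] == "udp" and e["rcvd"])))

if __name__ == "__main__":
    for host, port, proto in missing_reports(audit(TRACE)):
        print(f"{host} {port}/{proto}: positive reply seen but never reported")
```

Repeated SYN-ACKs for the same port (8080 above) show up as multiple entries in `rcvd`, so the same audit also makes the retransmissions visible.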
`--show open,closed`
both when running the scan and saving to a file (especially a binary file), as well as when running `--readscan` after the fact.
Masscan (in my testing) appears to only send traffic to the default gateway, so if your gateway is a security appliance it is likely the connection will not work, as the gateway will only see part of the flow (and likely makes its own changes to seq/ack).