I'm beginner in using map and I read reference guide in nmap homepage. When I read host discovery with -P* options I suddenly had question about it.
There are -PS option in nmap and it sends syn packet to server to determine server is turned on or not. If nmap gets ACK/SYN packet for three-way handshake then it means server is turned on. If nmap get RST then it means that server is shut down. If timeout occur then firewall is exist between server and user computer...
Nmap homepage guide book saids they give -PA option to give more change for bypassing firewall. I thought if we send ACK packet instead of SYN then server will send RST packet for response in both case. Server is turned on or not. If timeout occur then we can determine firewall is exist. So I think usage of -PA is check firewall instead of check server is turned on or not.
My question is that I'm not sure about above things. Because I'm not good at network yet and beginner in this area. Did I understand correctly?
For the -P* options, Nmap considers any response from the server to be an indication that the server is up. Both SYN/ACK and RST packets count, as do several types of ICMP response like Port Unreachable. The specific type of response may indicate the state of the port, and would be analyzed by the port scan (-s* options), but for host discovery, any response is as good as another.
Related
We are facing a technical issue with networking, which I'm not able to comprehend.
We are using Linphone Client to connect to x.x.x.125(Freeswitch box) via x.x.x.101 i.e .101 being a SIP proxy Flexisip.
The SIP flow look as below.
[ Linphone box ] <-> [ `.101` box ] <-> [ `.125` box ]
Now when we register i.e SIP REGISTER request (without VPN connected) to .125 via .101 it works i.e Registration is a success, saying this because I was sniffing around the traffic with TCP dump on both .101 and Linphone Client box (both had 200 OK Response for Register request).
Now here is the deal, when we make a call i.e send SIP INVITE request without VPN connected. We see no traffic on .101 box but same can be found on Linphone box hinting that request is directed to .101.(but at the same time I can constantly see OPTIONS request appearing from .101 to Linphone Machine and also a 200K response getting sent from Linphone machine for OPTIONS request.)
Now, The sooner we connect to VPN, we see the request appearing on the .101 box from Linphone box
Now, had this behaviour would have stayed constant, I would have suspected the Firewall rule but the it would work during SIP REGISTER and not using Regular INVITE invite is something I'm able to understand here.
And when we are connected to VPN it work.
NOTE: If I assume this is a packet loss as a part of UDP even the retransmission too does not go through and this happen in multiple run..
It's only the INVITE packet would not be sent always does not happen with REGISTER request.
Here how the sip flow looks like
Given the REGISTER requests are getting through that rules out an IP routing and firewall issue (assuming it's not doing deep inspection on SIP packets).
That leaves the two most likely culprits as the client software (in this case Linphone) using the wrong network interface,
Try running a test with a tool like sipp where you can explicitly set the local address to use and the type of SIP request to send.
# To test the user agent client scenario (which sends INVITE requests) use:
sipp -bind_local 10.1.10.1 -sn uac -m 1 x.x.x.125
Update:
Some observations from inspecting the packet captures:
In the no VPN case:
there is a NAPT between the softphone and the Proxy translating 10.1.10.1 to 49.36.13.47, e.g. 10.1.10.1:39248 mapped to 49.36.13.47:44150.
REGISTER responses do appear to be coming from the FreeSWITCH server at 63.211.239.125 according to the User Agent string of Flexisip... on the response.
in agreement with the original post there are no responses at all to INVITE requests in the capture.
there are no fragmented UDP packets captured.
In the VPN case:
there is no NAPT between the softphone and the Proxy. The softphone traffic is originating from 172.17.8.37.
the softphone is using an IP address of 192.168.29.134 in it's SDP offer which means the device likely has multiple network interfaces.
there is a fragmented UDP packet recorded when the softphone sends an INVITE request to the Proxy but it doesn't seem to be an issue as the Proxy happily forwards the request to the FreeSWITCH server.
Missing Data:
The no VPN capture does not contain the traffic between the Proxy and the FreeSWITCH server. This is the most crucial leg for the analysis since it could show whether the Proxy is forwarding the INVITE request or not.
Running tcpdump directly on the Proxy would be able to provide this missing information.
Updated Guess:
Based on the still incomplete information my best guess would now be that that Proxy has misconfigured (or perhaps deliberate) SIP settings and is silently dropping INVITE requests received on public interfaces.
When the softphone connects on the VPN the INVITE requests are forwarded because they are considered to originate from an internal network.
For REGISTER requests the Proxy could have a rule that says always forward them no matter which interface the Proxy receives them on since they are not as risky as INVITES.
If the path is different, the INVITE will go through different networks and they may not behave the same.
I can see 2 possible issues with the network used when VPN is not active:
A NAT has an ALG which, being broken, would drop the INVITE and let the other ones go through. This is unlikely, because it's happening for several User-Agent your tried.
The network is configured to drop packet larger than a specific size. This is very likely because the INVITE, with all User-Agent, is always the largest SIP message being sent.
I would advise you:
Try TCP: This should confirm it's a UDP only issue.
Try to remove all codecs and keep only PCMA, with UDP: if it works, it's likely a UDP/MTU/SIZE issue.
EDIT:
To make it clear, you certainly have an MTU issue.
Thus, I advise you to test your UDP network and the MTU size limit with and without the VPN. You don't have to use your android, but you need to use the same network.
On sip server, starts:
$> nc -u -l -p 2399
On LAN side, any PC with same network with netcat tool...
$> cat invite1000.example | nc -u sip.antisip.com 2399
$> cat invite1200.example | nc -u sip.antisip.com 2399
$> cat invite1500.example | nc -u sip.antisip.com 2399
$> cat invite2000.example | nc -u sip.antisip.com 2399
$> cat invite8000.example | nc -u sip.antisip.com 2399
Make several invitexxx.example files with any data, but with specific number of char in it.
In theory, nc/netcat on the server will stop receiving the packets when going over the MTU (or the packet will be incomplete).
Then, this will confirm it's an MTU issue.
I want to implement a telnet server which listens on different ports for different applications. How to do it in a clean and efficient way?
Suppose I am able to do it, i.e my telnet server listens on port 23 and 12345. If an attacker launches an SYN flooding attack against the telnet server on my telnet server at port 23. What will happen to another port - 12345, when the attack is successful? Is it still accessible?
A SYN flood attack is fully handled in the OS kernel. A server doing accept will only return from accept if the three-way-handshake to establish the TCP connection was already successful, which is not the case with SYN flooding.
But, SYN flooding will affect the memory usage of the system. If this will only affect the single socket or will affect the system in general depends on the OS and maybe its configuration. But it should not actually matter if there is a process handling multiple sockets vs. multiple processes each handling a single socket.
I establish a TCP connection between my server and client which runs on the same host. We gather and read from the server or say source in our case continuously.
We read data on say 3 different ports.
Once the source stops publishing data or gets restarted , the server/source is not able to publish data again on the same port saying port is already bind. The reason given is that client still has established connection on those ports.
I wanted to know what could be the probable reasons of this ? Can there be issue since client is already listening on these ports and trying to reconnect again and again because we try this reconnection mechanism. I am more looking for reason on source side as the same code in client sides when source and client are on different host and not the same host works perfectly fine for us.
Edit:-
I found this while going through various article .
On the question of using SO_LINGER to send a RST on close to avoid the TIME_WAIT state: I've been having some problems with router access servers (names withheld to protect the guilty) that have problems dealing with back-to-back connections on a modem dedicated to a specific channel. What they do is let go of the connection, accept another call, attempt to connect to a well-known socket on a host, and the host refuses the connection because there is a connection in TIME_WAIT state involving the well-known socket. (Stevens' book TCP Illustrated, Vol 1 discusses this problem in more detail.) In order to avoid the connection-refused problem, I've had to install an option to do reset-on-close in the server when the server initiates the disconnection.
Link to source:- http://developerweb.net/viewtopic.php?id=2941
I guess i am facing the same problem: 'attempt to connect to a well-known socket on a host, and the host refuses the connection'. Probable fix mention is 'option to do reset-on-close in the server when the server initiates the disconnection'. Now how do I do that ?
Set the SO_REUSEADDR option on the server socket before you bind it and call listen().
EDIT The suggestion to fiddle around with SO_LINGER option is worthless and dangerous to your data in flight. Just use SO_RESUSEADDR.
You need to close the socket bound to that port before you restart/shutdown the server!
http://www.gnu.org/software/libc/manual/html_node/Closing-a-Socket.html
Also, there's a timeout time, which I think is 4 minutes, so if you created a TCP socket and close it, you may still have to wait 4 minutes until it closes.
You can use netstat to see all the bound ports on your system. If you shut down your server, or close your server after forking on connect, you may have zombie processes which are bound to certain ports that do not close and remain active, and thus, you can't rebind to the same port. Show some code.
I have installed freeswitch on a machine which is kept in the LAN behind the firewall named PFSense.I was looking in the freeswitch logs and I found that there are some unknown sip request coming from the unknown IP from outside of the network.
I have not done any setting or port forwarding in the pfsense.But don't know why this is happening.Please tell me how can I block those requests.
Thanks
it's most probably just typical port scanners. They scan for port 5060 and then try to send some INVITE or REGISTER requests there. It's quite harmless if your PBX is secure enough.
I have chosen QuteCom SIP client for windows to chat.I have installed and configured the account with my public server. My SIP server is kamailio.The connection to the server is not established. The application is connecting to the server for a long time.
Any help is appreciated.
If looks like keep connecting, then I guess the SIP messages don't get to the server.
You can install Wireshark to monitor traffic on windows host on port 5060 (the SIP port) in order to see if SIP messages are sent to the server.
On server, you can install ngrep for the purpose of seeing if traffic from the phone comes there. The command would be like:
ngrep -d any -qt -W byline port 5060
If you don't see traffic coming to the SIP server, then might be a firewall or an ALG between the client and the server, or, a firewall even on client host or server itself.
If it is something in between (not on client host or server), then you should try to use TCP or better TLS.
Note that if you have the firewall on the server, you will see the SIP packets coming on the network, but they will be dropped by the kernel before getting to application layer. Typically on Linux you can see the firewall rules with:
iptables -L
If the SIP packets come to the server, then set debug=3 in kamailio.cfg, restart kamailio and watch the syslog file (e.g., /var/log/syslog or /var/log/messgaes) for kamailio-specific debug messages -- you should get hints of what happens during processing.