
I am trying to close connections from the command line. For instance, I am trying to close my SSH connection with this Nmap command:

$ sudo nmap -p 22 --scanflags RST <mySSHServerPublicIP>
$ sudo nmap -p 22 --scanflags FIN <mySSHServerPublicIP>

Once a TCP handshake is done (the SYN, SYN-ACK, ACK sequence is complete) and the connection is established, my understanding is that the server or client closes this connection gracefully by sending a FIN, or ungracefully by sending an RST.

I also tried to spoof my server to close the connection on my client:

$ sudo nmap -p 23926 --scanflags FIN -S <mySSHServerPublicIP> <MyLocalIP> -Pn -n -e <interface>

Those commands have no effect; would anyone know why they don't close the connection?

Florian Bidabé
  • Well, first you would have to actually hijack the TCP connection in order to inject a FIN or RST into it. If the device doesn't get the correct SYN and ACK values from your packet, it will ignore it. Most modern IP stacks are too sophisticated to predict the values that will allow the packet to be processed as part of the logical connection. Additionally, TCP requires both ends to acknowledge a FIN, so the client FINs, the server responds with an ACK, and then a separate FIN, so that both ends agree the connection is closed. – Frank Thomas Feb 29 '16 at 04:06
  • But I am expecting to see CLOSE_WAIT after sending a FIN, but this doesn't happen. How come TCPView can close a connection? Does it hijack the connection? Is this possible with tcpvcon or hping? – Florian Bidabé Feb 29 '16 at 04:40
  • Simply put, you are probably not going to be able to do what you want. Computer engineers and scientists spent decades developing a system that expressly forbids you from doing what you are trying to do. – Frank Thomas Feb 29 '16 at 06:02
  • Thank you for your answer, this is too broad though, I hope someone will be able to come up with a technical analysis. I'll make a network trace and compare what closing a connection with TCPView does, and what this nmap command does. – Florian Bidabé Feb 29 '16 at 20:44
  • By all means. I do recommend you read up on the TCP three-way handshake for how connections are created. It will help you understand why a packet from outside the logical connection is ignored, and how it is identified (e.g. invalid SYN and ACK values). BTW, TCPView just tells the OS to close the port. It doesn't send a packet. – Frank Thomas Feb 29 '16 at 21:13
  • Thank you for your input Frank, you are still not answering my question though. Would you mind posting an answer with some technical details if you understand why this doesn't work? Such as what characteristic of this TCP packet generated by nmap is unexpected? – Florian Bidabé Mar 03 '16 at 06:52

1 Answer


Nmap isn't the right tool for this job.

In order to close the connection, I need to predict the TCP sequence number, increment it by one and reply with a FIN or RST. It appears Scapy would allow me to do that... I will update this answer after some practical testing.

Florian Bidabé
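The following is an added example, not code from the question or the answer, written to show concretely what the comments above describe: which checks a receiving TCP stack runs on an incoming RST or FIN, and at which check the Nmap probes and the spoofed FIN from the question fall out. It uses only the Python standard library; `struct` builds raw TCP headers and nothing is sent on the wire. The receiver is a simplified model of the rules in RFC 793 section 3.9 and RFC 5961 section 3.2 (in-window RST at exactly rcv_nxt resets; in-window but not exact draws a challenge ACK; out-of-window is dropped), not a real stack. The addresses, ports, sequence numbers and window size are constructed for the example.

```python
"""Why a bare RST/FIN probe does not tear down someone else's TCP connection.

Added example (not from the original post). Builds raw TCP headers with struct
and runs them through a toy receiver modelled on RFC 793 / RFC 5961.
All addresses, ports, sequence numbers and windows below are constructed.
"""
import socket
import struct
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
TCP_HDR = struct.Struct("!HHIIHHHH")  # sport dport seq ack off+flags win csum urg
MOD32 = 1 << 32


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071) used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=29200) -> bytes:
    """Return a 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = TCP_HDR.pack(sport, dport, seq % MOD32, ack % MOD32, (5 << 12) | flags, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct segment sums to zero once its own checksum field is included."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


@dataclass
class Connection:
    """State a receiving stack keeps for one established connection (simplified)."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int   # next sequence number expected from the peer
    rcv_wnd: int   # how far past rcv_nxt a segment may start and still be accepted
    state: str = "ESTABLISHED"


def receive(conn: Connection, src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Run one segment through the receiver's checks; return what the stack does."""
    sport, dport, seq, _ack, off_flags, _win, _csum, _urg = TCP_HDR.unpack_from(segment)
    flags = off_flags & 0x1FF
    if not checksum_ok(src_ip, dst_ip, segment):
        return "dropped: bad checksum"
    # The 4-tuple must match an existing connection. Nmap's raw probes leave from
    # a source port Nmap picks (random unless -g is given), so they match nothing.
    if (src_ip, sport, dst_ip, dport) != (conn.remote_ip, conn.remote_port,
                                          conn.local_ip, conn.local_port):
        return "dropped: no connection for this 4-tuple"
    in_window = (seq - conn.rcv_nxt) % MOD32 < conn.rcv_wnd
    if flags & RST:  # RFC 5961 section 3.2
        if not in_window:
            return "dropped: RST outside receive window"
        if seq != conn.rcv_nxt:
            return "challenge ACK sent: RST in window but not at rcv_nxt"
        conn.state = "CLOSED"
        return "reset: connection aborted"
    if not in_window:
        return "dropped: segment outside receive window"
    if flags & FIN:  # a FIN is only acted on once it arrives in sequence
        if seq != conn.rcv_nxt:
            return "queued: out-of-order FIN, waiting for the gap to fill"
        conn.rcv_nxt = (conn.rcv_nxt + 1) % MOD32  # the FIN consumes one sequence number
        conn.state = "CLOSE_WAIT"
        return "close_wait: FIN accepted, ACK sent"
    return "accepted: in-window segment"


def demo() -> dict:
    """Constructed scenario: client 192.0.2.10:23926 <-> SSH server 198.51.100.5:22."""
    client, server = "192.0.2.10", "198.51.100.5"

    def server_side():  # the server's view of the client's connection
        return Connection(server, 22, client, 23926, rcv_nxt=1_000_000, rcv_wnd=29200)

    def client_side():  # the client's view of the same connection
        return Connection(client, 23926, server, 22, rcv_nxt=5_000, rcv_wnd=29200)

    r = {}
    # nmap --scanflags RST: source port chosen by Nmap, sequence number random.
    r["nmap_rst"] = receive(server_side(), client, server,
                            build_segment(client, server, 40123, 22, 0xDEADBEEF, 0, RST))
    # Right 4-tuple, sequence number nowhere near rcv_nxt: silently dropped.
    r["rst_out_of_window"] = receive(server_side(), client, server,
                                     build_segment(client, server, 23926, 22, 0xDEADBEEF, 0, RST))
    # In window but not exact: the stack answers with a challenge ACK instead.
    r["rst_in_window"] = receive(server_side(), client, server,
                                 build_segment(client, server, 23926, 22, 1_000_100, 0, RST))
    # Exactly rcv_nxt: the one value an off-path sender has to guess.
    r["rst_exact"] = receive(server_side(), client, server,
                             build_segment(client, server, 23926, 22, 1_000_000, 0, RST))
    # The spoofed FIN from the question: forging the source address satisfies the
    # 4-tuple check, but the sequence number still has to be right.
    r["spoofed_fin_wrong_seq"] = receive(client_side(), server, client,
                                         build_segment(server, client, 22, 23926, 0x12345678, 0, FIN | ACK))
    r["spoofed_fin_exact"] = receive(client_side(), server, client,
                                     build_segment(server, client, 22, 23926, 5_000, 0, FIN | ACK))
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

Running it prints one outcome per case. The first Nmap probe never reaches the sequence check at all, because its source port is not the connection's; the spoofed FIN passes the 4-tuple check and then dies on the window check, which is the step the answer above is describing when it says the sequence number has to be predicted. Real stacks add more than this model (PAWS timestamps, the ACK-number checks RFC 5961 section 5 applies to data segments, TIME_WAIT handling), all of which only make a blind injection harder.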