书上说ACK扫描,如果对方端口是开放的,返回的RST报文TTL应该小于等于64,而大于则表示不开放。
但是我在Kail上分别对同一个C段的两台机器进行扫描时发现:
对windows主机的一个开放端口(80)扫描,得到的RST报文的TTL=128,window=32767,对一关闭的端口(11987)扫描,得到的RST报文的TTL=128,window=32767
对Linux主机(Ubuntu 16.04)的一个开放端口(22)扫描,得到的RST报文的TTL=64,window=0,对一关闭端口(12339)扫描,得到的RST报文的TTL=64,window=0
请问何解?
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
It is not that less than or equal to 64 equals an open port. It sends ACK packets to a bunch of ports on a machine at the same time. If the TTL in the RST returned by a certain port is obviously smaller than others, it means that this port may be open.
As for the case of 128/64, it is because the default TTL values of *nix and windows are different. Generally speaking, it can be considered that the default TTL value of *nix is 64 and that of windows is 128. (There will be differences depending on different system/kernel versions)