Understanding TCP URG flag [closed]

1

7

I made a simple portscanner with Python using Scapy.

I set up Metasploitable and have multiple ports open, e.g. 21, 22, 23 and 8009.

I then initiate a portscan vs those ports and Scapy does tell me that they are open.

However, if I scan ports that are not open on Metasploitable I get back TCP flag 20 which is URG TCP flag. This is taken out from a description of the URG flag.

The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized. If the URG flag is set, the receiving station evaluates the urgent pointer, a 16-bit field in the TCP header. This pointer indicates how much of the data in the segment, counting from the first byte, is urgent.

Urgent data to me doesn't really ring a bell.

I don't understand why I get the URG flag back, and I'm seeking an understanding of why I get it, what it means even though the port is closed, and whether I could ever get a URG response back if the port was open.

Eucalyptus answered 29/6, 2014 at 13:24 Comment(2)
Since the below answer looks like the question stemmed from a misreading of the screen, I think this can be closed as "a problem that can no longer be reproduced". - Leatrice
Related post: Is TCP URG (urgent data) acknowledged? - Coalfish
15

The URG flag is used to send data on a second channel of a TCP connection. It doesn't make sense to set it unless you're also sending data. The data will be kept in a separate buffer on the receiving end, the program is signaled that there's urgent data available, and it reads using a special flag to the recv system call.

Edit: The part about it being kept in a separate buffer is only partly true; due to the specification it's difficult to tell where the urgent data starts. It's strongly recommended to not use the URG flag, or at least use the SO_OOBINLINE socket option to keep the data in the main buffer.

AFAIK, the only protocol that ever used it is FTP, where you set the URG flag if you wanted to send a command during a transfer. It would be presumed that the server was otherwise busy sending data and not listening for new commands, but by setting the URG flag the server was interrupted by the special signal.

Sure you read it correctly? The flag usually set on closed ports is RST.

A historical note: The URG flag was also what was making Windows 95 and NT crash with WinNuke.

Natheless answered 29/6, 2014 at 14:50 Comment(6)
I installed the Metasploitable Linux distro and I booted it up with NAT. I haven't done anything to it. Every single machine is running in VMware. I tried several different code chunks, and I can't get anything different. So I'm 100% sure that I did it correctly :-) - Eucalyptus
Oh, what you're seeing is decimal 20, not hex. So it's bit 0x10 and 0x4, which is ACK|RST. - Natheless
Yes ofc.. you are right.. it returns 0x14 which is closed.. new language equals forgetting basic stuff.. thanks ;) - Eucalyptus
telnet also uses the urgent flag. - Atonsah
Note that this states that the URG flag doesn't mean the data is sent into a different buffer in general. - Botch
@MatthiasBraun that's a good point, I hadn't read RFC 6093 I have to admit. Especially the bit about normal data turning into urgent. - Natheless
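
The decimal-versus-hex mix-up resolved in the comments above, as an added example that is not part of the original posts: it parses a raw TCP header, decodes the flags byte into names, and interprets the reply to a SYN probe. The function names are hypothetical and the sample headers are constructed with `build_header`; only the Python standard library is used.

```python
import struct

# TCP flag bits, lowest bit first (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]

def decode_flags(value):
    """Return the names of the flag bits set in the TCP flags byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_tcp_header(raw):
    """Extract source port, flags byte and urgent pointer from a TCP header."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urg_ptr = \
        struct.unpack("!HHIIHHHH", raw[:20])
    # The low 8 bits of the offset/flags word are CWR..FIN.
    return {"sport": sport, "dport": dport,
            "flags": off_flags & 0xFF, "urg_ptr": urg_ptr}

def classify_syn_reply(raw):
    """Interpret the reply to a SYN probe: open, closed, or unexpected."""
    hdr = parse_tcp_header(raw)
    names = decode_flags(hdr["flags"])
    if "RST" in names:
        state = "closed"          # RST|ACK is the normal answer from a closed port
    elif "SYN" in names and "ACK" in names:
        state = "open"            # SYN|ACK means a listener accepted the SYN
    else:
        state = "unexpected"      # e.g. URG without a handshake
    return hdr["sport"], state, names

def build_header(sport, dport, flags, urg_ptr=0):
    """Constructed sample data: minimal TCP header, data offset 5, checksum 0."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 1,
                       (5 << 12) | flags, 8192, 0, urg_ptr)

if __name__ == "__main__":
    # Decimal 18 = 0x12, decimal 20 = 0x14; URG alone would be 0x20 = decimal 32.
    for port, flags in [(22, 18), (81, 20), (23, 0x20 | 0x10)]:
        reply = build_header(port, 40000, flags)
        print(port, flags, hex(flags), classify_syn_reply(reply))
```
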
