Understanding TCP URG flag [closed]

Question

I made a simple portscanner with Python using Scapy.

I setup Metasploitable and having multible ports open eg. 21, 22, 23 and 8009.

I then initiate a portscan vs those ports and Scapy does tell me that they are open.

However, if I scan ports that are not open on Metasploitable I get back TCP flag 20 which is URG TCP flag. This is taken out from a description of the URG flag.

The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized. If the URG flag is set, the receiving station evaluates the urgent pointer, a 16-bit field in the TCP header. This pointer indicates how much of the data in the segment, counting from the first byte, is urgent.

Urgent data to me doesn't really ring a bell.

I don't understand why I get URG flag back, and I'm seeking an understanding of why I get it, what it means even though that the port is closed, and could I ever get a URG response back if the port was open.

Answer 1

The URG flag is used to send data on a second channel of a TCP connection. It doesn't make sense to set it unless you're also sending data. The data will be kept in a separate buffer on the receiving end, the program is signaled that there's urgent data available, and it reads using a special flag to the recv system call.

AFAIK, the only protocol that ever used it is FTP, where you set the URG flag if you wanted to send a command during a transfer. It would be presumed that the server was otherwise busy sending data and not listening for new commands, but by setting the URG flag the server was interrupted by the special signal.

Sure you read it correctly? The flag usually set on closed ports is RST.

A historical note: The URG flag was also what was making Windows 95 and NT crash with WinNuke.