Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Nmap Development: Nmap ICMP/TCP Ping Insubordination

Nmap ICMP/TCP Ping Insubordination

From: Noam Rathaus <noamr_at_beyondsecurity.com>
Date: Mon, 7 Jun 2004 11:40:59 +0300

Hi,

I noticed a very inconsitent (with the man file) behavior of Nmap, I run two
command line:
1) ./nmap-3.50/nmap -PT80 -sP -d -n www.microsoft.com
(under the root user)
2) /nmap-3.50/nmap -PT80 -sP -d -n www.microsoft.com
(under the non-root user)

Both should do the same, TCP Ping the host www.microsoft.com, however this
doesn't happen:
1) Results in
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-07 11:39 IDT

Packet capture filter (device eth0): (icmp and dst host 192.168.1.5) or ((tcp
or udp) and dst host 192.168.1.5 and ( dst port 42558 or dst port 42559 or
dst port 42560 or dst port 42561 or dst port 42562))
Finished block: srtt: -1 rttvar: -1 timeout: 6000000 block_tries: 2
up_this_block: 0 down_this_block: 0 group_sz: 1
massping done: num_hosts: 1 num_responses: 0
Host 207.46.245.92 appears to be down.
Note: Host seems down. If it is really up, but blocking our ping probes, try
-P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 12.235 seconds

2) Results in
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-07 11:40 IDT
Machine 207.46.249.252 MIGHT actually be listening on probe port 80
Hostupdate called for machine 207.46.249.252 state UNKNOWN/COMBO -> HOST_UP
(trynum 0, dotimeadj: yes time: 287027)
Finished block: srtt: 287047 rttvar: 287047 timeout: 1435235 block_tries: 1
up_this_block: 1 down_this_block: 0 group_sz: 1
massping done: num_hosts: 1 num_responses: 1
Host 207.46.249.252 appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 1.452 seconds

----------

Now I know that normal user can't send ICMP packets, so this is the difference
I am seeing.

However, WHY does it even try to use ICMP when I strictly told it to use TCP
Ping (-PT)? 

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help@insecure.org . List archive: http://seclists.org
Received on Jun 07 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]