Nmap Development: Re: Detecting upstream filters

Re: Detecting upstream filters

From: Rasmus Andersson <rasmus_at_pole-position.org>
Date: Mon, 05 Mar 2001 13:23:33 +0100

Ryan,

I found out my code was written long ago - for 2.3BETA14. Today much
of nmap is rewritten and modularized. Anyway, what I did was the
following at each place an ICMP unreachable packet is decoded:

---8<------8<------8<------8<------8<------8<---

 /* ip: outer header of the received ICMP unreachable;
    ip2: quoted header of the probe that triggered it. */
 if (ip->ip_src.s_addr != ip2->ip_dst.s_addr) {
   log_write(LOG_STDOUT, "ICMP unreachable %d received from intermediate router %s\n",
     icmp->icmp_code,
     inet_ntoa(inet_makeaddr(htonl(ip->ip_src.s_addr),0)));
 }

---8<------8<------8<------8<------8<------8<---

The ip struct contains the headers of the received icmp-unreachable
packet while ip2 contains the headers of the offending packet (which is
sent with the unreachable as payload). So if ip->ip_src.s_addr is not
equal to ip2->ip_dst.s_addr, the unreachable is sent by another guy
(prior to these lines, ip2->ip_dst.s_addr is already checked for being
our target->host.s_addr).

This works with (at least) SYN- and UDP-scans. In the case of a
CONNECT-scan I guess the OS handles more of this stuff so it won't work
this easily.

I haven't had time to digest the newest nmap source (with scan_engine.c)
but it should be very easy to incorporate this. My main problem is to
incorporate the output in the ports table instead of just burping while
scanning. It's probably a fairly simple task - but not for me :-)

/Rasmus

Ryan Permeh wrote:
>
> send me the code and i'll integrate it into the nmap source and make a
> patch. it's a very cool idea
..
> ----- Original Message -----
> From: "Rasmus Andersson" <rasmus_at_pole-position.org>
..
> Subject: Re: Detecting upstream filters
>
> > Ryan Permeh wrote:
> > >
> > > one of the problems here is that there isn't necessarily an icmp unreach
> > > sent on a blocked port. sometimes it just drops the packet and enters the
> >
> > True, but that problem has nothing to do with my issue: *when* there is
> > an unreach received that originates from a (non-masquerading)
> > intermediate, I do want to be alerted about that fact.
> >
> > > "filtered" state because no response was read. this may not even work when
> > > an intermediate decides to send an ICMP packet, because, if i remember
> > > correctly, pcap filters are placed to collect input, and intermediates are
> > > not in the filters collected.
> >
> > As I wrote, it does work. I have working code but it spews out the info
> > during the scan instead of nice and tidily in the table.
> >
> > Slainte
> > Rasmus

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Mar 05 2001
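The comparison Rasmus describes above (outer ICMP source against the quoted probe's destination) written out as a stand-alone parser over constructed sample packets. This is an added example, not code from the thread or from nmap; it assumes plain IPv4/ICMP header layout, and build_unreach and the addresses passed to it are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result of inspecting one captured ICMP destination-unreachable packet. */
enum { UNREACH_IGNORE = -1, UNREACH_FROM_TARGET = 0, UNREACH_FROM_INTERMEDIATE = 1 };

/* pkt points at the outer IPv4 header of a captured packet (nmap's ip).
 * An ICMP type 3 message quotes the IPv4 header of the probe that triggered
 * it (nmap's ip2) right after the 8-byte ICMP header. Returns
 * UNREACH_FROM_TARGET when the outer source equals the quoted destination,
 * UNREACH_FROM_INTERMEDIATE when another hop (an upstream filter or router)
 * generated the unreachable, and UNREACH_IGNORE for anything that is not a
 * type 3 reply to a probe aimed at target (4 bytes, network byte order). */
int classify_unreach(const uint8_t *pkt, size_t len, const uint8_t target[4])
{
    size_t ihl;
    const uint8_t *icmp, *ip2;

    if (len < 20 || (pkt[0] >> 4) != 4) return UNREACH_IGNORE;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;                  /* outer header length */
    if (ihl < 20 || pkt[9] != 1) return UNREACH_IGNORE;  /* protocol 1 = ICMP */
    if (len < ihl + 8 + 20) return UNREACH_IGNORE;       /* ICMP hdr + quoted IP hdr */
    icmp = pkt + ihl;
    if (icmp[0] != 3) return UNREACH_IGNORE;             /* type 3 = dest unreachable */
    ip2 = icmp + 8;
    if ((ip2[0] >> 4) != 4 || memcmp(ip2 + 16, target, 4) != 0) return UNREACH_IGNORE;
    /* The check from the thread: outer ip->ip_src against quoted ip2->ip_dst. */
    return memcmp(pkt + 12, ip2 + 16, 4) == 0 ? UNREACH_FROM_TARGET
                                              : UNREACH_FROM_INTERMEDIATE;
}

/* Constructed sample input (not a real capture): an unreachable sent by
 * `sender` with ICMP code `code`, quoting a TCP probe from `scanner` to
 * `target`. Checksums stay zero; this is parser input, not wire traffic. */
size_t build_unreach(uint8_t *buf, const uint8_t sender[4],
                     const uint8_t scanner[4], const uint8_t target[4], uint8_t code)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = 64; buf[9] = 1;     /* IPv4, len 56, TTL, ICMP */
    memcpy(buf + 12, sender, 4);  memcpy(buf + 16, scanner, 4);
    buf[20] = 3; buf[21] = code;                             /* ICMP type 3, code */
    buf[28] = 0x45; buf[31] = 40; buf[36] = 64; buf[37] = 6; /* quoted probe: IPv4, TCP */
    memcpy(buf + 40, scanner, 4); memcpy(buf + 44, target, 4);
    buf[51] = 80;                                            /* first 8 bytes of TCP: dport 80 */
    return 56;
}
```

A code 3 (port unreachable) whose outer source is the target itself is the host answering for its own closed UDP port; a code 13 (administratively prohibited) from a different address is the upstream filter the thread wants surfaced in the ports table.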
