Nmap Development: Deny/Reject patch

Deny/Reject patch

From: Guillaume Valadon <guillaume_at_valadon.net>
Date: Wed, 24 Oct 2001 22:29:02 +0200

Hi,

As seen on the pen-test mailing list several weeks ago, some people find it
useful to know the kind of ICMP unreachable we eventually got in
response.

Fyodor said it was easy to add this feature to nmap, so there it is. (It
may be ugly as I didn't know the nmap sources very well ...).

# ./nmap -sS pouet -p 3

Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on pouet (1.2.3.4):
Port State Service
3/tcp unr. (code 1) compressnet

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

It doesn't work for non-root port scan types, as the "only" way to know
we got an ICMP is to view it with pcap. In fact, I made it "work" with
Linux and connect scan, quoting an old paper of Fyodor's:

"While non-root users can't read port unreachable errors directly, Linux
is cool enough to inform the user indirectly when they have been received."

I became totally mad with my BSD before reading these two lines ...

By the way, I have a question: why is the lamer UDP scan gone?

To conclude this mail, I want to start a talk about the utility of
fingerprinting systems with these ICMP unreachables (if we got them, let's
use them, it can't kill us). I worked a little on this topic and I still
think it can "easily" be done.

See you later,

-- 
mailto:guillaume_at_valadon.net
ICQ uin : 1752110
Web page: http://guillaume.valadon.net
     "Everybody be cool. You be cool" - Seth Gecko



Received on Oct 24 2001
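
Added example, not part of the original message and not code from the patch or from nmap: a Python parser for what a pcap-based reader has to decode to report the unreachable code per port, that is, the ICMP type 3 reply and the quoted header of the original probe inside it. The function names, the scanner address 10.0.0.5, source port 40000 and the sample packet are constructed for illustration.

```python
import socket
import struct

UNREACH_CODES = {  # ICMP type 3 codes (RFC 792, RFC 1122, RFC 1812)
    0: "net unreachable", 1: "host unreachable",
    2: "protocol unreachable", 3: "port unreachable",
    9: "net admin prohibited", 10: "host admin prohibited",
    13: "communication admin prohibited",
}

def parse_unreachable(packet):
    """Return (reporter, target, proto, dport, code) for an ICMP type 3 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8 or packet[ihl] != 3:
        return None                           # not ICMP (proto 1) type 3
    code = packet[ihl + 1]
    inner = packet[ihl + 8:]                  # quoted header of the probe we sent
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or inner[9] not in (6, 17) or len(inner) < inner_ihl + 4:
        return None                           # only TCP (6) and UDP (17) probes
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(inner[16:20]),
            inner[9], dport, code)

def describe(packet):
    parsed = parse_unreachable(packet)
    if parsed is None:
        return None
    reporter, target, proto, dport, code = parsed
    name = UNREACH_CODES.get(code, "other")
    return "%d/%s on %s: unr. (code %d, %s) reported by %s" % (
        dport, "tcp" if proto == 6 else "udp", target, code, name, reporter)

def ipv4_header(src, dst, proto, payload_len):  # checksum left at 0 (constructed data)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def sample_packet(code, reporter="1.2.3.4"):
    """Constructed reply to a SYN sent from 10.0.0.5:40000 to 1.2.3.4:3."""
    quoted = ipv4_header("10.0.0.5", "1.2.3.4", 6, 20) + struct.pack("!HHI", 40000, 3, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return ipv4_header(reporter, "10.0.0.5", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(describe(sample_packet(1)))
```

The reporter can differ from the target when a router or firewall on the path sends the ICMP message, which is why the parser returns both addresses.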