Nmap Development: nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency


From: Tom H <tom_at_scriptsupport.co.uk>
Date: Wed, 30 Jul 2003 23:59:17 +0100

Hi,

I was watching an ethereal trace of the win32 command line nmap v3.30, while I was scanning a
local network for open rpc ports using the following command:
C:\>nmap -v -p 135 10.0.0.1/24
and noticed that during the scan, nmap sends 2 packets with a destination address
of 11.0.0.3, and that these packets are echo replies. The first is sent almost immediately
and the next approximately 12 seconds later.
A whois lookup shows that the netblock is owned by Defense Intelligence Agency,
Washington, DC, which is interesting, to say the least.

I tested this on a linux box, and the same packets were not observed, so this seems to be
a win32 version issue. I also repeated this experiment a number of times on windows 2000
hosts and noticed the same packets produced.

So what's going on there, then? I've included the information about the packet and the
whois result below.

Cheers

T

DUMP FROM FIREWALL OF THE PACKET INFORMATION

File Version : 5.00.2195.6717
File Description : NT Kernel & System
File Path : C:\WINNT\system32\ntoskrnl.exe
Process ID : 8 (Heximal) 8 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 10.0.0.3
ICMP Type : 0 (Echo Reply)
ICMP Code : 0
Remote Name :
Remote Address : 11.0.0.3

Ethernet packet details:
Ethernet II (Packet Length: 42)
        Destination: 00-90-d0-85-97-22
        Source: 00-01-02-dc-8b-3e
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 128
        Protocol: 0x1 (ICMP - Internet Control Message Protocol)
        Header checksum: 0x8c23 (Correct)
        Source: 10.0.0.3
        Destination: 11.0.0.3
Internet Control Message Protocol
        Type: 0 (Echo Reply)
        Code: 0
        Data (4 bytes)

Binary dump of the packet:
0000: 00 90 D0 85 97 22 00 01 : 02 DC 8B 3E 08 00 45 00 | .....".....>..E.
0010: 00 1C 02 50 00 00 80 01 : 23 8C 0A 00 00 03 0B 00 | ...P....#.......
0020: 00 03 00 00 08 3F CB 6C : 2C 54 | .....?.l,T

WHOIS LOOKUP OF THE IP ADDRESS

$whois 11.0.0.3

DoD Intel Information Systems (NET-DODIIS)
   Defense Intelligence Agency
   Washington, DC 20301
   US

   Netname: DODIIS
   Netblock: 11.0.0.0 - 11.255.255.255
   Maintainer: DNIC

   Coordinator:
      DoD, Network (MIL-HSTMST-ARIN) HOSTMASTER_at_nic.mil
      (703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749

   Record last updated on 26-Sep-1998.
   Database last updated on 23-Aug-2002 16:56:03 EDT.
The information in this WHOIS database is current as of August 23, 2002,
and has been retained for historical purposes only. For the most current
information, query whois.arin.net or visit http://whois.arin.net.

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Jul 30 2003
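An added example (written for this archive page, not code from the post or from Nmap) that decodes the 42-byte frame from the binary dump above, verifies the IP and ICMP checksums from the wire bytes, and flags an echo reply leaving the host for an address outside the range the scan was told to touch. The scanned range passed to is_stray_echo_reply and the "stray reply" rule itself are assumptions of the example, not something the post defines.

```python
# Added example, not from the original post: decode the frame Tom posted and
# check what the trace implies. Field offsets follow RFC 791 (IPv4) and
# RFC 792 (ICMP); the hex bytes are copied from the firewall dump in the post.
import ipaddress
import struct

# The 42-byte frame from the post's "Binary dump of the packet" section.
FRAME_HEX = (
    "00 90 D0 85 97 22 00 01 02 DC 8B 3E 08 00 45 00"
    "00 1C 02 50 00 00 80 01 23 8C 0A 00 00 03 0B 00"
    "00 03 00 00 08 3F CB 6C 2C 54"
)
FRAME = bytes.fromhex(FRAME_HEX)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of
    16-bit big-endian words. Over a header that includes its stored
    checksum, a correct header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / ICMP and verify both checksums.
    Note the wire bytes 23 8C are 0x238c; the dump's 0x8c23 is that
    value shown byte-swapped, and it verifies correctly here."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    icmp = ip[ihl:total_len]
    return {
        "eth_type": eth_type,
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "proto": ip[9],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


def is_stray_echo_reply(pkt: dict, scan_target: str) -> bool:
    """Assumed detection rule: an ICMP echo reply (type 0) leaving the
    scanning host for an address outside the scanned range is an anomaly."""
    target = ipaddress.ip_network(scan_target, strict=False)
    off_target = ipaddress.ip_address(pkt["dst"]) not in target
    return pkt["proto"] == 1 and pkt["icmp_type"] == 0 and off_target
```

Running decode_frame(FRAME) reproduces the trace's source 10.0.0.3, destination 11.0.0.3, TTL 128 and valid checksums, and is_stray_echo_reply(decode_frame(FRAME), "10.0.0.1/24") is True because 11.0.0.3 lies outside 10.0.0.0/24.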
