Hello all!
I've noticed some strange behaviour...
OS: Windows Server 2003 SP1
The Internet connection works through MS VPN (PPTP), and I think there is no problem at
my ISP.
Ethereal and so on work fine, so there is no (really no?) problem in
the winpcap driver.
Here is a dump of a test scan of scanme.insecure.org; look at the IP protocol
number of the generated packets...
***from nmap***
C:\temp\nmap-3.96BETA1-win32>nmap --mtu 1200 -sS -PE -vv -d9 -e ppp1 scanme.insecure.org
***WinIP*** trying to initialize winpcap 2.1
Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]
Warning: Packet fragmentation selected on a host other than Linux, OpenBSD, FreeBSD, or NetBSD. This may or may not work.
Starting Nmap 3.96BETA1 ( http://www.insecure.org/nmap ) at 2006-01-07 02:48
Warning: File ./nmap-services exists, but Nmap is using C:\temp\nmap-3.96BETA1-win32/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Fetchfile found C:\temp\nmap-3.96BETA1-win32/nmap-services
The max # of sockets we are using is: 0
WARNING: Unable to find appropriate interface for system route to 10.10.0.1
Packet capture filter (device ppp1): (icmp and dst host xxx.xxx.xxx.xxx) or ((tcp or udp) and dst host xxx.xxx.xxx.xxx and ( dst port 61383 or dst port 61384 or dst port 61385 or dst port 61386 or dst port 61387))
SENT (1.0780s) ICMP xxx.xxx.xxx.xxx > 205.217.153.62 Echo request (type=8/code=0) ttl=37 id=4787 iplen=28
SENT (3.0780s) ICMP xxx.xxx.xxx.xxx > 205.217.153.62 Echo request (type=8/code=0) ttl=55 id=666 iplen=28
Finished block: srtt: -1 rttvar: -1 timeout: 1000000 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 1
massping done: num_hosts: 1 num_responses: 0
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 5.094 seconds
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
C:\temp\nmap-3.96BETA1-win32>
***from nmap***
And at the same time a dump from windump 3.9.3:
***from windump***
C:\Windump 3.9.3>WinDump.exe -i \Device\NPF_{940CFF39-869E-48EB-AD44-13C53BF924E4} -n -vv host scanme.insecure.org
WinDump.exe: listening on \Device\NPF_{940CFF39-869E-48EB-AD44-13C53BF924E4}
02:48:52.350421 IP (tos 0x0, ttl 128, id 24054, offset 0, flags [none], proto: unknown (255), length: 48) xxx.xxx.xxx.xxx > 205.217.153.62: ip-proto-255 28
02:48:54.351398 IP (tos 0x0, ttl 128, id 24186, offset 0, flags [none], proto: unknown (255), length: 48) xxx.xxx.xxx.xxx > 205.217.153.62: ip-proto-255 28
2 packets captured
887 packets received by filter
0 packets dropped by kernel
C:\Windump 3.9.3>
***from windump***
You see ip-proto 255 from windump instead of nmap's type 8? It is the same
with -PS80, or just -sS. Nmap under Windows sends IP proto 255 instead of
something intelligible.
And how can I repair this?
Best regards,
jammer
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Jan 06 2006