Nmap Development: Re: what did I miss this time?

[Kris Katterjohn <kjak () ispwest com>]

Omar Herrera wrote:
> Nmap's ping is distinguishable from other tools. It sends an ICMP Echo
> Request package with no data.
>
> Here are 2 examples of 2 captured ICMP packets with Wireshark. The first is
> from a Windows ping and the second is from nmap 4.11 (Windows version, but
> it has the same behaviour in Linux as far as I know):
>
> ---
> No.     Time     Source                Destination           Protocol Info
>    1 16:42:59 sss.sss.sss.sss        ddd.ddd.ddd.ddd          ICMP     Echo
> (ping) request
> Frame 1 (74 bytes on wire, 74 bytes captured)
> Ethernet II, Src: Actionte_52:3b:21 (00:0f:b3:52:3b:21), Dst:
> NICBrand_xx:xx:xx (xx:xx:xx:xx:xx:xx)
> Internet Protocol, Src: sss.sss.sss.sss (sss.sss.sss.sss), Dst:
> ddd.ddd.ddd.ddd (ddd.ddd.ddd.ddd)
> Internet Control Message Protocol
>     Type: 8 (Echo (ping) request)
>     Code: 0 
>     Checksum: 0x425c [correct]
>     Identifier: 0x0500
>     Sequence number: 0x0600
>     Data (32 bytes)
> 0000  61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
> 0010  71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69   qrstuvwabcdefghi
>
>
> No.     Time     Source                Destination           Protocol Info
>    2 16:43:14 sss.sss.sss.sss        ddd.ddd.ddd.ddd          ICMP     Echo
> (ping) request
> Frame 2 (42 bytes on wire, 42 bytes captured)
> Ethernet II, Src: Actionte_52:3b:21 (00:0f:b3:52:3b:21), Dst:
> NICBrand_xx:xx:xx (xx:xx:xx:xx:xx:xx)
> Internet Protocol, Src: sss.sss.sss.sss (sss.sss.sss.sss), Dst:
> ddd.ddd.ddd.ddd (ddd.ddd.ddd.ddd)
> Internet Control Message Protocol
>     Type: 8 (Echo (ping) request)
>     Code: 0 
>     Checksum: 0xa564 [correct]
>     Identifier: 0xcb78
>     Sequence number: 0x8722
> ---
>
> This has been known for a long time. There are also snort rules to block
> nmap's ping:
>
> For example (reference:
> http://www.iu.hio.no/teaching/materials/MS004A/index.phtml?show=P90.en&week=
> 11): 
>
> drop icmp $HONEYNET any -> $EXTERNAL_NET any (msg:"ICMP PING NMAP"; dsize:
> 0; itype: 8; reference:arachnids,162; classty
> pe:attempted-recon; sid:469; rev:1;)
>
> Regards,
>
> Omar Herrera
>
> > -----Original Message-----
> > From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
> >
> > I finally got a chance to test this with FreeBSD (nmap 4.01)
> >
> > and guess what, it doesn't work for this one host. Regular ping works.
> >
> > so I am forced to assume this host is able to differentiate between a
> > normal ping and an nmap echo request ping. Is this possible ??
> >
> > thanks.
Just glancing at the code I noticed that nmap sent it with no data, but
I wasn't sure enough about that being the reason to say it. Thanks for
the overview.

Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org