Nmap Development: Re: nmap crashes my appliance

Re: nmap crashes my appliance

From: Hans Nilsson <hasse_gg_at_ftml.net>
Date: Tue, 12 Dec 2006 13:59:53 -1100

Maybe you could try scanning the ports consecutively (-r) and looking at
exactly when the crash occurs? Or have you determined that? You could
also try slowing down the scan.

On Tue, 12 Dec 2006 22:07:58 +0000, "DePriest, Jason R."
<jrdepriest_at_gmail.com> said:
> On 12/11/06, Hans Nilsson wrote:
> > Well you could try determining why it crashes. Does it only crash when
> > scanning above port 34322 for example? And then customize your scan to
> > that.
>
> This is a Symantec Firewall/VPN 200 running firmware V1 Rel 8F.
>
> The ports that are open on the LAN side are 80, 8088, and 34952.
>
> With default logging enabled, the firewall logs a 'SYN Floods
> attack!!!' for each of the three open ports when nmap scans them.
>
> no crash: nmap -sS -p- 192.168.235.1
> no crash: nmap -sSV -p- 192.168.235.1
>
> crash: nmap -sSV -O -p- 192.168.235.1
> WARNING: RST from 192.168.1.235.1 port 80 -- is this port really open?
> WARNING: RST from port 80 -- is this port really open?
>
> crash: nmap -sSV -O -p1-79,81-65535 192.168.235.1
> WARNING: RST from 192.168.235.1 port 8088 -- is this port really open?
>
> So it's OS detection causing me grief.
>
> crash: nmap -sSV -O1 -p- 192.168.235.1
> no specific warnings or errors
>
> crash: nmap -sSV -O2 -p- 192.168.231.1
> WARNING: RST from 192.168.235.1 port 80 -- is this port really open?
>
> How does nmap respond if, while performing OS detection, the target
> becomes unresponsive? Does it continue to hammer it or does it stop
> and use what it already has?
>
> I have tried running it with debugging on, but it still finishes so fast
> that I cannot tell which check was running when the firewall drops
> off. The hardware is still up, you just can no longer connect to it
> or connect through it.
>
> If nmap stops running checks when the device fails, then I can figure
> out which check it was, otherwise, I suppose I would need to
> understand which checks generate what sort of traffic and see what the
> responses are.
>
> For the sake of argument, would the output of
> nmap -sSV -O -d --packet-trace -p80,8088,34952 192.168.235.1
> be useful?
> I'd want to restrict the ports to the ones that I know are open to
> keep the logfile from being too big.
>
> -Jason
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

-- 
  Hans Nilsson
  hasse_gg_at_ftml.net
Received on Dec 12 2006