Fyodor wrote:
> On Sun, Feb 04, 2007 at 06:36:42PM -0600, Kris Katterjohn wrote:
>> The attached patch (/nmap-exp/kris SVN r4472) makes it so that if we get
>> an ICMP Port Unreachable from the target host involving any protocol
>> that we call the port closed. The SVN log:
>
> Hi Kris. Despite what the RFCs say, I think that when we receive an
> ICMP port unreachable message in response to a TCP query, that ICMP
> unreachable packet was generally sent by a firewall or other filtering
> device as opposed to the end host. But I could be wrong. Have you
> found any target IPs which respond in this fashion? If so, I think it
> is worth investigating whether the packets are produced by firewall
> software (either running on the destination host, or in front of it),
> or if the destination host sends these responses rather than a RST for
> some reason. If you haven't seen this happen, then I think we should
> hold off on making any such changes to /nmap until we have some
> empirical data.
>
> Cheers,
> Fyodor
>
Does this not test to see if this packet is coming from the host and not
a separate device?

    /* ensure this packet relates to a packet to the host
       we are scanning ... */
    memset(&sin, 0, sizeof(sin));
    sin.sin_addr.s_addr = ip2->ip_dst.s_addr;
    sin.sin_family = AF_INET;
    hss = USI->findIncompleteHost((struct sockaddr_storage *) &sin);
    if (!hss) continue; // Not from a host that interests us
    ...
    if (hss->target->v4hostip()->s_addr == ip->ip_src.s_addr)

hss is filled from ip2->ip_dst.s_addr, which is where we were sending
the original packet. If it's tested against the source IP of the outer
header, we see if it's from where we sent it as opposed to another
box. Or am I wrong about that part?

Regardless, I have *not* seen this actually happen. I was reading the
RFC 1122 and found that part to be interesting. I skimmed over Nmap's
code and thought it could be added.

So whatever you think is best :)

Thanks,
Kris Katterjohn
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Feb 04 2007
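
The address comparison discussed in this thread, as an added, self-contained example (not code from Nmap or from either poster): it parses a raw IPv4 packet, confirms it is an ICMP type 3 / code 3 message, and compares the outer source address with the destination of the quoted original header. The function names, enum values and sample addresses are assumptions made for the illustration, and the packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum unreach_origin { NOT_PORT_UNREACH, FROM_PROBED_ADDR, FROM_OTHER_ADDR };

/* Classify a received IPv4 packet: is it an ICMP port unreachable (type 3,
 * code 3), and does its outer source equal the destination of the quoted
 * original header (the ip->ip_src vs ip2->ip_dst comparison)? */
enum unreach_origin classify_unreach(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 1)  /* IPv4 carrying ICMP */
        return NOT_PORT_UNREACH;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* outer header length */
    if (ihl < 20 || len < ihl + 8 + 20)                 /* ICMP hdr + quoted IP hdr */
        return NOT_PORT_UNREACH;
    const uint8_t *icmp = pkt + ihl;
    const uint8_t *ip2 = icmp + 8;                      /* quoted original header */
    if (icmp[0] != 3 || icmp[1] != 3 || (ip2[0] >> 4) != 4)
        return NOT_PORT_UNREACH;
    /* outer source: bytes 12..15; quoted destination: bytes 16..19 */
    return memcmp(pkt + 12, ip2 + 16, 4) == 0 ? FROM_PROBED_ADDR : FROM_OTHER_ADDR;
}

/* Constructed sample: port unreachable sent by `sender`, quoting a TCP probe
 * that was addressed to `probed`. Checksums and ports are left zero. */
size_t build_sample(uint8_t *buf, const uint8_t sender[4], const uint8_t probed[4])
{
    static const uint8_t scanner[4] = {192, 0, 2, 1};   /* constructed address */
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = 64; buf[9] = 1;  /* outer IPv4, ICMP */
    memcpy(buf + 12, sender, 4);
    memcpy(buf + 16, scanner, 4);
    buf[20] = 3; buf[21] = 3;                             /* type 3, code 3 */
    uint8_t *ip2 = buf + 28;
    ip2[0] = 0x45; ip2[3] = 40; ip2[8] = 64; ip2[9] = 6;  /* quoted IPv4, TCP */
    memcpy(ip2 + 12, scanner, 4);
    memcpy(ip2 + 16, probed, 4);
    return 56;
}

int main(void)
{
    uint8_t buf[56];
    const uint8_t host[4] = {198, 51, 100, 7}, other[4] = {198, 51, 100, 1};
    printf("%d\n", (int)classify_unreach(buf, build_sample(buf, host, host)));
    printf("%d\n", (int)classify_unreach(buf, build_sample(buf, other, host)));
}
```

A match only shows that the source address equals the probed address; it cannot tell the host's own IP stack apart from firewall software running on that host, which is the case raised in the quoted reply.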