Hi Peter,
I think you want the command
sudo nmap -sP -PS443 192.168.1.1
Running with just -PS will perform a default scan but with a SYN ping
instead. I think you want a ping scan without the port scan.
thanks
- eddie
On 20/03/07, cybernmd <cybernmd_at_gmail.com> wrote:
> I have noticed the following when performing SYN, ACK, and UDP pings:
>
> 1) When running SYN/ACK/UDP pings as a privileged user, target ports are
> completely ignored using the notation suggested in the manual
> (-PS80,443,666). nmap proceeds to scan every standard port
> on the target system instead of just the ones specified (this generates
> a lot of excessive traffic). At the same time I could get nmap to scan
> just those ports by using -p80,443,666 appended to the command line.
> Other than that all scans are performed just fine.
>
> 2) The suggested notation (-PS80,443,666) does work when nmap is
> executed from a non-privileged account, but I must still provide -p
> argument with ports that will be appended to those specified in -PS
> argument or else nmap starts scanning all standard ports on the target.
>
> I have confirmed this behavior with nmap 4.21ALPHA3 running on Ubuntu
> 6.10 and nmap 4.11 running on FreeBSD 6.2 for both local and external
> targets.
>
> Below are nmap commands I have used and partial traffic dump from scans:
>
> Using suggested notation in the manual
> ======================================
>
> Command:
> sudo nmap -PS443 192.168.1.1
>
> Traffic Generated:
> 0.093081 192.168.1.100 -> 192.168.1.1 TCP 56854 > rtsp [SYN] Seq=0
> Len=0 MSS=1460
> 0.093098 192.168.1.100 -> 192.168.1.1 TCP 56854 > domain [SYN] Seq=0
> Len=0 MSS=1460
> 0.093114 192.168.1.100 -> 192.168.1.1 TCP 56854 > ldaps [SYN] Seq=0
> Len=0 MSS=1460
> 0.093129 192.168.1.100 -> 192.168.1.1 TCP 56854 > 1723 [SYN] Seq=0
> Len=0 MSS=1460
> 0.093143 192.168.1.100 -> 192.168.1.1 TCP 56854 > ftp [SYN] Seq=0
> Len=0 MSS=1460
> 0.093157 192.168.1.100 -> 192.168.1.1 TCP 56854 > www [SYN] Seq=0
> Len=0 MSS=1460
> 0.093171 192.168.1.100 -> 192.168.1.1 TCP 56854 > 256 [SYN] Seq=0
> Len=0 MSS=1460
> 0.093185 192.168.1.100 -> 192.168.1.1 TCP 56854 > ssh [SYN] Seq=0
> Len=0 MSS=1460
> 0.093199 192.168.1.100 -> 192.168.1.1 TCP 56854 > 3389 [SYN] Seq=0
> Len=0 MSS=1460
> 0.093213 192.168.1.100 -> 192.168.1.1 TCP 56854 > telnet [SYN] Seq=0
> Len=0 MSS=1460
> ...
> proceeds to scan all standard ports on target 192.168.1.1 =(
>
> Using -p to specify ports instead
> =================================
>
> Command:
> sudo nmap -PS666 192.168.1.1 -p443
>
> Traffic Generated:
> 213.457235 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [SYN] Seq=0
> Len=0 MSS=1460
> 213.457694 192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK]
> Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
> 213.457714 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [RST] Seq=1
> Len=0
>
> Performs precisely what I wanted in the first place: a SYN ping on port
> 443. Note that port 666 was completely ignored.
>
> Using suggested notation in the manual with non-privileged account
> ==================================================================
> Command:
> nmap -PS443 192.168.1.1 -n
>
> Traffic Generated:
> 9.169700 192.168.1.100 -> 192.168.1.1 TCP 46883 > https [SYN] Seq=0
> Len=0 MSS=1460 TSV=25235354 TSER=0 WS=2
> 9.170185 192.168.1.1 -> 192.168.1.100 TCP https > 46883 [SYN, ACK]
> Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003443 TSER=25235354 WS=0
> 9.170208 192.168.1.100 -> 192.168.1.1 TCP 46883 > https [ACK] Seq=1
> Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
> 9.170810 192.168.1.100 -> 192.168.1.1 TCP 46883 > https [RST, ACK]
> Seq=1 Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
> 9.269808 192.168.1.100 -> 192.168.1.1 TCP 46884 > https [SYN] Seq=0
> Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
> 9.270289 192.168.1.1 -> 192.168.1.100 TCP https > 46884 [SYN, ACK]
> Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003453 TSER=25235379 WS=0
> 9.270311 192.168.1.100 -> 192.168.1.1 TCP 46884 > https [ACK] Seq=1
> Ack=1 Win=5840 Len=0 TSV=25235379 TSER=10003453
> 9.270498 192.168.1.100 -> 192.168.1.1 TCP 56401 > ldaps [SYN] Seq=0
> Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
> 9.270950 192.168.1.100 -> 192.168.1.1 TCP 37141 > www [SYN] Seq=0
> Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
> 9.271164 192.168.1.1 -> 192.168.1.100 TCP ldaps > 56401 [RST, ACK]
> Seq=0 Ack=1 Win=0 Len=0
> 9.271391 192.168.1.100 -> 192.168.1.1 TCP 33586 > ssh [SYN] Seq=0
> Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
> 9.271612 192.168.1.1 -> 192.168.1.100 TCP www > 37141 [RST, ACK]
> Seq=0 Ack=1 Win=0 Len=0
> ...
>
> Starts out just as expected by connect()-ing to https port, but later
> starts scanning all standard ports on the target host =(
>
> Using -p to specify ports with unprivileged account
> ===================================================
> Command:
> nmap -PS666 192.168.1.1 -p443 -n
>
> Traffic Generated:
> 0.000000 192.168.1.100 -> 192.168.1.1 TCP 42469 > 666 [SYN] Seq=0
> Len=0 MSS=1460 TSV=25287184 TSER=0 WS=2
> 0.000421 192.168.1.1 -> 192.168.1.100 TCP 666 > 42469 [RST, ACK]
> Seq=0 Ack=1 Win=0 Len=0
> 0.100061 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [SYN] Seq=0
> Len=0 MSS=1460 TSV=25287209 TSER=0 WS=2
> 0.100552 192.168.1.1 -> 192.168.1.100 TCP https > 46975 [SYN, ACK]
> Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10024180 TSER=25287209 WS=0
> 0.100575 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [ACK] Seq=1
> Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180
> 0.100923 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [RST, ACK]
> Seq=1 Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180
>
> First scans port 666 specified in -PS argument and later connect()-s to
> port 443.
>
> I am not sure if this is expected behavior, but it seems that when our
> only goal is to find out whether the host is up it is not necessary
> to scan all ports and generate all the noise.
>
> Sincerely, Peter
>
> p.s. thanks for the great tool, looking forward to the final version of
> the scripting engine =)
>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Mar 20 2007
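The traffic dumps in Peter's mail show the difference Eddie describes: a host-discovery probe alone hits a single port, while -PS without -sP goes on to a raw-socket port scan that reuses one source port across many destination ports. As an added example (not from the thread or from nmap itself), here is a small Python parser for that text-dump format that classifies a capture accordingly; the sample lines are constructed in the same format as the ones in the mail, with the wrapped continuation lines joined.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same text-dump format as the thread (the
# mail's wrapped continuation lines are joined into one record each).
FULL_SCAN_DUMP = """\
0.093081 192.168.1.100 -> 192.168.1.1 TCP 56854 > rtsp [SYN] Seq=0 Len=0 MSS=1460
0.093098 192.168.1.100 -> 192.168.1.1 TCP 56854 > domain [SYN] Seq=0 Len=0 MSS=1460
0.093114 192.168.1.100 -> 192.168.1.1 TCP 56854 > ldaps [SYN] Seq=0 Len=0 MSS=1460
0.093129 192.168.1.100 -> 192.168.1.1 TCP 56854 > 1723 [SYN] Seq=0 Len=0 MSS=1460
"""
PING_ONLY_DUMP = """\
213.457235 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [SYN] Seq=0 Len=0 MSS=1460
213.457694 192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0
213.457714 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [RST] Seq=1 Len=0
"""

# time, src -> dst, "TCP", sport > dport, [flags]; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) TCP "
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\]"
)

def parse_dump(text):
    """One dict per TCP line; flags become a list such as ['SYN', 'ACK']."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["flags"] = [f.strip() for f in rec["flags"].split(",")]
            records.append(rec)
    return records

def syn_probe_summary(records):
    """Bare SYNs (SYN set, ACK clear) grouped by source host."""
    summary = defaultdict(lambda: {"dst_ports": set(), "src_ports": set()})
    for r in records:
        if "SYN" in r["flags"] and "ACK" not in r["flags"]:
            summary[r["src"]]["dst_ports"].add(r["dport"])
            summary[r["src"]]["src_ports"].add(r["sport"])
    return dict(summary)

def classify(records, src):
    """'ping-only' if the source probed one port, 'port-scan' if it probed many."""
    s = syn_probe_summary(records).get(src)
    if s is None:
        return "no-probes"
    return "port-scan" if len(s["dst_ports"]) > 1 else "ping-only"
```

The src_ports set is the quick tell between the two modes on the page: the privileged dump reuses 56854 for every probe, while the unprivileged connect() dump gets a fresh ephemeral port per connection.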