
Nmap Development: Re: Nmap says Host down when actually host is up.

Re: Nmap says Host down when actually host is up.

From: Brandon Enright <bmenrigh_at_ucsd.edu>
Date: Fri, 26 Oct 2007 07:10:33 +0000


On Fri, 26 Oct 2007 08:46:55 +0200 plus or minus some time kx
<kxmail_at_gmail.com> wrote:

> I can't say for ICMP, but I have definitely written a generic UDP
> server on a Solaris box before that had multiple IP addresses, that
> was listening on all IPs, and when the server would reply to a UDP
> packet, the kernel behavior would be to reply from the IP addresses on
> the Solaris box that was closest to the source, not necessarily from
> the IP address it received the packet on.
>
> Now, in this case it made sense, I would send a packet from a subnet
> connected to the Solaris box, but I would send it to the IP address
> not on the subnet. The response would come back from the IP address on
> my subnet.
>
> Example
>
> Solaris has IP 10.10.1.5 and 10.10.100.5
> I am IP 10.10.1.6
>
> 10.10.1.6 -- UDP --> 10.10.100.5
> 10.10.1.6 <-- UDP -- 10.10.1.5
>
> Not as clear as what is going on below, and as Kris stated, it
> shouldn't happen with ICMP, but just throwing it out for
> consideration.
>
> Cheers,
> kx
>

+1 on strange things with ICMP. The UDP socket code I've been writing
lately has seen some of the strangest ICMP messages back. Between all the
different OSes, firewalls, NATs, and other strange network devices out there,
you're going to see some crazy ICMP packets.

I haven't given it more than 2 seconds of thought, but we could try
something TCP SYNCOOKIE inspired for our ICMP ECHO requests.

Say we stuffed some useful data in the payload like:

<64 bit timestamp><32 bit salt><32 bit target IP XOR 32 bit salt><32 bit checksum (CRC?)>

Then when we receive an ICMP ECHO REPLY from a host we don't know about, we
check the payload. If:

* The time is within some reasonable range
* The salt matches the salt being used by the nmap process
* The XOR of the salt and jumbled IP field match an IP we're probing
* The checksum computes

Then we accept the echo reply as valid even though something is slightly
broken.

Or maybe I'm missing something and this is a terrible idea?

Brandon

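The payload scheme Brandon sketches above, as an added example that is not part of the original post or of Nmap's own code: build the four fields and run the four checks he lists when an echo reply comes back from an unexpected address. The CRC-32 checksum, the big-endian field layout, the time window and the probe list passed to the verifier are assumptions; the IPs in the test are kx's example addresses.

```c
/* Added example (not Nmap code): encode/verify the proposed ICMP echo payload.
 * Layout per the post: <64-bit ts><32-bit salt><ip ^ salt><32-bit checksum>.
 * CRC-32 (IEEE) as the checksum and big-endian fields are assumptions. */
#include <stdint.h>
#include <stddef.h>

#define PAYLOAD_LEN 20            /* 8 + 4 + 4 + 4 bytes */

/* Bitwise CRC-32 (IEEE polynomial); a table-driven version would do too. */
static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & -(c & 1u));
    }
    return ~c;
}
static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i));
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Build: <ts><salt><ip ^ salt><crc over the first 16 bytes>. */
void echo_payload_build(uint8_t out[PAYLOAD_LEN], uint64_t ts, uint32_t salt, uint32_t ip) {
    put32(out, (uint32_t)(ts >> 32));
    put32(out + 4, (uint32_t)ts);
    put32(out + 8, salt);
    put32(out + 12, ip ^ salt);                 /* "jumbled" target IP */
    put32(out + 16, crc32(out, 16));
}

/* Verify a reply payload against our salt, a freshness window (same units as ts)
 * and the list of targets we are probing. Returns the recovered target IP when
 * every check passes, 0 when any of them fails. */
uint32_t echo_payload_verify(const uint8_t in[PAYLOAD_LEN], uint64_t now, uint64_t max_age,
                             uint32_t salt, const uint32_t *targets, size_t ntargets) {
    if (crc32(in, 16) != get32(in + 16)) return 0;          /* checksum computes? */
    uint64_t ts = (uint64_t)get32(in) << 32 | get32(in + 4);
    if (ts > now || now - ts > max_age) return 0;            /* time within range? */
    if (get32(in + 8) != salt) return 0;                      /* our process's salt? */
    uint32_t ip = get32(in + 12) ^ salt;                      /* undo the XOR */
    for (size_t i = 0; i < ntargets; i++)
        if (targets[i] == ip) return ip;                      /* an IP we're probing */
    return 0;
}
```

A reply that arrives from a different source address than the one probed is then attributed to the recovered target only if all four fields check out; a mangled or replayed payload is dropped.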

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Oct 26 2007
