Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Nmap says Host down when actually host is up.
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 26 Oct 2007 07:10:33 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 26 Oct 2007 08:46:55 +0200 plus or minus some time kx
<kxmail () gmail com> wrote:

I can't say for ICMP, but I have definitely written a generic UDP
server on a Solaris box before that had multiple IP addresses, that
was listening on all IPs, and when the server would reply to a UDP
packet, the kernel behavior would be to reply from the IP addresses on
the Solaris box that was closest to the source, not necessarily from
the IP address it received the packet on.

Now, in this case it made sense, I would send a packet from a subnet
connected to the Solaris box, but I would send it to the IP address
not on the subnet. The response would come back from the IP address on
my subnet.

Example

Solaris has IP 10.10.1.5 and 10.10.100.5
I am IP 10.10.1.6

10.10.1.6 -- UDP --> 10.10.100.5
10.10.1.6 <-- UDP -- 10.10.1.5

Not as clear as is what is going on below, and as Kris stated, it
shouldn't happen with ICMP, but just throwing it out for
consideration.

Cheers,
  kx


+1 on strange things with ICMP.  The UDP socket code I've been writing
lately has seen some of strangest ICMP messages back.  Between all the
different OS, firewalls, NATs, and other strange network devices out there,
you're going to see some crazy ICMP packets.

I haven't given it more than 2 seconds of thought, but we could try
something TCP SYNCOOKIE inspired for our ICMP ECHO requests.

Say we stuffed some useful data in the payload like:

<64 bit timestamp><32 bit salt><32 bit target IP XOR 32 bit salt><32 bit
checksum (CRC?)>

Then when we receive an ICMP ECHO REPLY from a host we don't know about, we
check the payload. If:

* The time is within some reasonable range
* The salt matches the salt being used by the nmap process
* The XOR of the salt and jumbled IP field match an IP we're probing
* The checksum computes

Then we accept the echo reply as valid even though something is slightly
broken.

Or maybe I'm missing something this is a terrible idea?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHIZLpqaGPzAsl94IRArIWAKCARuVnI7W4uPLs2J278yA1crZtAACfQFcR
j2dtWK5/D1I9zGvFa/AEhqE=
=2TzD
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault