Nmap Development: Re: nmap sending encapsulated packets

Re: nmap sending encapsulated packets

From: David Fifield <david_at_bamsoftware.com>
Date: Wed, 2 Apr 2008 18:51:24 -0600

On Wed, Apr 02, 2008 at 06:51:28PM -0500, Kris Katterjohn wrote:
> Mike Lude wrote:
> > Now with almost any scan I do (for example,
> > nmap -T Aggressive -O -v 192.168.155.22)
> > it says that it can't find the host, and when I add the suggested -PN
> > parameter it lists all ports as filtered, even though I have a
> > perfectly accessible webserver running on the host to be scanned.
> >
> > So, I break out wireshark to see what's going on, and trace what nmap
> > is sending and what I am receiving at the host. Every single outgoing
> > packet is encapsulated, with a protocol of 0xFF. Here's a hex dump of
> > the first packet sent:
> >
> > 0000 9c f4 20 00 03 00 03 00 03 00 00 00 08 00 45 00
> > 0010 00 3c 94 91 00 00 80 ff ed 8c c0 a8 9b 3d c0 a8
> > 0020 9b 16 45 00 00 28 71 62 00 00 2c 06 65 c9 c0 a8
> > 0030 9b 3d c0 a8 9b 16 d3 0d 00 50 79 f3 1a 0a 00 00
> > 0040 42 ba 50 10 04 00 4a 1a 00 00
> >
> > This matches exactly with what I see on the host being scanned.
> >
>
> Hmm.. I don't know; hopefully somebody else on this list can say
> something definitive.
>
> Not just an unrecognized protocol, but if I'm not mistaken protocol 0xFF
> should never actually be sent over a network. I think the old hack
> (1980's) for sending raw IP packets w/headers involved patching the
> kernel and setting the socket() protocol field to 0xFF since it should
> never be used for anything.

Wow, Kris, thanks for refreshing my memory. I've seen this before. I see
it when I use --send-ip on Windows. Mike, are you using that option?
Nmap prints a warning in that case. If you're not, it seems Nmap is
acting as if you are, and we need to check it out.

255 is the numerical value of IPPROTO_RAW, which is usually a special
code that means to create a raw socket. I guess when Microsoft disabled
raw sockets they just stopped giving this code its magical meaning, so
it's interpreted literally as 255.

David Fifield
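As an added illustration (not code from this thread or from Nmap), the following Python walks the frame Mike pasted: Ethernet, then the outer IPv4 header whose protocol field is 255 (the value of IPPROTO_RAW), then the IPv4 and TCP headers nested inside it. The function and constant names are mine; the frame bytes are copied from the hex dump above with the offset column removed, and both IP header checksums are verified along the way.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_RAW = 255  # ends up literally in the IP protocol field in the case discussed

# Frame bytes from the hex dump in Mike's message (offset column stripped).
FRAME_HEX = """
9c f4 20 00 03 00 03 00 03 00 00 00 08 00 45 00
00 3c 94 91 00 00 80 ff ed 8c c0 a8 9b 3d c0 a8
9b 16 45 00 00 28 71 62 00 00 2c 06 65 c9 c0 a8
9b 3d c0 a8 9b 16 d3 0d 00 50 79 f3 1a 0a 00 00
42 ba 50 10 04 00 4a 1a 00 00
"""
FRAME = bytes.fromhex(FRAME_HEX)

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(data: bytes) -> dict:
    """Parse one IPv4 header and return its key fields plus the bytes that follow it."""
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    return {
        "src": str(IPv4Address(data[12:16])),
        "dst": str(IPv4Address(data[16:20])),
        "ttl": data[8],
        "proto": data[9],
        "checksum_ok": ip_checksum(data[:ihl]) == 0,
        "payload": data[ihl:total_len],
    }

def analyze_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4; if protocol is 255, also parse the IPv4 (and TCP) header inside."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    outer = parse_ipv4(frame[14:])
    result = {"outer": outer, "encapsulated": outer["proto"] == IPPROTO_RAW}
    if result["encapsulated"]:
        inner = parse_ipv4(outer["payload"])
        result["inner"] = inner
        if inner["proto"] == 6:  # TCP: pull ports and flags from the inner payload
            sport, dport = struct.unpack("!HH", inner["payload"][:4])
            result["tcp"] = {"sport": sport, "dport": dport, "flags": inner["payload"][13]}
    return result

if __name__ == "__main__":
    print(analyze_frame(FRAME))
```

Run against the dump, it reports an outer header 192.168.155.61 -> 192.168.155.22 with protocol 255 and a valid checksum, and inside it a TCP segment to port 80 with only the ACK flag set (0x10), which is what Nmap's host-discovery ACK probe looks like once the extra header is peeled off.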

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Apr 02 2008
