Nmap Development: Re: nmap sending encapsulated packets

Re: nmap sending encapsulated packets

From: Mike Lude <mlude_at_pacbell.net>
Date: Wed, 02 Apr 2008 18:52:25 -0700

David--

Actually, I just fired up zenmap and took one of its canned scans
("operating system detection"), but just about everything I try ends
up sending these encapsulated packets. I don't think that it's
anything special that I'm doing.

Let me know if I can help debug things.

/Mike

On 2 Apr 2008 at 18:51, David Fifield wrote:

Date sent: Wed, 2 Apr 2008 18:51:24 -0600
From: David Fifield <david_at_bamsoftware.com>
To: nmap-dev_at_insecure.org
Subject: Re: nmap sending encapsulated packets

> On Wed, Apr 02, 2008 at 06:51:28PM -0500, Kris Katterjohn wrote:
> >
> > Mike Lude wrote:
> > > Now with almost any scan I do (for example,
> > > nmap -T Aggressive -O -v 192.168.155.22)
> > > it says that it can't find the host, and when I add the suggested
> > > -PN parameter it lists all ports as filtered, even though I have a
> > > perfectly accessible webserver running on the host to be scanned.
> > >
> > > So, I break out wireshark to see what's going on, and trace what
> > > nmap is sending and what I am receiving at the host. Every single
> > > outgoing packet is encapsulated, with a protocol of 0xFF. Here's a
> > > hex dump of the first packet sent:
> > >
> > > 0000 9c f4 20 00 03 00 03 00 03 00 00 00 08 00 45 00
> > > 0010 00 3c 94 91 00 00 80 ff ed 8c c0 a8 9b 3d c0 a8
> > > 0020 9b 16 45 00 00 28 71 62 00 00 2c 06 65 c9 c0 a8
> > > 0030 9b 3d c0 a8 9b 16 d3 0d 00 50 79 f3 1a 0a 00 00
> > > 0040 42 ba 50 10 04 00 4a 1a 00 00
> > >
> > > This matches exactly with what I see on the host being scanned.
> > >
> >
> > Hmm... I don't know; hopefully somebody else on this list can say
> > something definitive.
> >
> > Not just an unrecognized protocol, but if I'm not mistaken protocol
> > 0xFF should never actually be sent over a network. I think the old
> > hack (1980s) for sending raw IP packets w/headers involved patching
> > the kernel and setting the socket() protocol field to 0xFF since it
> > should never be used for anything.
>
> Wow, Kris, thanks for refreshing my memory. I've seen this before. I
> see it when I use --send-ip on Windows. Mike, are you using that
> option? Nmap prints a warning in that case. If you're not, it seems
> Nmap is acting as if you are, and we need to check it out.
>
> 255 is the numerical value of IPPROTO_RAW, which is usually a special
> code that means to create a raw socket. I guess when Microsoft
> disabled raw sockets they just stopped giving this code its magical
> meaning, so it's interpreted literally as 255.
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

Received on Apr 02 2008
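The decoder below is an added example for readers of this archive, not code from the thread or from Nmap itself. It parses the hex dump Mike posted the way one would when checking a capture for this symptom: it verifies both IPv4 header checksums, flags an outer protocol field of 255 (IPPROTO_RAW) whose payload is itself an IPv4 header, and decodes the inner TCP segment Nmap meant to send. The dump is copied from the quoted message; the function names and result layout are my own.

```python
import struct
from ipaddress import IPv4Address

# Hex dump quoted in the thread (offset column followed by bytes), copied verbatim
DUMP = """
0000 9c f4 20 00 03 00 03 00 03 00 00 00 08 00 45 00
0010 00 3c 94 91 00 00 80 ff ed 8c c0 a8 9b 3d c0 a8
0020 9b 16 45 00 00 28 71 62 00 00 2c 06 65 c9 c0 a8
0030 9b 3d c0 a8 9b 16 d3 0d 00 50 79 f3 1a 0a 00 00
0040 42 ba 50 10 04 00 4a 1a 00 00
"""
IPPROTO_RAW = 255  # the value David identifies in the thread
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def hexdump_to_bytes(dump):
    """Turn a Wireshark-style dump into raw bytes, dropping the offset column."""
    return bytes(int(b, 16) for ln in dump.strip().splitlines() for b in ln.split()[1:])

def ip_checksum(header):
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def parse_ipv4(buf):
    """Decode the fields of one IPv4 header and slice out its payload."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    return {"proto": buf[9], "ttl": buf[8], "checksum_ok": ip_checksum(buf[:ihl]) == 0,
            "src": str(IPv4Address(buf[12:16])), "dst": str(IPv4Address(buf[16:20])),
            "payload": buf[ihl:total_len]}

def diagnose(frame):
    """Report whether an Ethernet frame carries IP-in-IP with protocol 255, as in the capture."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"encapsulated": False, "reason": "not IPv4"}
    outer = parse_ipv4(frame[14:])
    result = {"outer": outer, "encapsulated": False}
    payload = outer["payload"]
    # A literal protocol 255 whose payload starts with another IPv4 header is the symptom
    if outer["proto"] == IPPROTO_RAW and payload and payload[0] >> 4 == 4:
        inner = parse_ipv4(payload)
        result.update(encapsulated=True, inner=inner)
        if inner["proto"] == 6:  # decode the TCP segment Nmap meant to send
            sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", inner["payload"][:16])
            flags = "|".join(n for bit, n in TCP_FLAGS.items() if off_flags & bit) or "none"
            result["tcp"] = {"sport": sport, "dport": dport, "flags": flags, "window": win}
    return result
```

Running `diagnose(hexdump_to_bytes(DUMP))` on the quoted dump reports a valid outer header with protocol 255 wrapping a valid inner header, and an inner TCP ACK to port 80 from 192.168.155.61 to 192.168.155.22.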