Nmap Development: Re: nmap sending encapsulated packets

["Mike Lude" <mlude () pacbell net>]

David--

Actually, I just fired up zenmap and took one of its canned scans 
("operating system detection"), but just about everything I try ends 
up sending these encapsulated packets. I don't think that it's 
anything special that I'm doing.

Let me know if I can help debug things.

/Mike

On 2 Apr 2008 at 18:51, David Fifield wrote:

Date sent:              Wed, 2 Apr 2008 18:51:24 -0600
From:                   David Fifield <david () bamsoftware com>
To:                     nmap-dev () insecure org
Subject:                Re: nmap sending encapsulated packets

> On Wed, Apr 02, 2008 at 06:51:28PM -0500, Kris Katterjohn wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Mike Lude wrote:
> > > Now with almost any scan I do (for example, 
> > > nmap -T Aggressive -O -v 192.168.155.22) 
> > > it says that it can't find the host, and when I add the suggested
> > > -PN parameter it lists all ports as filtered, even though I have a
> > > perfectly accessible webserver running on the host to be scanned.
> > >
> > > So, I break out wireshark to see what's going on, and trace what
> > > nmap is sending and what I am receiving at the host. Every single
> > > outgoing packet is encapsulated, with a protocol of 0xFF. Here's a
> > > hex dump of the first packet sent:
> > >
> > > 0000  9c f4 20 00 03 00 03 00  03 00 00 00 08 00 45 00   
> > > 0010  00 3c 94 91 00 00 80 ff  ed 8c c0 a8 9b 3d c0 a8   
> > > 0020  9b 16 45 00 00 28 71 62  00 00 2c 06 65 c9 c0 a8   
> > > 0030  9b 3d c0 a8 9b 16 d3 0d  00 50 79 f3 1a 0a 00 00   
> > > 0040  42 ba 50 10 04 00 4a 1a  00 00                     
> > >
> > > This matches exactly with what I see on the host being scanned.
> > Hmm.. I don't know; hopefully somebody else on this list can say
> > something definitive.
> >
> > Not just an unrecognized protocol, but if I'm not mistaken protocol
> > 0xFF should never actually be sent over a network.  I think the old
> > hack (1980's) for sending raw IP packets w/headers involved patching
> > the kernel and setting the socket() protocol field to 0xFF since it
> > should never be used for anything.
> Wow, Kris, thanks for refreshing my memory. I've seen this before. I
> see it when I use --send-ip on Windows. Mike, are you using that
> option? Nmap prints a warning in that case. If you're not, it seems
> Nmap is acting as if you are, and we need to check it out.
>
> 255 is the numerical value of IPPROTO_RAW, which is usually a special
> code that means to create a raw socket. I guess when Microsoft
> disabled raw sockets they just stopped giving this code its magical
> meaning, so it's interpreted literally as 255.
>
> David Fifield
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org