Nmap Development
mailing list archives
Patch: better selection of traceroute probes
From: David Fifield <david () bamsoftware com>
Date: Fri, 5 Sep 2008 18:09:48 -0600
Hi,
In http://seclists.org/nmap-dev/2008/q3/0539.html I observed that Nmap's
traceroute doesn't work like it should for ping scans. Instead of using
the ping probe that got a response as the traceroute probe, it just
picks an arbitrary one of the ping probes that were used. So for example
if you ran
nmap -sP -PE -PS22 --traceroute google.com
the traceroute would fail after a long time (about 100 seconds for me)
with "! maximum TTL reached (50)". Traceroute just picked the SYN probe
to port 22, even though that doesn't get a response and the ping probe
does.
I attached a patch to fix this. It makes traceroute use whatever probe
was used as a timing ping during host discovery and port scanning. The
timing probe promotes itself: whenever a response is received to a
"better" probe than the current timing probe, the better probe becomes
the new timing probe. So the timing probe is the best probe Nmap knows
of to reach a given target. The caching and promotion of timing probes
is summarized at http://seclists.org/nmap-dev/2008/q3/0647.html.
I decided to use the cached timing probe for all traceroute types, not
just ping scans. That's why I'm posting the patch to the list, because
it's a bigger change than it would have been and I think it deserves a
little testing. A bonus is that this change allows the elimination of a
lot of code from traceroute.cc. Now the complexity of port selection is
isolated in scan_engine.cc.
Incidentally, combining ping scan with traceroute is a great way to try
out the new Zenmap topology visualization. Try the "Quick traceroute"
profile and run it against a bunch of scattered Internet hosts. You
don't even have to list all the targets in advance. Just run one scan
after another in the same window and all the results will be combined
together.
David Fifield
Attachment: traceroute-probe-selection.diff
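To make the promotion rule in the mail concrete, here is an added example that is not part of the patch or of Nmap's code base. It models a per-target "timing probe" cache: every reply promotes its probe if the probe ranks better than the one currently cached, a reply to a worse probe never demotes the cache, and traceroute then reuses the cached probe. The probe kinds, the `probe_rank` ordering (ICMP echo ahead of TCP SYN, then ACK, then UDP), the order in which probes are sent, and the reply sequences are all assumptions constructed for illustration; Nmap's real ordering lives in scan_engine.cc and is not reproduced here. The `-PE -PS22` scenario from the mail is replayed with only the echo request answered, so the old "arbitrary probe" picker and the patched "cached timing probe" picker can be compared side by side.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical probe kinds a ping scan might send (illustrative subset).
enum class ProbeType { IcmpEcho, TcpSyn, TcpAck, UdpPing };

struct Probe {
    ProbeType type;
    uint16_t port;  // 0 for ICMP
};

// Assumed preference order: lower rank is "better". Illustration only;
// Nmap's actual ordering is defined in scan_engine.cc and may differ.
static int probe_rank(const Probe &p) {
    switch (p.type) {
        case ProbeType::IcmpEcho: return 0;
        case ProbeType::TcpSyn:   return 1;
        case ProbeType::TcpAck:   return 2;
        case ProbeType::UdpPing:  return 3;
    }
    return 99;
}

static std::string describe(const Probe &p) {
    switch (p.type) {
        case ProbeType::IcmpEcho: return "ICMP echo";
        case ProbeType::TcpSyn:   return "TCP SYN/" + std::to_string(p.port);
        case ProbeType::TcpAck:   return "TCP ACK/" + std::to_string(p.port);
        case ProbeType::UdpPing:  return "UDP/" + std::to_string(p.port);
    }
    return "unknown";
}

struct TargetState {
    std::vector<Probe> sent;                        // probes sent during discovery
    bool have_timing = false;                       // is a timing probe cached?
    Probe timing_probe{ProbeType::IcmpEcho, 0};     // valid only if have_timing

    // Promotion rule from the mail: a reply to a probe that ranks better than
    // the cached timing probe replaces it. Replies to worse probes are ignored,
    // so the cache only ever improves.
    void on_response(const Probe &p) {
        if (!have_timing || probe_rank(p) < probe_rank(timing_probe)) {
            timing_probe = p;
            have_timing = true;
        }
    }
};

// Old behaviour described in the mail: an arbitrary sent probe (here, the
// first one sent), regardless of whether it was ever answered.
static std::string old_traceroute_choice(const TargetState &t) {
    if (t.sent.empty()) return "none";
    return describe(t.sent.front());
}

// Patched behaviour: reuse the cached timing probe, i.e. the best probe the
// scanner has actually seen a reply to. "none" if nothing ever replied.
static std::string new_traceroute_choice(const TargetState &t) {
    if (!t.have_timing) return "none";
    return describe(t.timing_probe);
}

// Replays one discovery round: probes in the order sent, then replies in the
// order they arrived. Both sequences are constructed inputs.
static TargetState simulate(const std::vector<Probe> &sent,
                            const std::vector<Probe> &replies) {
    TargetState t;
    t.sent = sent;
    for (const Probe &r : replies) t.on_response(r);
    return t;
}

// The mail's case: -PE -PS22 against a host that answers the echo request but
// never the SYN to port 22. Send order is chosen so the arbitrary picker lands
// on the SYN.
static TargetState scenario_syn_unanswered() {
    const Probe syn22{ProbeType::TcpSyn, 22};
    const Probe echo{ProbeType::IcmpEcho, 0};
    return simulate({syn22, echo}, {echo});
}

int main() {
    TargetState t = scenario_syn_unanswered();
    std::printf("old traceroute probe: %s\n", old_traceroute_choice(t).c_str());
    std::printf("new traceroute probe: %s\n", new_traceroute_choice(t).c_str());
    return 0;
}
```

Running it prints `TCP SYN/22` for the old picker (the probe that never gets a reply, hence the "maximum TTL reached" failure the mail describes) and `ICMP echo` for the patched one. The no-reply case is worth keeping in mind: if nothing answered during discovery, the cache is empty and the caller has to fall back to something rather than dereference a probe that does not exist.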
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org