Nmap Development mailing list archives

Re: U1 probe RUD test question
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 20:13:12 -0600

On Thu, Apr 02, 2009 at 05:29:51PM -0600, David Fifield wrote:
> On Thu, Apr 02, 2009 at 02:52:42PM -0400, Thomas Tavaris J (Tavaris) wrote:
> > I'm still looking at the quality of the tests that nmap sends and I have
> > a question regarding the U1,RUD test. Why is this test producing a G
> > value when wireshark, tshark, and tcpdump data shows no UDP data (from
> > the probe) is contained in the encapsulated ICMP port unreachable
> > packet? This is especially prevalent when scanning Cisco routers. The
> > nmap-os-db file says Cisco IOS should report G for the RUD test. From my
> > (limited) observations this hasn't been the case.
> 
> Thanks for bringing this up. There is a bug in the code that handles the
> U1.RUD test. Instead of checking that the payload is 300 bytes long and
> consists only of the character 'C', it only checks that every byte in
> the payload is 'C' without checking the length. So the test passes even
> for an empty payload.
> 
> I'm going to fix this, which will cause some OS matches to break. We'll
> have to get new submissions to populate the database with correct values
> for the test.

I looked into this more deeply. I ran the command

hping2 -V --rand-dest --udp -d 300 --fast --interface eth0 x.x.x.x -n

and captured all the ICMP packets that came back to me. Some of them
returned the full 300-byte payload, some of them truncated it to 120
bytes, and some truncated it to 0 bytes. However, all of them had the
length in the encapsulated UDP header set to 308 bytes. (I captured
about 50 packets.)

This is relevant to the recently removed U1.RUL test, which measured the
length of returned UDP packets. It was based on the UDP header value,
not on the overall IP packet length. That explains why it showed so
little variation even though I was able to find variation in a matter of

The U1.RUD test actually makes sense the way it is written now, when
combined with U1.RUL as it should be written. One test checks the number
of bytes and the other checks their value.

We should reinstate the U1.RUL test and fix it to be based on the IP
packet length, not the supposed encapsulated UDP length. I don't know
what to do about the database entries. We could set them all back to G
and wait for correct submissions to come in and replace them.

I'm pretty busy at the moment. Does anyone want to try and write a patch
to bring back U1.RUL? It should be based on the IP packet len; you can
use the existing code for U1.RUD as a guide for that. The patch won't be
hard to write. Start by running this command to see the change, part of
which you have to revert:
        svn diff -c 12725

David Fifield

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
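The RUD/RUL behaviour described in the thread, as an added example that is not Nmap's own code: it scores a constructed ICMP port-unreachable reply with the buggy "every byte is 'C'" check beside the length-checked one, and reads RUL from both the quoted UDP length field (stuck at 308) and the outer IP total length. Header sizes, field offsets and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define PROBE_LEN 300  /* the U1 probe carries 300 bytes of 'C' */
/* Assumed layout (no IP options): outer IPv4 20 + ICMP 8 + quoted IPv4 20 + quoted UDP 8. */
enum { OUTER_IP = 20, ICMP_HDR = 8, INNER_IP = 20, UDP_HDR = 8, HDRS = 56 };
enum { UDP_LEN_OFF = OUTER_IP + ICMP_HDR + INNER_IP + 4 };  /* offset of quoted UDP length field */
/* The bug the thread describes: 'G' if every quoted payload byte is 'C',
 * which is vacuously true when the router quoted zero bytes. */
int rud_buggy(const uint8_t *pkt, size_t len) {
    for (size_t i = HDRS; i < len; i++)
        if (pkt[i] != 'C') return 'I';
    return 'G';
}
/* Corrected check: exactly PROBE_LEN bytes were quoted, and all of them are 'C'. */
int rud_fixed(const uint8_t *pkt, size_t len) {
    return (len >= HDRS && len - HDRS == PROBE_LEN) ? rud_buggy(pkt, len) : 'I';
}
/* RUL from the quoted UDP header's length field: stuck at 308 (8 + 300) in the
 * thread's captures regardless of how much payload was actually quoted. */
size_t rul_from_udp_header(const uint8_t *pkt) {
    return ((size_t)pkt[UDP_LEN_OFF] << 8) | pkt[UDP_LEN_OFF + 1];
}
/* RUL from the outer IP total length: reflects what really came back. */
size_t rul_from_ip_length(const uint8_t *pkt) {
    return ((size_t)pkt[2] << 8) | pkt[3];
}
/* Constructed ICMP type 3 code 3 reply quoting payload_len bytes of 'C', with the
 * quoted UDP length fixed at 308 as observed. Returns the outer IP total length. */
size_t build_reply(uint8_t *buf, size_t payload_len) {
    size_t total = HDRS + payload_len;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total; buf[9] = 1;
    buf[OUTER_IP] = 3; buf[OUTER_IP + 1] = 3;                           /* port unreachable */
    buf[OUTER_IP + ICMP_HDR] = 0x45; buf[OUTER_IP + ICMP_HDR + 9] = 17; /* quoted IPv4/UDP */
    buf[UDP_LEN_OFF] = (UDP_HDR + PROBE_LEN) >> 8; buf[UDP_LEN_OFF + 1] = (UDP_HDR + PROBE_LEN) & 0xff;
    memset(buf + HDRS, 'C', payload_len);
    return total;
}
/* One scenario end to end: build a reply quoting payload_len bytes, then score it. */
int rud_for(size_t payload_len, int use_fixed) {
    uint8_t buf[HDRS + PROBE_LEN];
    size_t n = build_reply(buf, payload_len);
    return use_fixed ? rud_fixed(buf, n) : rud_buggy(buf, n);
}
size_t rul_for(size_t payload_len, int from_ip) {
    uint8_t buf[HDRS + PROBE_LEN];
    build_reply(buf, payload_len);
    return from_ip ? rul_from_ip_length(buf) : rul_from_udp_header(buf);
}
```

With a zero-byte quote the buggy check still returns 'G' while the fixed one returns 'I', and the UDP-header RUL reads 308 for every truncation level while the IP-length RUL distinguishes 56, 176 and 356.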
