Nmap Hackers: Protocol scan with nmap

Protocol scan with nmap

From: Gerhard Rieger - privat <rieger_at_iue.tuwien.ac.at>
Date: Sun, 28 May 2000 23:53:02 +0000

Hi nmap-hackers,

I have found nmap to be a very useful program for getting IP information about
hosts and networks.
What I sometimes need is a "protocol scanner" that probes for different values
of the IP protocol field, as used for selecting ICMP, TCP, UDP etc. For a year
now I had a perl "proof of concept" implementation; recently I decided to build
this feature into nmap. The result is now finished; I am sending the patch to
Fyodor in the hope that he will accept it for nmap.

I think that this feature is an important addition to IP level scanners.
BTW, I do not know if this type of scan has already been implemented somewhere.

The basic technique is the same as used for nmap's UDP scan: for each
interesting number a raw IP header packet is sent. If this number is supported
by the target IP stack, it does not respond; if no handler for that protocol is
integrated, the IP stack returns a "protocol unreachable" message (ICMP 3/2).

This is theory; in practice not all systems generate these "protocol
unreachable" messages.
At first glance the following do not:
  AIX, HP-UX, HP Laserjet, Digital-Unix
Some that do:
  Solaris, Linux, Routers, *D0S

For example I tested the two IP addresses that result from www.insecure.org:

  # ./nmap -sI 216.218.218.233
  Starting nmap V. 2.53 by fyodor_at_insecure.org ( www.insecure.org/nmap/ )
  Interesting protocols on one233.area.com (216.218.218.233):
  (The 251 protocols scanned but not shown below are in state: closed)
  Protocol State Name
  1 open icmp
  2 open igmp
  6 open tcp
  17 open udp
  Nmap run completed -- 1 IP address (1 host up) scanned in 169 seconds

The support of ICMP, TCP, and UDP will not be surprising :-)
Scanning the other www.insecure.org address (207.69.138.68) reports "all open"
which is obviously wrong; Fyodor, nmap does not seem to recognize both
OS fingerprints :-(

More of interest is a scan of some router on the internet:

  (The 239 protocols scanned but not shown below are in state: closed)
  Protocol State Name
  1 open icmp
  2 filtered igmp
  4 filtered ip
  6 open tcp
  8 open egp
  9 filtered igp
  17 open udp
  47 open gre
  53 open swipe
  54 open narp
  55 open mobile
  77 open sun-nd
  88 filtered eigrp
  89 filtered ospfigp
  94 filtered ipip
  103 open pim

Only a tcpdump shows that "filtered" is caused by a more outside router.
Remember: "open" means "no answer", "closed" means "protocol unreachable", and
"filtered" is caused by some "administratively forbidden".

Best regards
Gerhard Rieger

--
Always speaking for myself.
Received on May 28 2000
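As an added example, not part of Gerhard's post or of nmap's own code: a small Python classifier that applies the three rules from the post (no answer = open, ICMP 3/2 = closed, ICMP administratively-prohibited codes = filtered) to ICMP replies. It assumes the outer IP header of each reply has already been stripped and that, as RFC 792 requires, the ICMP error quotes the IP header of the original probe; the probe and reply builders only construct sample data offline.

```python
import struct

# ICMP type 3 (destination unreachable) codes used by the rules in the post.
ICMP_DEST_UNREACH = 3
CODE_PROTO_UNREACH = 2                 # "protocol unreachable": no handler for that protocol
CODES_ADMIN_PROHIBITED = {9, 10, 13}   # administratively prohibited (RFC 1812) -> "filtered"


def build_probe_header(proto, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed 20-byte IPv4 header of a protocol probe (sample data only);
    the protocol number is byte 9, which the ICMP error quotes back to us."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)


def build_icmp_error(code, probe_header):
    """Constructed ICMP destination-unreachable message (checksum left 0)
    quoting the probe's IP header, as a responding stack or router would."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + probe_header


def classify_reply(icmp_msg):
    """Map one ICMP reply to (probed_protocol, state) using the post's rules:
    type 3 / code 2 -> closed, type 3 / admin-prohibited code -> filtered.
    Returns None for replies that say nothing about a protocol probe."""
    if len(icmp_msg) < 8 + 20:          # ICMP header + minimal quoted IPv4 header
        return None
    icmp_type, code = icmp_msg[0], icmp_msg[1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    quoted = icmp_msg[8:]               # the original probe's IP header
    if quoted[0] >> 4 != 4:             # only IPv4 probes are handled here
        return None
    proto = quoted[9]                   # protocol field of the original probe
    if code == CODE_PROTO_UNREACH:
        return proto, "closed"
    if code in CODES_ADMIN_PROHIBITED:
        return proto, "filtered"
    return None


def scan_states(probed, replies):
    """Every probed protocol starts as 'open' (meaning: no answer, exactly as
    nmap -sI reports it); each ICMP reply quoting a probed number overrides that."""
    states = {p: "open" for p in probed}
    for msg in replies:
        result = classify_reply(msg)
        if result and result[0] in states:
            states[result[0]] = result[1]
    return states
```

Because "open" is only the absence of a reply, a stack that never sends protocol unreachable (the AIX/HP-UX case above) will make every protocol look open; the classifier cannot tell that apart without a known-closed control probe.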