Re: Detecting upstream filters

[Rasmus Andersson <rasmus () pole-position org>]

Ryan,

I found out my code was written longer ago - for 2.3BETA14. Today much
of nmap is rewritten and modularized. Anyway, what I did was the
following at each place an ICMP unreachable packet is decoded:

---8<------8<------8<------8<------8<------8<---

 if (ip->ip_src.s_addr != ip2->ip_dst.s_addr) {
   log_write(LOG_STDOUT, "ICMP unreachable %d received from intermediate
router %s\n",
     icmp->icmp_code,
inet_ntoa(inet_makeaddr(htonl(ip->ip_src.s_addr),0)));
 }

---8<------8<------8<------8<------8<------8<---

The ip struct contains the headers of the received icmp-unreachable
packet while ip2 contains the headers of the offending packet (which is
sent with the unreachable as payload). So if ip->ip_src.s_addr is not
equal to ip2->ip_dst.s_addr, the unreachable is sent by another guy
(prior to these lines, ip2->ip_dst.s_addr is already checked for being
our target->host.s_addr).

This works with (at least) SYN- and UDP-scans. In the case of a
CONNECT-scan I guess the OS handles more of this stuff so it won't work
this easily.

I haven't had time to digest the newest nmap source (with scan_engine.c)
but it should be very easy to incorporate this. My main problem is to
incorporate the output in the ports table instead of just burping while
scanning. It's probably a fairly simple task - but not for me :-)

/Rasmus

Ryan Permeh wrote:
> send me the code and i'll integrate it into the nmap source and make a
> patch.  it's a very cool idea
..
> ----- Original Message -----
> From: "Rasmus Andersson" <rasmus () pole-position org>
..
> Subject: Re: Detecting upstream filters
>
> > Ryan Permeh wrote:
> > > one of the problems here is that there isn't nessecarily an icmp unreach
> > > sent on a blocked port.  sometimes it just drops the packet and enters
> the
> > True, but that problem has nothing to do with my issue: *when* there is
> > an unreach received that originates from a (non-masquerading)
> > intermediate, I do want to be alerted about that fact.
> >
> > > "filtered" state because no response was read.  this may not even work
> when
> > > an intermediate decides to send an ICMP packet, because, if i remember
> > > correctly, pcap filters are placed to collect input, and intermediates
> are
> > > not in the filters collected.
> >
> > As I wrote, it does work. I have working code but it spews out the info
> > during the scan instead of nice and tidily in the table.
> >
> > Slainte
> > Rasmus
> >
> > ---------------------------------------------------------------------
> > For help using this (nmap-dev) mailing list, send a blank email to
> > nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).