Nmap Development mailing list archives

Re: Nmap-4.10


From: "Jamie Gavahan" <redpike () gmail com>
Date: Mon, 26 Jun 2006 12:29:40 -0500

On 6/25/06, Fyodor <fyodor () insecure org> wrote:
> On Wed, Jun 14, 2006 at 06:52:21PM -0500, Jamie Gavahan wrote:
>> Hello all,
>>
>> I've been experiencing problems with Nmap since at least 4.03.  My
>> build environment is Windows XP Pro SP2, Visual C++ 2005 Express,
>> Server 2003 R2 Platform SDK. This problem also occurs with precompiled
>> binaries.
> [...]
>> Discovered open port 508/tcp on 205.217.153.62
>> Discovered open port 31/tcp on 205.217.153.62
>> Discovered open port 550/tcp on 205.217.153.62
>> Discovered open port 3006/tcp on 205.217.153.62
>> Discovered open port 489/tcp on 205.217.153.62
>
> It definitely sounds like there may be a transparent of some sort in
> the way.  Would you post the output of:
>
> nmap --packet-trace -sSV -p22,550 scanme.nmap.org
>
> That way we can see what packets are coming back, and also the results
> of service detection against these ports.

Here's the desired output:

# Nmap 4.10 scan initiated Mon Jun 26 12:17:18 2006 as: nmap
--packet_trace -sSV -p22,550 -oN nmap-dev.txt scanme.insecure.org
SENT (0.9850s) ICMP 10.0.0.3 > 205.217.153.62 Echo request
(type=8/code=0) ttl=50 id=17665 iplen=28
SENT (1.0000s) TCP 10.0.0.3:48792 > 205.217.153.62:80 A ttl=52 id=7454
iplen=40 seq=2891345118 win=1024 ack=1876323550
RCVD (1.1100s) ICMP 205.217.153.62 > 10.0.0.3 Echo reply
(type=0/code=0) ttl=44 id=55868 iplen=28
SENT (4.1570s) TCP 10.0.0.3:48769 > 205.217.153.62:22 S ttl=49 id=2923
iplen=44 seq=203584409 win=2048
SENT (4.1570s) TCP 10.0.0.3:48769 > 205.217.153.62:550 S ttl=46
id=21887 iplen=44 seq=203584409 win=3072
RCVD (4.2660s) TCP 205.217.153.62:22 > 10.0.0.3:48769 SA ttl=44
id=55871 iplen=44 seq=3167689185 win=5840 ack=203584410
SENT (7.6570s) TCP 10.0.0.3:48770 > 205.217.153.62:550 S ttl=47
id=26218 iplen=44 seq=203649944 win=4096
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE  VERSION
22/tcp  open     ssh      OpenSSH 4.3 (protocol 2.0)
550/tcp filtered new-rwho

# Nmap run completed at Mon Jun 26 12:17:28 2006 -- 1 IP address (1
host up) scanned in 10.532 seconds
<---------------------------------------------------------------------->
Trying the same scan a few minutes later yields this:

# Nmap 4.10 scan initiated Mon Jun 26 12:21:19 2006 as: nmap
--packet-trace -sSV -p22,550 -oN nmap-dev-1.txt scanme.insecure.org
SENT (0.4530s) ICMP 10.0.0.3 > 205.217.153.62 Echo request
(type=8/code=0) ttl=45 id=7139 iplen=28
SENT (0.4530s) TCP 10.0.0.3:57375 > 205.217.153.62:80 A ttl=41
id=47225 iplen=40 seq=2602268318 win=2048 ack=4187715230
SENT (2.4530s) ICMP 10.0.0.3 > 205.217.153.62 Echo request
(type=8/code=0) ttl=59 id=2289 iplen=28
SENT (2.4690s) TCP 10.0.0.3:57376 > 205.217.153.62:80 A ttl=42
id=16482 iplen=40 seq=2358998750 win=3072 ack=836466398
# Nmap run completed at Mon Jun 26 12:21:24 2006 -- 1 IP address (0
hosts up) scanned in 4.469 seconds
<---------------------------------------------------------------------->
And then a few more minutes later:

# Nmap 4.10 scan initiated Mon Jun 26 12:26:32 2006 as: nmap
--packet-trace -sSV -p22,550 -oN nmap-dev-2.txt scanme.insecure.org
SENT (0.4370s) ICMP 10.0.0.3 > 205.217.153.62 Echo request
(type=8/code=0) ttl=49 id=27407 iplen=28
SENT (0.4370s) TCP 10.0.0.3:61793 > 205.217.153.62:80 A ttl=47
id=50193 iplen=40 seq=768957854 win=4096 ack=2174049694
RCVD (0.5470s) ICMP 205.217.153.62 > 10.0.0.3 Echo reply
(type=0/code=0) ttl=45 id=55973 iplen=28
SENT (1.2340s) TCP 10.0.0.3:61770 > 205.217.153.62:22 S ttl=46
id=23069 iplen=44 seq=1428639177 win=3072
SENT (1.2340s) TCP 10.0.0.3:61770 > 205.217.153.62:550 S ttl=38
id=25856 iplen=44 seq=1428639177 win=3072
RCVD (1.3280s) TCP 205.217.153.62:22 > 10.0.0.3:61770 SA ttl=45
id=55976 iplen=44 seq=3758677423 win=5840 ack=1428639178
SENT (2.7030s) TCP 10.0.0.3:61771 > 205.217.153.62:550 S ttl=46
id=62280 iplen=44 seq=1428573640 win=3072
Interesting ports on scanme.nmap.org (205.217.153.62):
PORT    STATE    SERVICE  VERSION
22/tcp  open     ssh      OpenSSH 4.3 (protocol 2.0)
550/tcp filtered new-rwho

# Nmap run completed at Mon Jun 26 12:26:36 2006 -- 1 IP address (1
host up) scanned in 3.453 seconds
<---------------------------------------------------------------------->
Hope this helps the diagnosis!

-Jamie


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
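
One way to read traces like the ones in the message above, as an added example that is not part of the original post or of Nmap: the Python below pairs each SENT probe with its RCVD reply and lists the probes that got no answer. The function names are hypothetical, the sample input is the first trace from the post with its wrapped lines rejoined, and ICMP error replies to TCP probes are assumed absent and not handled.

```python
import re

# First trace from the message above, wrapped lines rejoined.
TRACE = """\
SENT (0.9850s) ICMP 10.0.0.3 > 205.217.153.62 Echo request (type=8/code=0) ttl=50 id=17665 iplen=28
SENT (1.0000s) TCP 10.0.0.3:48792 > 205.217.153.62:80 A ttl=52 id=7454 iplen=40 seq=2891345118 win=1024 ack=1876323550
RCVD (1.1100s) ICMP 205.217.153.62 > 10.0.0.3 Echo reply (type=0/code=0) ttl=44 id=55868 iplen=28
SENT (4.1570s) TCP 10.0.0.3:48769 > 205.217.153.62:22 S ttl=49 id=2923 iplen=44 seq=203584409 win=2048
SENT (4.1570s) TCP 10.0.0.3:48769 > 205.217.153.62:550 S ttl=46 id=21887 iplen=44 seq=203584409 win=3072
RCVD (4.2660s) TCP 205.217.153.62:22 > 10.0.0.3:48769 SA ttl=44 id=55871 iplen=44 seq=3167689185 win=5840 ack=203584410
SENT (7.6570s) TCP 10.0.0.3:48770 > 205.217.153.62:550 S ttl=47 id=26218 iplen=44 seq=203649944 win=4096
"""

LINE = re.compile(r"^(SENT|RCVD) \((\d+\.\d+)s\) (ICMP|TCP) (\S+) > (\S+) (.*)$")

def parse(trace):
    """Turn each packet-trace line into a dict; other lines are skipped."""
    packets = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            direction, t, proto, src, dst, rest = m.groups()
            fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rest)}
            # TCP: first token is the flag string (S, SA, A); ICMP: the type name
            kind = rest.split()[0] if proto == "TCP" else rest.split(" (")[0]
            packets.append(dict(dir=direction, t=float(t), proto=proto,
                                src=src, dst=dst, kind=kind, **fields))
    return packets

def is_reply(probe, pkt):
    """Same protocol, swapped endpoints, not earlier; a SYN's reply must ack seq+1."""
    if (pkt["dir"], pkt["proto"], pkt["src"], pkt["dst"]) != ("RCVD", probe["proto"], probe["dst"], probe["src"]):
        return False
    if probe["kind"] == "S" and "ack" in pkt and pkt["ack"] != probe["seq"] + 1:
        return False
    return pkt["t"] >= probe["t"]

def match_probes(trace):
    """Return (probe description, round-trip ms or None) for every SENT line."""
    packets, results = parse(trace), []
    for p in (x for x in packets if x["dir"] == "SENT"):
        reply = next((r for r in packets if is_reply(p, r)), None)
        rtt = round((reply["t"] - p["t"]) * 1000) if reply else None
        results.append((f'{p["proto"]} {p["dst"]} {p["kind"]}', rtt))
    return results

if __name__ == "__main__":
    for probe, rtt in match_probes(TRACE):
        print(probe, "no reply" if rtt is None else f"{rtt} ms")
```

On this trace the echo request and the SYN to port 22 are answered, while the ACK to port 80 and both SYNs to port 550 are not, which matches the `filtered` state Nmap reported for 550/tcp.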

