Nmap Development mailing list archives

Potential bug in nmap 4.21ALPHA4 (and before)


From: Sebastian Wolfgarten <sebastian () wolfgarten com>
Date: Wed, 16 May 2007 23:19:12 +0200

Hi Fyodor,

how are you doing, hope you are keeping well!

I think I discovered a potential bug in nmap 4.21ALPHA4 and some
previous versions (at least including nmap 4.11). I also believe I
reported this to you before but anyway, the options I used were (on
Linux 2.6.17):

nmap-4.21ALPHA4 # ./nmap -v -sS -sV -O -P0 -oA bla -p0,21-23,25,80,111,139,443,445,512,1521,2049,3389,8080 www.nestor-hotels.de

Now here is what I get:

Starting Nmap 4.21ALPHA4 ( http://insecure.org ) at 2007-05-16 23:07 CEST
Initiating Parallel DNS resolution of 1 host. at 23:07
Completed Parallel DNS resolution of 1 host. at 23:07, 0.00s elapsed
Initiating SYN Stealth Scan at 23:07
Scanning kundenserver.de (82.165.95.212) [15 ports]
Discovered open port 22/tcp on 82.165.95.212
Discovered open port 80/tcp on 82.165.95.212
Discovered open port 21/tcp on 82.165.95.212
Completed SYN Stealth Scan at 23:07, 0.05s elapsed (15 total ports)
Initiating Service scan at 23:07
Scanning 3 services on kundenserver.de (82.165.95.212)
Completed Service scan at 23:07, 6.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against kundenserver.de (82.165.95.212)
Retrying OS detection (try #2) against kundenserver.de (82.165.95.212)
Initiating gen1 OS Detection against 82.165.95.212 at 9.723s
For OSScan assuming port 21 is open, 0 is closed, and neither are firewalled
send_closedudp_probe: One or more of your parameters suck!
send_closedudp_probe: One or more of your parameters suck!
For OSScan assuming port 21 is open, 0 is closed, and neither are firewalled
send_closedudp_probe: One or more of your parameters suck!
send_closedudp_probe: One or more of your parameters suck!
For OSScan assuming port 21 is open, 0 is closed, and neither are firewalled
send_closedudp_probe: One or more of your parameters suck!
send_closedudp_probe: One or more of your parameters suck!
SCRIPT ENGINE: Initiating script scanning.
Host kundenserver.de (82.165.95.212) appears to be up ... good.
Interesting ports on kundenserver.de (82.165.95.212):
PORT     STATE    SERVICE      VERSION
0/tcp    closed   unknown
21/tcp   open     ftp          ProFTPD
22/tcp   open     ssh          OpenSSH 4.3 Debian 1:4.3p2-2 (protocol 1.99)
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   open     http         Apache httpd 1.3.33 ((Unix))
111/tcp  filtered rpcbind
139/tcp  filtered netbios-ssn
443/tcp  closed   https
445/tcp  filtered microsoft-ds
512/tcp  filtered exec
1521/tcp closed   oracle
2049/tcp closed   nfs
3389/tcp closed   ms-term-serv
8080/tcp closed   http-proxy
Device type: broadband router|general purpose|web proxy|load balancer|WAP
Running (JUST GUESSING) : Linksys embedded (91%), Linux 2.6.X|2.4.X
(90%), Cisco ACNS (89%), Kemp embedded (89%), Siemens Linux (88%)
Aggressive OS guesses: Linksys WRT54GS v4 running OpenWrt w/Linux kernel
2.4.30 (91%), Linux 2.6.9-42 (Red Hat ES4) (90%), Linux 2.6.14-gentoo-r2
(Gentoo, x86) (90%), Cisco Content Engine CE590 running Application and
Content Networking System Software 5.5.5 (89%), KEMP Technologies
LoadMaster 1500 load balancer (89%), Siemens Gigaset SE515dsl wireless
broadband router (88%), Centos 4.3 Linux 2.6.17.11-grsec (Centos 4.3,
X86) (87%), Linux 2.6.15-27 (Ubuntu 6.06) (87%), Linux 2.4.33 (85%),
Linux 2.6.13 - 2.6.18 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=4090459 (Good luck!)
IPID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux

OS and Service detection performed. Please report any incorrect results
at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 18.687 seconds
               Raw packets sent: 101 (8344B) | Rcvd: 79 (4242B)

And here is the problem: Which option actually sucks
(send_closedudp_probe: One or more of your parameters suck!)? Why do I
get these messages when to me the command-line call above looks quite
alright, doesn't it?

Thank you very much for developing nmap and keep up the good work! And
if I meet you at DefCon this year, I will buy you a beer (I was the guy
that was trying to meet you when you were in Stuttgart/Germany some time
ago before you went to Zurich). Take care and thanks!

Cheers,
Sebastian

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

