Nmap Development mailing list archives
Qscan happyness
From: Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>
Date: Sat, 29 Sep 2007 09:23:48 -0300
These days I've been having a big fight with my ISP, Fibertel, because they're limiting rate according to port (but not the number of connections, heh, so I can use axel or any other parallel-downloading utility and obtain 364kb/s). I can download/browse the internet at 26kb/s.

In all my calls to the customer care department, they always denied having any kind of limitation or proxy. I know for certain that they have a NetCache appliance (for more details, check out http://blog.buanzo.com.ar, those tests are not nmap/qscan related).

Today, I finally decided to use qscan. In these tests, I'm QSCANning ports 22, 25, 110, and ports 80, 554 and 1755 (http and streaming ports that netcache supports).

I do the same scan against www.mailfighter.net (one of my hosts in Texas, USA - I'm in Buenos Aires, Argentina), and against a VPN hostname, mx1 (i.e. www.mailfighter.net over OpenVPN, so it is not trapped by the netcache).

These are the tests. First, against www.mailfighter.net:

    Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap/ ) at 2007-09-29 09:12 ART
    Qscan parameters: round trips: 10, avg delay = 200ms, confidence = 0.95
    Target:Port           Fam   uRTT +/- Stddev  Loss%
    66.219.59.208:22      A    246.4 +/- 1.5     0
    66.219.59.208:25      A    249.8 +/- 9.7     0
    66.219.59.208:80      B     12.6 +/- 1.7     0
    66.219.59.208:110     A    246.9 +/- 1.8     0
    66.219.59.208:554     B     12.7 +/- 0.9     0
    66.219.59.208:1755    B     12.6 +/- 1.8     0

As you can see, ports 22, 25 and 110 are in the same family ("A"), and ports 80, 554 and 1755 are in family "B", as I expected. Look at the uRTT values. Family B is one hop away. That is: they go to the transparent proxy in my ISP. Family A ports do not.

Now, let's see over the VPN:

    Starting Nmap 4.20ALPHA4 ( http://www.insecure.org/nmap/ ) at 2007-09-29 09:13 ART
    Qscan parameters: round trips: 10, avg delay = 200ms, confidence = 0.95
    Target:Port           Fam   uRTT +/- Stddev  Loss%
    10.100.100.1:22       A    252.7 +/- 17.2    0
    10.100.100.1:25       A    245.0 +/- 1.1     0
    10.100.100.1:80       A    247.0 +/- 2.2     0
    10.100.100.1:110      A    245.1 +/- 1.4     0
    10.100.100.1:554      A    247.9 +/- 6.0     0
    10.100.100.1:1755     A    246.4 +/- 5.3     0

Of course, they're all over family A. This is obviously what I, and all of you, expected.

Is this interesting? No, not really. We already knew Qscan could do this. But all examples that were provided here had to do with DNAT or port forwarding. Using it to demonstrate a transparent proxy in your ISP is cool :P

But I'm very happy, VERY happy with Qscan, and I hope to see it integrated into Nmap, or released as an independent tool, ASAP :)

BTW, I'll be showing these kinds of tests in my nmap talk next week in Colombia (Anyone from Colombia near Manizales that'd like to join me for a beer, send me an email!).

Yours,
Buanzo.

--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Services Offered: http://www.buanzo.com.ar/pro/
Join the GNU/Buanzo Forums - The word Community at its fullest expression.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
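
The reading of the two scans above can be automated. The following is an added example, not part of the original message and not Qscan's own code: it parses the Qscan rows quoted in the message and reports the ports whose family answers far faster than the slowest family on the same target. The function names and the 0.5 ratio threshold are assumptions made for illustration, and the check reuses the families Qscan already assigned rather than redoing its statistical test.

```python
import re
from collections import defaultdict

# Qscan rows copied from the two scans quoted in the message above.
DIRECT = """\
Target:Port Fam uRTT +/- Stddev Loss%
66.219.59.208:22 A 246.4 +/- 1.5 0
66.219.59.208:25 A 249.8 +/- 9.7 0
66.219.59.208:80 B 12.6 +/- 1.7 0
66.219.59.208:110 A 246.9 +/- 1.8 0
66.219.59.208:554 B 12.7 +/- 0.9 0
66.219.59.208:1755 B 12.6 +/- 1.8 0
"""
VPN = """\
10.100.100.1:22 A 252.7 +/- 17.2 0
10.100.100.1:25 A 245.0 +/- 1.1 0
10.100.100.1:80 A 247.0 +/- 2.2 0
10.100.100.1:110 A 245.1 +/- 1.4 0
10.100.100.1:554 A 247.9 +/- 6.0 0
10.100.100.1:1755 A 246.4 +/- 5.3 0
"""

ROW = re.compile(r"^(\S+):(\d+)\s+(\w+)\s+([\d.]+)\s+\+/-\s+([\d.]+)\s+(\d+)$")

def parse_qscan(text):
    """Return (host, port, family, urtt_ms, stddev_ms, loss_pct) per result row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # banner and header lines do not match and are skipped
            host, port, fam, rtt, sd, loss = m.groups()
            rows.append((host, int(port), fam, float(rtt), float(sd), int(loss)))
    return rows

def intercepted_ports(rows, ratio=0.5):
    """Ports in families whose mean uRTT is below ratio * the slowest family's mean.

    Assumption: the slowest family reflects the real path to the target, so a
    much faster family is being answered by a device closer to the scanner.
    """
    fams = defaultdict(list)
    for _host, port, fam, rtt, _sd, _loss in rows:
        fams[fam].append((port, rtt))
    if not fams:
        return []
    means = {f: sum(r for _, r in v) / len(v) for f, v in fams.items()}
    baseline = max(means.values())
    return sorted(p for f, v in fams.items() if means[f] < ratio * baseline for p, _ in v)

if __name__ == "__main__":
    print("direct:", intercepted_ports(parse_qscan(DIRECT)))
    print("vpn:   ", intercepted_ports(parse_qscan(VPN)))
```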
