Re: Apparent Bug in Nmap

[Fyodor <fyodor () insecure org>]

On Thu, Jun 04, 2009 at 11:38:03AM -0500, sbammel wrote:
> Test #2: (shows 10.11.0.1 up when it is not)
>
> Nmap Command:
> c:\Temp\nmap>nmap -sP 10.11.0.2 10.11.0.1
> Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-04 11:19 Central Daylight Time
> Host 10.11.0.1 is up (0.00s latency).
> Nmap done: 2 IP addresses (1 host up) scanned in 1.74 seconds
>
> Ethereal Output:
> No.     Time        Source                Destination           Protocol Info
>      10 11.277806   10.10.0.81            10.11.0.1             TCP      62969 > http [ACK] Seq=0 Ack=0 Win=3072 Len=0
>      11 11.278167   10.11.0.1             10.10.0.81            ICMP     Destination unreachable (Host unreachable)

Hi Stanley.  Whether to consider a host "up" can be a touch policy
decision.  We tend to err on the side of considering hosts up rather
than being too strict about it.  In this case above, Nmap receives a
packet purportedly FROM 10.11.0.1 claiming that it is not reachable.
Well, it was reachable enough that we got a response from that IP, so
we consider it reachable enough to continue scanning.

Now if the unreachable comes from a different IP address than the
target, we treat it differently.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org