Nmap Development mailing list archives

Re: nmap 5.21 sends protocol unreachable


From: David Fifield <david () bamsoftware com>
Date: Thu, 28 Jan 2010 10:18:37 -0700

On Wed, Jan 27, 2010 at 10:17:52PM -0500, Derek wrote:
> I am running Windows 7 64-bit and I was curious about how internet
> hosts would respond to the three different ICMP pings that nmap
> supports, I also had wireshark running while performing these pings. I
> noticed that after receiving a reply, I would see ICMP Protocol
> Unreachable packets being sent to the replying host from my machine,
> while using the windows ping program this did not happen so I am
> assuming nmap is sending these packets. So my question is why is nmap
> doing this and if not nmap, why is it happening. I have the nmap
> network scanning book and I don't recall reading anything about nmap
> sending this type of packet, but actually looking for this type of
> response when performing an IP protocol scan. Any thoughts would be
> appreciated.

Those packets are probably being sent by Windows, not Nmap. When the
remote host sends its replies, Windows is not expecting them because
Nmap bypassed the operating system and crafted them itself. It seems
strange that Windows is sending a protocol unreachable for ICMP instead
of dropping the packets, but that could be how Windows 7 does it for all
I know.

It's a lot like how the operating system of the scanning machine sends
RST packets during a SYN scan. In most cases that's what you want. Look
under figure 5.2 on page 97:

        Nmap could send this RST packet easily enough, but it doesn't
        actually need to. ... The OS running on krad also receives the
        SYN/ACK, which it doesn't expect because Nmap crafted the SYN
        probe itself. So the OS responds to the unexpected SYN/ACK with
        a RST packet.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
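
An added example, not part of the e-mail above or of Nmap: an ICMP destination-unreachable message quotes the IP header and first 8 bytes of the packet that triggered it (RFC 792), so a capture like the one described in the thread can be checked to confirm that each protocol unreachable answers an echo reply. The addresses are documentation ranges and the sample packet is constructed with checksums left at zero.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_NAMES = {0: "net unreachable", 1: "host unreachable",
              2: "protocol unreachable", 3: "port unreachable"}

def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header for constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(data):
    """Return (header_len, protocol, src, dst) for a raw IPv4 packet."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IPv4 header length")
    return (ihl, data[9], socket.inet_ntoa(data[12:16]),
            socket.inet_ntoa(data[16:20]))

def explain_unreachable(packet):
    """Describe an ICMP unreachable and the packet it quotes; None otherwise."""
    ihl, proto, src, _dst = parse_ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    quoted = icmp[8:]  # type, code, checksum and 4 unused bytes come first
    q_ihl, q_proto, q_src, q_dst = parse_ipv4(quoted)
    result = {"sender": src, "code": CODE_NAMES.get(icmp[1], str(icmp[1])),
              "trigger_proto": q_proto, "trigger_src": q_src,
              "trigger_dst": q_dst, "trigger_icmp_type": None}
    if q_proto == 1 and len(quoted) > q_ihl:
        result["trigger_icmp_type"] = quoted[q_ihl]  # 0 means echo reply
    return result

# Constructed sample: the scanning host's OS rejects an unexpected echo reply.
SCANNER, TARGET = "192.0.2.10", "198.51.100.7"
ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1)
QUOTED = ip_header(TARGET, SCANNER, 1, len(ECHO_REPLY)) + ECHO_REPLY
ICMP_ERROR = struct.pack("!BBHI", ICMP_DEST_UNREACH, 2, 0, 0) + QUOTED
SAMPLE = ip_header(SCANNER, TARGET, 1, len(ICMP_ERROR)) + ICMP_ERROR

if __name__ == "__main__":
    print(explain_unreachable(SAMPLE))
```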

