 
Nmap Development mailing list archives
nmap 6.47 IPv6 ping scan incorrectly indicates host is down + patch
From: Andrew Waters <awaters_uk () hotmail com>
Date: Tue, 17 Feb 2015 08:32:34 +0000
The current version of nmap incorrectly reports an IPv6 host as down. This appears to be caused by the change made in nmap 6.45:

o The ICMP ID of ICMP probes is now matched against the sent ICMP ID, to reduce the chance of false matches. Patch by Chris Johnson.

# nmap -6 -ddd -vvv -n -T4 -PE -sn 2001:500:100:1187:250:56ff:fe09:13f8

Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-04 11:04 GMT
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000, SCTP 10
  parallelism: min 0, max 0
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /home/awaters/Downloads/nmap/nmap-6.47/nmap-payloads
Initiating Ping Scan at 11:04
Scanning 2001:500:100:1187:250:56ff:fe09:13f8 [1 port]
Packet capture filter (device ens9): dst host 2001:500:100:1181:7eb1:d59a:e7cd:60a0 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 2001:500:100:1187:250:56ff:fe09:13f8)))
SENT (0.0251s) ICMPv6 (58) 2001:500:100:1181:7eb1:d59a:e7cd:60a0 > 2001:500:100:1187:250:56ff:fe09:13f8 (type=128/code=0) ver=6, tclass=0 flow=0 payloadlen=8 nh=IPv6-ICMP hopl=255
**TIMING STATS** (0.0252s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 500000/-1/-1
  Current sending rates: 68.60 packets / s, 3292.63 bytes / s.
  Overall sending rates: 68.60 packets / s, 3292.63 bytes / s.
RCVD (0.0280s) ICMPv6 (58) 2001:500:100:1187:250:56ff:fe09:13f8 > 2001:500:100:1181:7eb1:d59a:e7cd:60a0 (type=129/code=0) ver=6, tclass=0 flow=0 payloadlen=8 nh=IPv6-ICMP hopl=63
Found 2001:500:100:1187:250:56ff:fe09:13f8 in incomplete hosts list.
SENT (0.5279s) ICMPv6 (58) 2001:500:100:1181:7eb1:d59a:e7cd:60a0 > 2001:500:100:1187:250:56ff:fe09:13f8 (type=128/code=0) ver=6, tclass=0 flow=0 payloadlen=8 nh=IPv6-ICMP hopl=255
**TIMING STATS** (0.5279s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 500000/-1/-1
  Current sending rates: 3.87 packets / s, 185.57 bytes / s.
  Overall sending rates: 3.87 packets / s, 185.57 bytes / s.
RCVD (0.5293s) ICMPv6 (58) 2001:500:100:1187:250:56ff:fe09:13f8 > 2001:500:100:1181:7eb1:d59a:e7cd:60a0 (type=129/code=0) ver=6, tclass=0 flow=0 payloadlen=8 nh=IPv6-ICMP hopl=63
Found 2001:500:100:1187:250:56ff:fe09:13f8 in incomplete hosts list.
**TIMING STATS** (1.0306s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 500000/-1/-1
  Current sending rates: 1.96 packets / s, 94.12 bytes / s.
  Overall sending rates: 1.96 packets / s, 94.12 bytes / s.
ultrascan_host_probe_update called for machine 2001:500:100:1187:250:56ff:fe09:13f8 state UNKNOWN -> HOST_DOWN (trynum 1 time: 504893)
Moving 2001:500:100:1187:250:56ff:fe09:13f8 to completed hosts list with 1 outstanding probe.
Completed Ping Scan at 11:04, 1.02s elapsed (1 total hosts)
Overall sending rates: 1.96 packets / s, 93.92 bytes / s.
pcap stats: 2 packets received by filter, 0 dropped by kernel.
Initiating System DNS resolution of 1 host. at 11:04
Completed System DNS resolution of 1 host. at 11:04, 0.00s elapsed
Nmap scan report for 2001:500:100:1187:250:56ff:fe09:13f8 [host down, received no-response]
Read from /home/awaters/Downloads/nmap/nmap-6.47: nmap-payloads.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.05 seconds
           Raw packets sent: 2 (96B) | Rcvd: 2 (96B)

The problem is that UltraProbe::setIP fails to set the extra data when performing an ICMPv6 ping. Hence when icmp_probe_match tests ntohs(ping->id) != probe->icmpid() it fails. Fixing it, with the attached single-line patch against the current SVN repository, fixes the problem and now produces:

# nmap -6 -ddd -vvv -n -T4 -PE -sn 2001:500:100:1187:250:56ff:fe09:13f8

Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-04 11:10 GMT
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000, SCTP 10
  parallelism: min 0, max 0
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /home/awaters/Downloads/nmap/nmap-6.47/nmap-payloads
Initiating Ping Scan at 11:10
Scanning 2001:500:100:1187:250:56ff:fe09:13f8 [1 port]
Packet capture filter (device ens9): dst host 2001:500:100:1181:7eb1:d59a:e7cd:60a0 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 2001:500:100:1187:250:56ff:fe09:13f8)))
SENT (0.0206s) ICMPv6 (58) 2001:500:100:1181:7eb1:d59a:e7cd:60a0 > 2001:500:100:1187:250:56ff:fe09:13f8 (type=128/code=0) ver=6, tclass=0 flow=0 payloadlen=8 nh=IPv6-ICMP hopl=255
**TIMING STATS** (0.0206s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 500000/-1/-1
  Current sending rates: 86.72 packets / s, 4162.33 bytes / s.
  Overall sending rates: 86.72 packets / s, 4162.33 bytes / s.
RCVD (0.0385s) ICMPv6 (58) 2001:500:100:1187:250:56ff:fe09:13f8 > 2001:500:100:1181:7eb1:d59a:e7cd:60a0 (type=129/code=0) ver=6, tclass=0 flow=0 payloadlen=8 nh=IPv6-ICMP hopl=63
Found 2001:500:100:1187:250:56ff:fe09:13f8 in incomplete hosts list.
We got a ping packet back from 2001:500:100:1187:250:56ff:fe09:13f8: id = 47798 seq = 0 checksum = 60496
ultrascan_host_probe_update called for machine 2001:500:100:1187:250:56ff:fe09:13f8 state UNKNOWN -> HOST_UP (trynum 0 time: 500631)
Moving 2001:500:100:1187:250:56ff:fe09:13f8 to completed hosts list with 0 outstanding probes.
Completed Ping Scan at 11:10, 0.51s elapsed (1 total hosts)
Overall sending rates: 1.95 packets / s, 93.73 bytes / s.
pcap stats: 1 packets received by filter, 0 dropped by kernel.
Initiating System DNS resolution of 1 host. at 11:10
Completed System DNS resolution of 1 host. at 11:10, 0.29s elapsed
DNS resolution of 1 IPs took 0.29s. Mode: System [OK: 0, ??: 1]
Nmap scan report for 2001:500:100:1187:250:56ff:fe09:13f8
Host is up, received echo-reply (0.018s latency).
Final times for host: srtt: 17939 rttvar: 17939 to: 100000
Read from /home/awaters/Downloads/nmap/nmap-6.47: nmap-payloads.
Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
           Raw packets sent: 1 (48B) | Rcvd: 1 (48B)

Regards,
Andrew
Attachment: patch
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
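The failure mode Andrew describes, modelled as an added example that is not nmap's code and not his patch: an echo reply is accepted only if its ICMP ID equals the ID recorded on the sent probe, so a probe whose ID was never recorded (left at zero) can never be matched, and after the retries expire the host is reported down even though replies arrived. The struct and function names (struct probe, record_probe_buggy, record_probe_fixed, echo_reply_matches, probe_outcome) are assumptions for illustration; the reply bytes are constructed, with the id 47798 and checksum 60496 taken from the debug line in the post rather than recomputed.

```c
/* Added example, not nmap's code: a stand-alone model of the echo-ID matching
 * rule described in the post, with the IPv6 "ID never recorded" defect beside
 * the intended behaviour.  All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP_ECHOREPLY    0    /* ICMPv4 echo reply type (RFC 792)  */
#define ICMP6_ECHO_REPLY  129  /* ICMPv6 echo reply type (RFC 4443) */

/* Common echo header of ICMPv4 and ICMPv6: type, code, checksum, id, seq.
 * Multi-byte fields are converted to host order by parse_echo(). */
struct echo_hdr {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;
    uint16_t id;
    uint16_t seq;
};

/* Stand-in for the per-probe record a scanner keeps; icmpid is the value the
 * matcher compares the reply's id against. */
struct probe {
    int      is_v6;
    uint16_t icmpid;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse the 8-byte echo header from raw ICMP/ICMPv6 bytes. Returns 1 on success. */
int parse_echo(const uint8_t *buf, size_t len, struct echo_hdr *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return 0;
    out->type     = buf[0];
    out->code     = buf[1];
    out->checksum = be16(buf + 2);
    out->id       = be16(buf + 4);
    out->seq      = be16(buf + 6);
    return 1;
}

/* The defect, modelled: the id is stored only on the IPv4 path, so an IPv6
 * probe keeps icmpid == 0 regardless of the id that went out on the wire. */
void record_probe_buggy(struct probe *p, int is_v6, uint16_t sent_id)
{
    p->is_v6  = is_v6;
    p->icmpid = 0;
    if (!is_v6)
        p->icmpid = sent_id;
}

/* Intended behaviour: record the sent id for both address families. */
void record_probe_fixed(struct probe *p, int is_v6, uint16_t sent_id)
{
    p->is_v6  = is_v6;
    p->icmpid = sent_id;
}

/* Matching rule: correct reply type for the family, code 0, and the reply's
 * id equal to the id recorded on the probe. Anything else is a foreign packet. */
int echo_reply_matches(const uint8_t *pkt, size_t len, const struct probe *p)
{
    struct echo_hdr h;
    uint8_t want = p->is_v6 ? ICMP6_ECHO_REPLY : ICMP_ECHOREPLY;
    if (!parse_echo(pkt, len, &h))
        return 0;
    if (h.type != want || h.code != 0)
        return 0;
    return h.id == p->icmpid;
}

/* Outcome of one probe under a recording policy: 1 = reply matched (host up),
 * 0 = reply ignored (host ends up down once retries are exhausted). */
int probe_outcome(int is_v6, int use_fixed, uint16_t sent_id,
                  const uint8_t *reply, size_t len)
{
    struct probe p;
    if (use_fixed)
        record_probe_fixed(&p, is_v6, sent_id);
    else
        record_probe_buggy(&p, is_v6, sent_id);
    return echo_reply_matches(reply, len, &p);
}

/* Constructed packets (not captures). reply_47798: ICMPv6 echo reply, code 0,
 * checksum 0xEC50 (60496, as printed in the post), id 0xBAB6 (47798), seq 0.
 * reply_other_id: same shape but a different id, e.g. another process's ping. */
const uint8_t reply_47798[8]    = { 129, 0, 0xEC, 0x50, 0xBA, 0xB6, 0x00, 0x00 };
const uint8_t reply_other_id[8] = { 129, 0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x00 };
const uint8_t v4_reply_47798[8] = {   0, 0, 0x00, 0x00, 0xBA, 0xB6, 0x00, 0x00 };

int main(void)
{
    printf("IPv6, id not recorded: %s\n",
           probe_outcome(1, 0, 47798, reply_47798, 8) ? "HOST_UP" : "HOST_DOWN");
    printf("IPv6, id recorded:     %s\n",
           probe_outcome(1, 1, 47798, reply_47798, 8) ? "HOST_UP" : "HOST_DOWN");
    printf("IPv6, foreign id:      %s\n",
           probe_outcome(1, 1, 47798, reply_other_id, 8) ? "HOST_UP" : "HOST_DOWN");
    return 0;
}
```

With the buggy recording the genuine reply is discarded for the same reason the 6.45 change was introduced, to reject replies that do not carry the sent ID; the fix keeps that protection for IPv6 while letting the real reply through.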
Current thread:
- nmap 6.47 IPv6 ping scan incorrectly indicates host is down + patch Andrew Waters (Feb 20)
- Re: nmap 6.47 IPv6 ping scan incorrectly indicates host is down + patch Daniel Miller (Feb 23)
 


