Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Nmap ICMP/TCP Ping Insubordination

From: Noam Rathaus <noamr () beyondsecurity com>
Date: Mon, 7 Jun 2004 11:40:59 +0300
Hi,

I noticed a very inconsitent (with the man file) behavior of Nmap, I run two 
command line:
1) ./nmap-3.50/nmap -PT80 -sP -d -n www.microsoft.com
(under the root user)
2) /nmap-3.50/nmap -PT80 -sP -d -n www.microsoft.com
(under the non-root user)

Both should do the same, TCP Ping the host www.microsoft.com, however this 
doesn't happen:
1) Results in
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-07 11:39 IDT

Packet capture filter (device eth0): (icmp and dst host 192.168.1.5) or ((tcp 
or udp) and dst host 192.168.1.5 and ( dst port 42558 or dst port 42559 or 
dst port 42560 or dst port 42561 or dst port 42562))
Finished block: srtt: -1 rttvar: -1 timeout: 6000000 block_tries: 2 
up_this_block: 0 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 0
Host 207.46.245.92 appears to be down.
Note: Host seems down. If it is really up, but blocking our ping probes, try 
-P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 12.235 seconds

2) Results in
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-07 11:40 IDT
Machine 207.46.249.252 MIGHT actually be listening on probe port 80
Hostupdate called for machine 207.46.249.252 state UNKNOWN/COMBO -> HOST_UP 
(trynum 0, dotimeadj: yes time: 287027)
Finished block: srtt: 287047 rttvar: 287047 timeout: 1435235 block_tries: 1 
up_this_block: 1 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 1
Host 207.46.249.252 appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 1.452 seconds

----------

Now I know that normal user can't send ICMP packets, so this is the difference 
I am seeing.

However, WHY does it even try to use ICMP when I strictly told it to use TCP 
Ping (-PT)?

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
Previous By Date Next
Previous By Thread Next

Current thread: