Nmap Development mailing list archives

Re: Nmap ICMP/TCP Ping Insubordination


From: Noam Rathaus <noamr () beyondsecurity com>
Date: Mon, 7 Jun 2004 12:48:58 +0300

On Monday 07 June 2004 12:28, Martin Mačok wrote:
> On Mon, Jun 07, 2004 at 11:40:59AM +0300, Noam Rathaus wrote:
> > I noticed a very inconsistent (with the man file) behavior of Nmap,
> > I ran two command lines:
> > 1) ./nmap-3.50/nmap -PT80 -sP -d -n www.microsoft.com
> > (under the root user)
> > 2) /nmap-3.50/nmap -PT80 -sP -d -n www.microsoft.com
> > (under the non-root user)
> >
> > Both should do the same, TCP Ping the host www.microsoft.com,
>
> Option -PT does not do the same for root and non root users. From the
> man page, option -PT: "... spew out TCP ACK packets ... For non root
> users, we use connect()".
>
> Sniff both (1) and (2) with tcpdump/ethereal and see the
> conversations.
>
> Martin Mačok
> IT Security Consultant

Also, I noted that it still creates an ICMP capture filter under root, which
in the case of -PT/-PS/etc. would be unnecessary, unless that host is
non-routable.

I tried in addition to do:
nmap -sP -PS80 -d www.microsoft.com

TCP probe port is 80

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
The first host is 203, and the last one is 203
The first host is 55, and the last one is 55
The first host is 30, and the last one is 30
The first host is 222, and the last one is 222
Packet capture filter: (icmp and dst host 207.46.245.92) or (tcp and dst host 
192.117.122.128 and ( dst port 62241 or dst port 62242 or dst port 62243 or 
dst port 62244 or dst port 62245))

As you can see, it still tries to use ICMP for detection, if I read it
correctly.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441
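Added example, not code from this thread or from Nmap itself: a connect()-based TCP ping of the kind the man page describes for non-root users, which needs neither raw sockets nor a capture filter (so there is no ICMP clause to worry about). The verdict labels, function names and the loopback demo are my own; the point it makes is that a RST (ECONNREFUSED) still proves the host is up, only a silent probe leaves the question open.

```python
import errno
import socket

# Verdict labels are my own; Nmap only reports whether the host appears up.
UP_OPEN = "up (handshake completed: port open)"
UP_CLOSED = "up (RST received: port closed)"
NO_REPLY = "no TCP reply (host down or probe filtered)"


def classify(err):
    """Map the errno from connect() to a host-discovery verdict.

    0 means the three-way handshake finished. ECONNREFUSED means the
    target answered with a RST, which proves the host is alive even
    though the port is closed. Anything else (timeout, unreachable)
    gives no evidence either way, just like an unanswered ACK/SYN probe.
    """
    if err == 0:
        return UP_OPEN
    if err == errno.ECONNREFUSED:
        return UP_CLOSED
    return NO_REPLY


def tcp_connect_ping(host, port=80, timeout=2.0):
    """Non-root style TCP ping: a plain connect() to a single port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return classify(errno.ETIMEDOUT)
        except OSError as e:
            return classify(e.errno or errno.ETIMEDOUT)
    return classify(0)


def demo_loopback():
    """Ping one listening and one bound-but-not-listening loopback port,
    so both 'host up' outcomes can be observed offline (constructed demo)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    # A bound socket that never calls listen() makes the kernel answer SYNs with RST.
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    try:
        return (tcp_connect_ping("127.0.0.1", listener.getsockname()[1]),
                tcp_connect_ping("127.0.0.1", closed.getsockname()[1]))
    finally:
        listener.close()
        closed.close()
```

Run `demo_loopback()` to see the open-port and closed-port verdicts side by side; a real -PS/-PT probe against an unroutable host would fall into the third category.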

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org
