Nmap Development mailing list archives
Re: what did I miss this time?
From: "R M" <rmtechnet () gmail com>
Date: Sun, 27 Aug 2006 11:33:54 -0400
thanks a lot for clearing that up.

On 8/26/06, Omar Herrera <oherrera () prodigy net mx> wrote:
Nmap's ping is distinguishable from other tools. It sends an ICMP Echo Request package with no data. Here are 2 examples of 2 captured ICMP packets with Wireshark. The first is from a Windows ping and the second is from nmap 4.11 (Windows version, but it has the same behaviour in Linux as far as I know):

---
No. Time     Source          Destination     Protocol Info
1   16:42:59 sss.sss.sss.sss ddd.ddd.ddd.ddd ICMP     Echo (ping) request

Frame 1 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Actionte_52:3b:21 (00:0f:b3:52:3b:21), Dst: NICBrand_xx:xx:xx (xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: sss.sss.sss.sss (sss.sss.sss.sss), Dst: ddd.ddd.ddd.ddd (ddd.ddd.ddd.ddd)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x425c [correct]
    Identifier: 0x0500
    Sequence number: 0x0600
    Data (32 bytes)

0000  61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
0010  71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69   qrstuvwabcdefghi

No. Time     Source          Destination     Protocol Info
2   16:43:14 sss.sss.sss.sss ddd.ddd.ddd.ddd ICMP     Echo (ping) request

Frame 2 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Actionte_52:3b:21 (00:0f:b3:52:3b:21), Dst: NICBrand_xx:xx:xx (xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: sss.sss.sss.sss (sss.sss.sss.sss), Dst: ddd.ddd.ddd.ddd (ddd.ddd.ddd.ddd)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xa564 [correct]
    Identifier: 0xcb78
    Sequence number: 0x8722
---

This has been known for a long time.
There are also snort rules to block nmap's ping:
For example (reference: http://www.iu.hio.no/teaching/materials/MS004A/index.phtml?show=P90.en&week=11):

drop icmp $HONEYNET any -> $EXTERNAL_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

Regards,
Omar Herrera

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]

I finally got a chance to test this with FreeBSD (nmap 4.01) and guess what, it doesn't work for this one host. Regular ping works. So I am forced to assume this host is able to differentiate between a normal ping and an nmap echo request ping. Is this possible??

thanks.

On 8/25/06, R M <rmtechnet () gmail com> wrote:

Unfortunately I don't have immediate access to a Linux or a BSD system now. But I am working on that so that I can test from that too.
And upon getting your reply, I tried the -PE/-sP options on some other hosts. It works for all other hosts which I tried, except this one host!

On 8/25/06, Kris Katterjohn <kjak () ispwest com> wrote:

R M wrote:

hi!
here's something which has been bugging me for some time now.
There is an IP address (public) which I can ping successfully. But when I do an 'nmap -PE' for the same IP, it says 'host seems down'. As expected, a packet capture shows that the -PE option is just sending an echo request (same as what PING is doing).
I am trying this from different XP SP2 machines. Same result. I tried nmap 4.11 as well as 4.01. I also tried the -sP option, with the same outcome.
Is there any way the destination host can know that the icmp echo request is coming from nmap and not from a regular PING and thus blocks the nmap ping??
Sorry for these basic questions. Appreciate any feedback/suggestions you can provide.
thanks, folks.
--Rosh

Have you tried doing this on other platforms like Linux or *BSD?
Have you tried pinging and using the -PE/-sP option on other hosts?

Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
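
The difference between the two captures in the message above, and the two tests the quoted rule applies (`itype: 8`, `dsize: 0`), as an added Python example that is not part of the original thread. The function names are hypothetical, the packets are rebuilt from the field values shown in the captures, and `dsize` is assumed to count the bytes after the 8-byte ICMP header.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def classify_icmp(icmp: bytes) -> str:
    """Apply the rule's two tests to one ICMP message (IP header removed)."""
    if len(icmp) < 8:
        return "truncated"
    icmp_type = icmp[0]
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        return "bad-checksum"
    if icmp_type != 8:            # itype: 8
        return "not-echo-request"
    dsize = len(icmp) - 8         # assumption: dsize = bytes after ICMP header
    if dsize == 0:                # dsize: 0
        return "echo-request-empty"
    return f"echo-request-{dsize}-byte-payload"

# Constructed from the identifier, sequence number and data in the captures.
# 14 (Ethernet) + 20 (IP) + len(message) gives the 74 and 42 byte frames.
WINDOWS_PING = build_echo_request(0x0500, 0x0600,
                                  b"abcdefghijklmnopqrstuvwabcdefghi")
NMAP_PING = build_echo_request(0xCB78, 0x8722)

if __name__ == "__main__":
    for name, pkt in (("windows ping", WINDOWS_PING), ("nmap -PE", NMAP_PING)):
        csum = int.from_bytes(pkt[2:4], "big")
        print(f"{name}: checksum=0x{csum:04x} -> {classify_icmp(pkt)}")
```

The checksums computed for the rebuilt messages match the values Wireshark reported in the captures, which confirms the second packet carries no data at all.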
Current thread:
- what did I miss this time? R M (Aug 25)
- Re: what did I miss this time? Kris Katterjohn (Aug 25)
- Re: what did I miss this time? R M (Aug 25)
- Re: what did I miss this time? R M (Aug 26)
- RE: what did I miss this time? Omar Herrera (Aug 26)
- Re: what did I miss this time? Kris Katterjohn (Aug 26)
- Re: what did I miss this time? R M (Aug 27)
- Re: what did I miss this time? Fyodor (Aug 28)
- Re: what did I miss this time? R M (Aug 29)
- Re: what did I miss this time? R M (Aug 25)
- Re: what did I miss this time? Kris Katterjohn (Aug 25)