Nmap Development mailing list archives

Re: what did I miss this time?

From: "R M" <rmtechnet () gmail com>
Date: Sun, 27 Aug 2006 11:33:54 -0400

thanks a lot for clearing that up.


On 8/26/06, Omar Herrera <oherrera () prodigy net mx> wrote:


Nmap's ping is distinguishable from other tools. It sends an ICMP Echo
Request package with no data.

Here are 2 examples of 2 captured ICMP packets with Wireshark. The first is
from a Windows ping and the second is from nmap 4.11 (Windows version, but
it has the same behaviour in Linux as far as I know):

---
No.     Time     Source                Destination           Protocol Info
  1 16:42:59 sss.sss.sss.sss        ddd.ddd.ddd.ddd          ICMP     Echo
(ping) request
Frame 1 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Actionte_52:3b:21 (00:0f:b3:52:3b:21), Dst:
NICBrand_xx:xx:xx (xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: sss.sss.sss.sss (sss.sss.sss.sss), Dst:
ddd.ddd.ddd.ddd (ddd.ddd.ddd.ddd)
Internet Control Message Protocol
   Type: 8 (Echo (ping) request)
   Code: 0
   Checksum: 0x425c [correct]
   Identifier: 0x0500
   Sequence number: 0x0600
   Data (32 bytes)
0000  61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
0010  71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69   qrstuvwabcdefghi


No.     Time     Source                Destination           Protocol Info
  2 16:43:14 sss.sss.sss.sss        ddd.ddd.ddd.ddd          ICMP     Echo
(ping) request
Frame 2 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Actionte_52:3b:21 (00:0f:b3:52:3b:21), Dst:
NICBrand_xx:xx:xx (xx:xx:xx:xx:xx:xx)
Internet Protocol, Src: sss.sss.sss.sss (sss.sss.sss.sss), Dst:
ddd.ddd.ddd.ddd (ddd.ddd.ddd.ddd)
Internet Control Message Protocol
   Type: 8 (Echo (ping) request)
   Code: 0
   Checksum: 0xa564 [correct]
   Identifier: 0xcb78
   Sequence number: 0x8722
---

This has been known for a long time. There are also snort rules to block
nmap's ping:

For example (reference:
http://www.iu.hio.no/teaching/materials/MS004A/index.phtml?show=P90.en&week=
11):

drop icmp $HONEYNET any -> $EXTERNAL_NET any (msg:"ICMP PING NMAP"; dsize:
0; itype: 8; reference:arachnids,162; classty
pe:attempted-recon; sid:469; rev:1;)

Regards,

Omar Herrera

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]

I finally got a chance to test this with FreeBSD (nmap 4.01)

and guess what, it doesn't work for this one host. Regular ping works.

so I am forced to assume this host is able to differentiate between a
normal ping and an nmap echo request ping. Is this possible ??

thanks.

On 8/25/06, R M <rmtechnet () gmail com> wrote:

Unfortunately I don't have immediate access to a linux or a BSD system
now. But I am working on that so that i can test from that too.

And upon getting your reply, I tried the -PE/-sP options on some other
hosts. It works for all other hosts which I tried, except this one
host !

On 8/25/06, Kris Katterjohn <kjak () ispwest com> wrote:

R M wrote:

hi !

here's something which has been bugging me for sometime now.

There is an IP address (public) which I can ping successfully. But
when I do an 'nmap -PE' for the same IP, it says 'host seems down'.

As

expected, a packet capture shows that the -PE option is just sending
an echo request (same as what PING is doing).

I am trying this from different XP SP2 machines. Same result. I

tried

nmap 4.11 as well as 4.01. I also tried the -sP option, with the

same

outcome.

Is there anyway the destination host can know that the icmp echo
request is coming from nmap and not from a regular PING and thus
blocks the nmap ping??
Sorry for these basic questions.

Appreciate any feedback/suggestions you can provide.

thanks, folks.

--Rosh


Have you tried doing this on other platforms like Linux or *BSD? Have
you tried pinging and using the -PE/-sP option on other hosts?


Kris Katterjohn


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

what did I miss this time? R M (Aug 25)
- Re: what did I miss this time? Kris Katterjohn (Aug 25)
  - Re: what did I miss this time? R M (Aug 25)
    - Re: what did I miss this time? R M (Aug 26)
    - RE: what did I miss this time? Omar Herrera (Aug 26)
    - Re: what did I miss this time? Kris Katterjohn (Aug 26)
    - Re: what did I miss this time? R M (Aug 27)
    - Re: what did I miss this time? Fyodor (Aug 28)
    - Re: what did I miss this time? R M (Aug 29)