Nmap Development mailing list archives

Re: Variety of bugs in nmap-4.20


From: Professor Messer <james () professormesser com>
Date: Tue, 19 Jun 2007 14:39:19 -0400

Chris Drake wrote:
Hi,

I'm running the latest nmap-4.20 built from source
on RedHat AS4 update 4

Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux


1. I specifically ask it to send one ICMP echo request, however, it
   sends none, instead sending only an ARP:


# /usr/bin/nmap -n --packet_trace -sP -PE  123.123.252.164

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:56 UTC
SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
RCVD (0.0390s) ARP reply 123.123.252.164 is-at 00:0C:29:DA:5E:9F
Host 123.123.252.164 appears to be up.
MAC Address: 00:0C:29:DA:5E:9F (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.150 seconds

# ping 123.123.252.164
PING 123.123.252.164 (123.123.252.164) 56(84) bytes of data.
64 bytes from 123.123.252.164: icmp_seq=0 ttl=64 time=5.16 ms
64 bytes from 123.123.252.164: icmp_seq=1 ttl=64 time=0.717 ms

This is normal for the Nmap ping process. If an IP address is recognized 
to be on the same IP subnet, Nmap's ping process defaults to an ARP, 
regardless of the ping type specified. Your ICMP echo request ping (-PE) 
was automatically changed to an ARP ping (-PR).

Nmap also recognized that you just found the device up and running with 
the default ARP ping, so it ignored the seemingly redundant ping scan (-sP).

It might still be useful to send an ICMP echo request (-sP), even if a 
local-subnet ARP ping (-PR) finds the station to be available. This 
might help determine if a personal firewall could be running on the 
remote device.

2. I attempt to send a single UDP packet, but
   2a - it sends 2 packets
   2b - it parses the --host_timeout switch wrongly (curious: works OK
        on a "RedHat AS4u4 "full" non-SELinux install, but fails on a
        vmware RedHat AS4u4 "minimal" SELinux install.)

# /usr/bin/nmap -n --packet_trace -P0 -sU -p 53  --host_timeout 5000 --data_length 1 203.123.123.131
host-timeout is given in milliseconds, so you specified less than 15 seconds (0ms). This is allowed but not recommended.

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:59 UTC
SENT (0.0380s) UDP 123.123.252.162:48152 > 203.123.123.131:53 ttl=48 id=52931 iplen=29 
SENT (1.0470s) UDP 123.123.252.162:48153 > 203.123.123.131:53 ttl=42 id=51814 iplen=29 
Interesting ports on 203.123.123.131:
Unable to find nmap-services!  Resorting to /etc/services
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 2.130 seconds
[root@vm4-DidTheyReadIt bin]# 

This looks to be working properly. Nmap sent a UDP frame, didn't get a 
response (which is pretty normal for UDP scans), and Nmap tried again 
just to make sure it didn't miss anything.

The --host-timeout refers to the amount of time that Nmap will wait 
before "giving up" on a host scan. If you were scanning a lot of hosts, 
you might want to hurry things along by limiting every host to scan for 
30 seconds and then stop regardless of your process. Five seconds 
(5000ms) is pretty small, and Nmap told you so. The default is 0, which 
means that Nmap won't ever stop a scan based on time.

If you use --max_retries and limit the retry count to 0, it'll send a 
single UDP frame and then finish.

3. (Cosmetic) It tells me to use -P0 when I'm already using -P0

# /usr/bin/nmap -P0 -n --packet_trace -sP -PE  123.123.252.163

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:57 UTC
SENT (0.0610s) ARP who-has 123.123.252.163 tell 123.123.252.162
SENT (0.1700s) ARP who-has 123.123.252.163 tell 123.123.252.162
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.320 seconds

Your command line is a bit contradictory, since you've asked not to send 
an Nmap ping (-P0) but also requested an ICMP echo request ping (-PE). 
Nmap accepts your second option, overriding the first -P0 request.

So, as it turns out, you didn't _really_ specify -P0. If you remove the 
-PE option, you'll find that Nmap maintains its link between the Nmap 
ping and the ping scan with this error message:

"-P0 (skip ping) is incompatable(sic) with -sP (ping scan).  If you only 
want to enumerate hosts, try list scan (-sL)"


James "Professor" Messer
Author, "Secrets of Network Cartography: A Comprehensive Guide to Nmap"
http://www.ProfessorMesser.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
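The point the reply makes in items 1 and 2 is that the --packet_trace output, not the command line, shows what Nmap actually sent: an ARP probe replaces the requested -PE for a target on the scanner's own subnet, and a second UDP SENT line to the same port is a retransmission rather than a bug. The following script is an added example, not code from this thread or from the Nmap project: it parses trace lines of the shapes shown above, counts the probes Nmap sent per target, and checks whether a target shares the scanner's subnet. The sample trace lines are constructed from the thread, and the /24 prefix length is an assumption (Nmap reads the real mask from the interface).

```python
"""Summarise what Nmap really sent, from --packet_trace output.

Added example, not from the original thread or from Nmap itself.  The
regexes, helper names and the /24 prefix length are my own assumptions;
the trace lines are constructed to match the shapes seen in the thread.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: an ARP ping of a local-subnet host, then one UDP/53
# probe with a single retransmission, mirroring the two traces in the thread.
SAMPLE_TRACE = """\
SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
RCVD (0.0390s) ARP reply 123.123.252.164 is-at 00:0C:29:DA:5E:9F
SENT (0.0380s) UDP 123.123.252.162:48152 > 203.123.123.131:53 ttl=48 id=52931 iplen=29
SENT (1.0470s) UDP 123.123.252.162:48153 > 203.123.123.131:53 ttl=42 id=51814 iplen=29
"""

# "ARP who-has <target> tell <src>" and "ARP reply <target> is-at <mac>"
ARP_RE = re.compile(
    r"^(SENT|RCVD) \((?P<t>[\d.]+)s\) ARP (?:who-has|reply) (?P<target>\d+\.\d+\.\d+\.\d+)"
)
# "<PROTO> <src>:<sport> > <dst>:<dport> ..."
IP_RE = re.compile(
    r"^(SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<proto>UDP|TCP|ICMP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def parse_trace(text):
    """Turn --packet_trace lines into event dicts; lines that are not probes are skipped."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            events.append({"dir": m.group(1), "t": float(m.group("t")),
                           "proto": "ARP", "target": m.group("target"), "port": None})
            continue
        m = IP_RE.match(line)
        if m:
            events.append({"dir": m.group(1), "t": float(m.group("t")),
                           "proto": m.group("proto"), "target": m.group("dst"),
                           "port": int(m.group("port"))})
    return events


def sent_counts(events):
    """Count SENT probes per (target, proto, port); more than 1 means Nmap retried."""
    return Counter((e["target"], e["proto"], e["port"])
                   for e in events if e["dir"] == "SENT")


def is_local_subnet(scanner_ip, prefixlen, target):
    """True when target shares the scanner's subnet, the case in which Nmap
    substitutes an ARP probe for the requested -P* probe (prefixlen assumed)."""
    net = ipaddress.ip_network(f"{scanner_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(target) in net


def explain(events, scanner_ip, prefixlen):
    """One line per target naming the probe type actually sent and why."""
    lines = []
    for (target, proto, port), n in sorted(sent_counts(events).items()):
        if proto == "ARP":
            reason = ("on the local subnet, so the -P* probe was replaced by ARP"
                      if is_local_subnet(scanner_ip, prefixlen, target)
                      else "ARP sent to an off-subnet target (unexpected)")
        else:
            reason = (f"{proto}/{port} probe sent {n} time(s), {n - 1} retransmission(s); "
                      "use --max_retries 0 to send exactly one")
        lines.append(f"{target}: {n} {proto} probe(s); {reason}")
    return lines


if __name__ == "__main__":
    for line in explain(parse_trace(SAMPLE_TRACE), "123.123.252.162", 24):
        print(line)
```

Feed it a real trace with `nmap --packet_trace ... | python3 trace_summary.py` style redirection once the sample constant is replaced by `sys.stdin.read()`; the per-target counts make it easy to confirm that a "single probe" scan really sent one packet, and that a local-subnet target was reached by ARP rather than by the ICMP probe the command line asked for.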
