Nmap Development mailing list archives

ip proto 0xff in syn pckts on ADSL connection


From: jfhorn <jfhorn () gmail com>
Date: Tue, 4 Nov 2008 11:01:55 -0500

I'm looking for some insight into an issue (a bug, possibly with nmap)
involving the most recent nmap (4.76), Windows (XP SP2), WinPcap
(4.02), and a modem/dial-up adapter.

PROBLEM: When attempting a TCP connect scan (-sT) to port 80 on
www.google.com over dial-up, the system emits packets correctly, *but*
when attempting to SYN scan (-sS) port 80 on www.google.com, the
system emits packets with the IP protocol type set to 0xFF.


Running the same scans with "--packet-trace" indicates nmap intends to
send TCP packets with the SYN (S) flag set, but again, Wireshark shows
the protocol type set to "0xFF" rather than "0x06" and the scan fails.
------------------------
nmap-4.76>nmap -sS --packet-trace -P0 -p 80 www.google.com
...
SENT (0.4070s) TCP 209.163.118.135:51562 > 208.67.217.230:80 S ttl=41
id=27446 iplen=44  seq=3476152143 win=2048 <mss 1460>
SENT (1.4220s) TCP 209.163.118.135:51563 > 208.67.217.230:80 S ttl=49
id=31325 iplen=44  seq=3476086606 win=2048 <mss 1460>
Interesting ports on google.navigation.opendns.com (208.67.217.230):
PORT   STATE    SERVICE
80/tcp filtered http
------------------------

If I scan my internal network using the ethernet adapter built into
the same machine, SYN and connect scans execute as expected,
indicating this bug may involve an interaction with the dial-up
adapter like the reported ADSL modem issue referenced below.

I already understand the connect scan uses the operating system's
connect call instead of manually crafting SYN packets, but how do we
chase down the bug in SYN packet generation?

It seems as if others have reported this issue in the past (2007), but
no resolution has ever been posted or proposed, and the ultimate
source of the bug (Windows vs. nmap vs. WinPcap vs ?) has never been
investigated.

I can provide the pcap of these sessions if anyone needs to verify my
analysis, but I'm pretty sure the capture won't point out the source
of this bug.

Thanks!


-------------------------------------------------
Related (unanswered) nmap-dev postings:
-------------------------------------------------
http://seclists.org/nmap-dev/2007/q2/0347.html
Subject: nmap bug? - ip proto 0xff in syn pckts on ADSL connection
From: google <stanilewicz_at_gmail.com>
Date: Tue, 5 Jun 2007 11:28:37 +0200

I'm running XP SP1 machine (build 2600), and my connection is through
ADSL SpeedTouch 330 modem (latest drivers). I used also cFosSpeed
driver and wipfw firewall, but after uninstallation the problem remained
the same. I also tried to downgrade winpcap from 4.0 to 3.1.

Nmap sends packets with 0xff as IP protocol (offset 0x17 in the whole
packet), when it checks hosts for being up, AND when it scans with SYN
scan (by default).

So I have to use ALWAYS -sT -P0 options, then nmap works.

BUT.... on THE SAME MACHINE, I have also Ethernet card, and when I
connect through it, NMAP works correctly, and packets are formed OK.

-------------------------------------------------

Similar bug report here from 11 December 2006:
http://www.nabble.com/Nmap-4.20-bug-td7801465.html

-------------------------------------------------



-------------------------------------------------
ADDITIONAL SCAN INFORMATION AND OUTPUT
-------------------------------------------------
C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -V

Nmap version 4.76 ( http://nmap.org )

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sS -P0 -p 80
www.google.com

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:14 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.231.
Interesting ports on google.navigation.opendns.com (208.67.217.231):
PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 6.08 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sT -P0 -p 80
www.google.com

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:14 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.231.
Interesting ports on google.navigation.opendns.com (208.67.217.231):
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sS
--packet-trace -P0 -p 80 www.google.com

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:15 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.230.
NSOCK (0.2190s) msevent_new (IOD #1) (EID #8)
NSOCK (0.2190s) UDP connection requested to 209.163.108.67:53 (IOD #1) EID 8
NSOCK (0.2190s) msevent_new (IOD #1) (EID #18)
NSOCK (0.2190s) Read request from IOD #1 [209.163.108.67:53] (timeout:
-1ms) EID 18
NSOCK (0.2190s) msevent_new (IOD #2) (EID #24)
NSOCK (0.2190s) UDP connection requested to 209.163.108.78:53 (IOD #2) EID 24
NSOCK (0.2190s) msevent_new (IOD #2) (EID #34)
NSOCK (0.2190s) Read request from IOD #2 [209.163.108.78:53] (timeout:
-1ms) EID 34
NSOCK (0.2350s) msevent_new (IOD #3) (EID #40)
NSOCK (0.2350s) UDP connection requested to 208.67.220.220:53 (IOD #3) EID 40
NSOCK (0.2350s) msevent_new (IOD #3) (EID #50)
NSOCK (0.2350s) Read request from IOD #3 [208.67.220.220:53] (timeout:
-1ms) EID 50
NSOCK (0.2350s) msevent_new (IOD #4) (EID #56)
NSOCK (0.2350s) UDP connection requested to 208.67.222.222:53 (IOD #4) EID 56
NSOCK (0.2350s) msevent_new (IOD #4) (EID #66)
NSOCK (0.2350s) Read request from IOD #4 [208.67.222.222:53] (timeout:
-1ms) EID 66
NSOCK (0.2350s) msevent_new (IOD #5) (EID #72)
NSOCK (0.2350s) UDP connection requested to 192.168.200.12:53 (IOD #5) EID 72
NSOCK (0.2350s) msevent_new (IOD #5) (EID #82)
NSOCK (0.2350s) Read request from IOD #5 [192.168.200.12:53] (timeout:
-1ms) EID 82
NSOCK (0.2350s) msevent_new (IOD #1) (EID #91)
NSOCK (0.2350s) Write request for 45 bytes to IOD #1 EID 91
[209.163.108.67:53]: .............230.217.67.208.in-addr.arpa.....
NSOCK (0.2350s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.2350s) wait_for_events
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 72 [192.168.200.12:53]
NSOCK (0.2350s) msevent_delete (IOD #5) (EID #72)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 56 [208.67.222.222:53]
NSOCK (0.2350s) msevent_delete (IOD #4) (EID #56)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 40 [208.67.220.220:53]
NSOCK (0.2350s) msevent_delete (IOD #3) (EID #40)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 24 [209.163.108.78:53]
NSOCK (0.2350s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.2350s) Callback: CONNECT SUCCESS for EID 8 [209.163.108.67:53]
NSOCK (0.2350s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.2350s) Callback: WRITE SUCCESS for EID 91 [209.163.108.67:53]
NSOCK (0.2350s) msevent_delete (IOD #1) (EID #91)
NSOCK (0.2350s) wait_for_events
NSOCK (0.3600s) Callback: READ SUCCESS for EID 18 [209.163.108.67:53]
(148 bytes)
NSOCK (0.3600s) msevent_new (IOD #1) (EID #98)
NSOCK (0.3600s) Read request from IOD #1 [209.163.108.67:53] (timeout:
-1ms) EID 98
NSOCK (0.3600s) msevent_delete (IOD #1) (EID #98)
NSOCK (0.3600s) msevent_delete (IOD #2) (EID #34)
NSOCK (0.3600s) msevent_delete (IOD #3) (EID #50)
NSOCK (0.3600s) msevent_delete (IOD #4) (EID #66)
NSOCK (0.3600s) msevent_delete (IOD #5) (EID #82)
NSOCK (0.3600s) msevent_delete (IOD #1) (EID #18)
SENT (0.4070s) TCP 209.163.118.135:51562 > 208.67.217.230:80 S ttl=41
id=27446 iplen=44  seq=3476152143 win=2048 <mss 1460>
SENT (1.4220s) TCP 209.163.118.135:51563 > 208.67.217.230:80 S ttl=49
id=31325 iplen=44  seq=3476086606 win=2048 <mss 1460>
Interesting ports on google.navigation.opendns.com (208.67.217.230):
PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>nmap -sT
--packet-trace -P0 -p 80 www.google.com

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-04 14:15 GMT Standard Time
Warning: Hostname www.google.com resolves to 2 IPs. Using 208.67.217.230.
NSOCK (0.0940s) msevent_new (IOD #1) (EID #8)
NSOCK (0.0940s) UDP connection requested to 209.163.108.67:53 (IOD #1) EID 8
NSOCK (0.0940s) msevent_new (IOD #1) (EID #18)
NSOCK (0.0940s) Read request from IOD #1 [209.163.108.67:53] (timeout:
-1ms) EID 18
NSOCK (0.0940s) msevent_new (IOD #2) (EID #24)
NSOCK (0.0940s) UDP connection requested to 209.163.108.78:53 (IOD #2) EID 24
NSOCK (0.0940s) msevent_new (IOD #2) (EID #34)
NSOCK (0.0940s) Read request from IOD #2 [209.163.108.78:53] (timeout:
-1ms) EID 34
NSOCK (0.0940s) msevent_new (IOD #3) (EID #40)
NSOCK (0.0940s) UDP connection requested to 208.67.220.220:53 (IOD #3) EID 40
NSOCK (0.0940s) msevent_new (IOD #3) (EID #50)
NSOCK (0.0940s) Read request from IOD #3 [208.67.220.220:53] (timeout:
-1ms) EID 50
NSOCK (0.1100s) msevent_new (IOD #4) (EID #56)
NSOCK (0.1100s) UDP connection requested to 208.67.222.222:53 (IOD #4) EID 56
NSOCK (0.1100s) msevent_new (IOD #4) (EID #66)
NSOCK (0.1100s) Read request from IOD #4 [208.67.222.222:53] (timeout:
-1ms) EID 66
NSOCK (0.1100s) msevent_new (IOD #5) (EID #72)
NSOCK (0.1100s) UDP connection requested to 192.168.200.12:53 (IOD #5) EID 72
NSOCK (0.1100s) msevent_new (IOD #5) (EID #82)
NSOCK (0.1100s) Read request from IOD #5 [192.168.200.12:53] (timeout:
-1ms) EID 82
NSOCK (0.1100s) msevent_new (IOD #1) (EID #91)
NSOCK (0.1100s) Write request for 45 bytes to IOD #1 EID 91
[209.163.108.67:53]: .............230.217.67.208.in-addr.arpa.....
NSOCK (0.1100s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.1100s) wait_for_events
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 72 [192.168.200.12:53]
NSOCK (0.1100s) msevent_delete (IOD #5) (EID #72)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 56 [208.67.222.222:53]
NSOCK (0.1100s) msevent_delete (IOD #4) (EID #56)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 40 [208.67.220.220:53]
NSOCK (0.1100s) msevent_delete (IOD #3) (EID #40)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 24 [209.163.108.78:53]
NSOCK (0.1100s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.1100s) Callback: CONNECT SUCCESS for EID 8 [209.163.108.67:53]
NSOCK (0.1100s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.1100s) Callback: WRITE SUCCESS for EID 91 [209.163.108.67:53]
NSOCK (0.1100s) msevent_delete (IOD #1) (EID #91)
NSOCK (0.1100s) wait_for_events
NSOCK (0.2190s) Callback: READ SUCCESS for EID 18 [209.163.108.67:53]
(148 bytes)
NSOCK (0.2190s) msevent_new (IOD #1) (EID #98)
NSOCK (0.2190s) Read request from IOD #1 [209.163.108.67:53] (timeout:
-1ms) EID 98
NSOCK (0.2190s) msevent_delete (IOD #1) (EID #98)
NSOCK (0.2190s) msevent_delete (IOD #2) (EID #34)
NSOCK (0.2190s) msevent_delete (IOD #3) (EID #50)
NSOCK (0.2190s) msevent_delete (IOD #4) (EID #66)
NSOCK (0.2190s) msevent_delete (IOD #5) (EID #82)
NSOCK (0.2190s) msevent_delete (IOD #1) (EID #18)
CONN (0.2190s) TCP localhost > 208.67.217.230:80 => Unknown error
Interesting ports on google.navigation.opendns.com (208.67.217.230):
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

C:\Documents and Settings\client2\Desktop\nmap-4.76>ipconfig /all

Windows IP Configuration

       Host Name . . . . . . . . . . . . : XXXXXX
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Unknown
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : XXXXXXXX.net

Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : XXXXXXXX.net
       Description . . . . . . . . . . . : Broadcom NetXtreme 57xx
Gigabit Controller
       Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
       Dhcp Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 192.168.200.112
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 192.168.200.1
       DHCP Server . . . . . . . . . . . : 192.168.200.11
       DNS Servers . . . . . . . . . . . : 192.168.200.12
                                           208.67.222.222
                                           208.67.220.220
       Lease Obtained. . . . . . . . . . : Tuesday, November 04, 2008 2:03:47 PM
       Lease Expires . . . . . . . . . . : Wednesday, November 05,
2008 2:03:47 PM

PPP adapter {9F8E9972-4524-4531-9CFD-ED81FD62F517}:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
       Physical Address. . . . . . . . . : 00-53-45-00-00-00
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 209.163.118.135
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . : 209.163.118.135
       DNS Servers . . . . . . . . . . . : 209.163.108.78
                                           209.163.108.67
       NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : FF-FF-FF-FF-FF-FF-FF-FF
       Dhcp Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%4
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\client2\Desktop\nmap-4.76>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...XX XX XX XX XX XX ...... Broadcom NetXtreme 57xx Gigabit
Controller - Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         0.0.0.0          0.0.0.0    192.168.200.1  192.168.200.112      11
         0.0.0.0          0.0.0.0  209.163.118.135  209.163.118.135      1
       127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.0.0      255.255.0.0  192.168.200.112  192.168.200.112      10
 192.168.200.112  255.255.255.255        127.0.0.1       127.0.0.1       10
 192.168.200.255  255.255.255.255  192.168.200.112  192.168.200.112      10
  209.163.112.33  255.255.255.255  209.163.118.135  209.163.118.135      1
 209.163.118.135  255.255.255.255        127.0.0.1       127.0.0.1       50
 209.163.118.255  255.255.255.255  209.163.118.135  209.163.118.135      50
       224.0.0.0        240.0.0.0  192.168.200.112  192.168.200.112      10
       224.0.0.0        240.0.0.0  209.163.118.135  209.163.118.135      1
 255.255.255.255  255.255.255.255  192.168.200.112  192.168.200.112      1
 255.255.255.255  255.255.255.255  209.163.118.135  209.163.118.135      1
Default Gateway:   209.163.118.135
===========================================================================
Persistent Routes:
 None

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
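An added example, not code from the original post or from the nmap project: a Python script that reports the IPv4 protocol byte of each frame in a classic pcap (or of a frame handed to it directly), so a capture like the one offered above can be checked for the 0xFF symptom without opening Wireshark. It assumes a 14-byte Ethernet II link header when it reports the 0x17 frame offset named in the quoted 2007 report; the addresses, frames and the in-memory pcap container are constructed sample data, and the broken frame is produced deliberately by setting the protocol byte to 0xFF.

```python
"""Added example: verify the IPv4 protocol byte of captured SYN frames.

Not code from the nmap project or from the posters; it reproduces the
symptom described above (protocol byte 0xFF instead of 0x06) on constructed
frames so the check can be exercised offline.
"""
import struct

ETH_HDR_LEN = 14        # assumption: Ethernet II link header (DLT_EN10MB)
IP_PROTO_OFFSET = 9     # protocol byte inside the IPv4 header (RFC 791)
IPPROTO_TCP = 0x06
TCP_SYN = 0x02
# pcap link types handled here -> bytes of link header before the IP header
DLT_LINK_LEN = {0: 4, 1: 14, 12: 0, 101: 0}   # NULL, EN10MB, RAW, RAW (alt)


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_frame(src: str, dst: str, sport: int, dport: int,
                    proto: int = IPPROTO_TCP) -> bytes:
    """Construct an Ethernet/IPv4/TCP SYN frame (sample data, not a capture).

    `proto` defaults to TCP; pass 0xFF to mimic the broken frames reported.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      5 << 4, TCP_SYN, 2048, 0, 0)          # 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def inspect_frame(frame: bytes, link_len: int = ETH_HDR_LEN) -> dict:
    """Report the IPv4 protocol byte, its absolute offset in the frame, whether
    the header checksum verifies, and whether the payload is a TCP SYN.

    With a 14-byte Ethernet header the protocol byte sits at frame offset
    0x17, the offset the quoted report names; pass link_len=0 for a raw-IP
    capture.
    """
    ip = frame[link_len:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[IP_PROTO_OFFSET]
    info = {
        "proto": proto,
        "proto_offset": link_len + IP_PROTO_OFFSET,
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "is_tcp_syn": False,
    }
    if proto == IPPROTO_TCP:
        flags = ip[ihl + 13]                      # TCP flags byte
        info["is_tcp_syn"] = (flags & 0x3F) == TCP_SYN
    return info


def make_pcap(frames, linktype: int = 1) -> bytes:
    """Wrap frames in a little-endian classic pcap container (offline test data)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data: bytes):
    """Yield (link_len, frame) for each record of an in-memory classic pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    link_len = DLT_LINK_LEN[linktype]
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        pos += 16
        yield link_len, data[pos:pos + incl_len]
        pos += incl_len


def non_tcp_records(data: bytes) -> list:
    """Indices of pcap records whose IPv4 protocol byte is not 0x06."""
    return [i for i, (link_len, frame) in enumerate(iter_pcap(data))
            if inspect_frame(frame, link_len)["proto"] != IPPROTO_TCP]


if __name__ == "__main__":
    good = build_syn_frame("209.163.118.135", "208.67.217.230", 51562, 80)
    bad = build_syn_frame("209.163.118.135", "208.67.217.230", 51563, 80, proto=0xFF)
    for f in (good, bad):
        print(inspect_frame(f))
    print("records with a bad protocol byte:", non_tcp_records(make_pcap([good, bad])))
```

To run it against a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `non_tcp_records`; the DLT_LINK_LEN map only covers the link types listed, so a capture taken on the PPP adapter with a different link type (an assumption about what WinPcap reports there, not something the post states) needs its header length added to that map first.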

