Re: Traceroute failure from SVN 15553 on OSX 10.5.8

[Tom Sellers <nmap () fadedcode net>]

David Fifield wrote:
> On Thu, Sep 24, 2009 at 06:13:00AM -0500, Tom Sellers wrote:
> > David Fifield wrote:
> > > Thank you for this report. Does the attached patch fix the problem? It
> > > may be that OS detection is wrongly detecting a distance of 0 for one of
> > > the hosts (whichever follows 192.168.0.253). The traceroute should
> > > always start with a TTL of 1 at the minimum.

> > David - The only host with a legitimate 0 value should be localhost right?
>
> Yes, but, it's possible for the OS detection distance estimation to be
> fooled when intermediate devices fool with TTLs or when routes are not
> parallel. For example, if you send a UDP probe with a TTL of 50, and and
> you get back an ICMP port unreachable containing the UDP packet with a
> TTL of 45, we estimate that there are five hops to the target. That's
> assuming that every router decrements the TTL as it should. If one of
> them doesn't, or if it resets it to some fixed value, the calculation
> will be off. If the ICMP port unreachable comes back with an
> encapsulated TTL of 50, it will look like a distance of 0.
>
> We used to get OS fingerprint submissions with negative claimed
> distances until we made such fingerprints invalid. If you look at recent
> OS fingerprints you'll see that they have a DC (for "distance
> calculation") test that indicates how much to trust the distance. The
> possibilities are DC=L for localhost, DC=D for a direct subnet
> connection, DC=I for an ICMP TTL calculation, and DC=T for a traceroute
> count.

Thanks for the info!

> > Chris - What is the IP the scanning machine?
>
> According to the packet trace it's 192.168.86.3

Wow, after looking back at that packet trace it was pretty obvious.. doh!

Tom






_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org