Nmap Development mailing list archives
Nmap ICMP Scan Technical Question
From: Andrew Morrison via dev <dev () nmap org>
Date: Wed, 27 May 2020 14:48:08 +0000 (UTC)
I have a technical question on how Nmap uses different ICMP ping and probe types to return information on remote hosts that I hope you would do me a huge favor in answering. I was recently running a segmentation test (authorized, of course) to prepare for a PCI assessment and I've found that this particular network has been hardened against using an Idle scan (I tried to use a shared-service anti-virus managment server open to both CDE and non-CDE networks as the zombie) by a stateful firewall, so I went to look for more scanning options. I've read about the PP and PM switches before, but I've actually never used it because other scan techniques usually got me the information I was looking for. Let's say my scan command was: nmap -PE -PP -PM -oN ICMP-discovery-probes -iL in-scope.txt I understand the -PP switch can return the local timestamp on the remote host and the -PM switch can return the netmask of said remote host. I know I'm scanning Windows machines, so I expected to see ports like 135, 445 and such open if a scan was successful, and I did see those, among many others, but it didn't return so many open ports that I can safely assume some firewall or other device is affecting the scan output or filtering the requests. The scan even returned some ports that were explicitly closed. See an excerpt:21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 135/tcp open msrpc 445/tcp open microsoft-ds 1100/tcp open mctp2006/tcp closed invokator 2191/tcp closed tvbus 2800/tcp closed acc-raid 3389/tcp open ms-wbt-server 8192/tcp open sophos 8193/tcp open sophos 8194/tcp open sophos 8400/tcp open cvd 8402/tcp open abarsd 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown When reading through your host discovery man page on the Nmap website, the section under ICMP Ping Types only says that code 14 and 18 probes "discloses that the host is available". So my question is: I don't understand how Nmap leverages the ICMP probes to identify these open ports. I was under the assumption that ICMP sends a specific code and expects a specific response code from the remote host. Can you perhaps shed a little light on this one? Andrew@enoire3
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Nmap ICMP Scan Technical Question Andrew Morrison via dev (Jun 13)
- Re: Nmap ICMP Scan Technical Question Daniel Miller (Jun 18)
- <Possible follow-ups>
- Re: Nmap ICMP Scan Technical Question Andrew Morrison via dev (Jun 26)
- Re: Nmap ICMP Scan Technical Question Robin Wood (Jun 26)