Nmap Development mailing list archives

Re: Deny/Reject patch


From: Guillaume Valadon <guillaume () valadon net>
Date: Thu, 25 Oct 2001 20:17:25 +0200

re,

As seen in pen-test mailing list several weeks ago some people find it
useful to know the kind of icmp unreachable we eventually got in
response.

Agreed.  It is also useful to know the IP address which the
unreachable came from.

I think it's not as trivial as the first patch I submitted but I am
working on it :*)

It seems to be a deeper change to nmap as actually we can 'only' store
state of port and other information but not an IP address.

I don't know how to output the information correctly ...

We can print when we receive the icmp from the target
Port       State       Service
1/tcp      Net Unr.    tcpmux                  

and if it was from another host :
Port       State                       Service
1/tcp      Net Unr. from 192.168.0.5   tcpmux

Please give me ideas :*)

By the way, I have a question: why is the lamer udp scan gone?

[..]
http://lists.insecure.org/bugtraq/2001/Oct/0140.html :).  On Solaris
it is even less of a problem.

Is this the good link? (or I didn't understand ...)

On Solaris, ipf and firewall-1 may
send different "destination prohibited by filter" ICMP messages. 

A strange thing with my FreeBSD 4.1.1 and ipfilter, I receive two
different icmp unreachable. If I send a packet to a closed port and to
a reject port by ipfilter ...

I made some experiments several weeks ago on firewalls fingerprinting
(that is in fact icmp fingerprinting), and I think that we can get
useful information from those icmp unreachable packets. But as you
notice, there are some problems.

I didn't think of this as a "real" fingerprint, but more than "hey, I
got an icmp unr. and I can learn you something without sending more
packets so let me explain" (in fact we must also add sound support to
nmap, if it talks to us :*)

bye,
guillaume
-- 
mailto:guillaume () valadon net
ICQ uin : 1752110

Page ouebe : http://guillaume.valadon.net

     "Everybody be cool. You be cool" - Seth Gecko

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
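
The output format discussed in the message above, as an added example that is not part of the original post or of Nmap's code: it parses an IPv4 ICMP destination-unreachable, labels the code, and appends "from <address>" only when the sender differs from the probed host. The function names, the labels other than "Net Unr." and the sample packet are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (checksums zeroed): router 192.168.0.5 reports net
 * unreachable for a TCP probe sent from 10.0.0.2 to 192.168.0.9 port 1. */
static uint8_t sample[] = {
    0x45,0,0,0x38, 0,0,0,0, 0x40,1,0,0, 192,168,0,5, 10,0,0,2, /* outer IP   */
    3,0,0,0, 0,0,0,0,                                          /* ICMP 3/0   */
    0x45,0,0,0x28, 0,0,0,0, 0x40,6,0,0, 10,0,0,2, 192,168,0,9, /* quoted IP  */
    0xc0,0,0,1, 0,0,0,0 };                                     /* quoted TCP */

/* Short labels for ICMP type 3 codes; only "Net Unr." comes from the mail. */
static const char *unr_label(uint8_t code) {
    switch (code) {
    case 0:  return "Net Unr.";
    case 1:  return "Host Unr.";
    case 2:  return "Proto Unr.";
    case 3:  return "Port Unr.";
    case 9: case 10: case 13: return "Admin Prohib.";
    default: return "Unreachable";
    }
}

/* Fill `out` with the State column for an IPv4 ICMP destination-unreachable.
 * Returns 0 on success, -1 if the buffer is not a well-formed type 3 message. */
int unreach_state(const uint8_t *pkt, size_t len, char *out, size_t outlen) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 + 20 || pkt[9] != 1) return -1; /* 1 = ICMP */
    const uint8_t *icmp = pkt + ihl, *quoted = icmp + 8;
    if (icmp[0] != 3 || (quoted[0] >> 4) != 4) return -1;
    char src[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, pkt + 12, src, sizeof src)) return -1;
    /* The quoted header's destination is the host we probed: if the ICMP
     * sender differs, a router or filter in the path answered for it. */
    if (memcmp(pkt + 12, quoted + 16, 4) == 0)
        snprintf(out, outlen, "%s", unr_label(icmp[1]));
    else
        snprintf(out, outlen, "%s from %s", unr_label(icmp[1]), src);
    return 0;
}

int main(void) {
    char state[64];
    if (unreach_state(sample, sizeof sample, state, sizeof state) == 0)
        printf("%-10s %-27s %s\n", "1/tcp", state, "tcpmux");
    return 0;
}
```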


