Nmap Development mailing list archives
nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency
From: "Tom H" <tom () scriptsupport co uk>
Date: Wed, 30 Jul 2003 23:59:17 +0100
Hi,

I was watching an ethereal trace of the win32 command line nmap v3.30, while I was scanning a local network for open rpc ports using the following command:

C:\>nmap -v -p 135 10.0.0.1/24

and noticed that during the scan, nmap sends 2 packets with a destination address of 11.0.0.3, and that these packets are echo replies. The first is sent almost immediately and the next approximately 12 seconds later. A whois lookup shows that the netblock is owned by Defense Intelligence Agency, Washington, DC, which is interesting, to say the least.

I tested this on a linux box, and the same packets were not observed, so this seems to be a win32 version issue. I also repeated this experiment a number of times on windows 2000 hosts and noticed the same packets produced.

So what's going on there then? I've included the information about the packet and the whois result below.

Cheers
T

DUMP FROM FIREWALL OF THE PACKET INFORMATION

File Version : 5.00.2195.6717
File Description : NT Kernel & System
File Path : C:\WINNT\system32\ntoskrnl.exe
Process ID : 8 (Heximal) 8 (Decimal)
Connection origin : local initiated
Protocol : ICMP
Local Address : 10.0.0.3
ICMP Type : 0 (Echo Reply)
ICMP Code : 0
Remote Name :
Remote Address : 11.0.0.3

Ethernet packet details:
Ethernet II (Packet Length: 42)
  Destination: 00-90-d0-85-97-22
  Source: 00-01-02-dc-8b-3e
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: 0x1 (ICMP - Internet Control Message Protocol)
  Header checksum: 0x8c23 (Correct)
  Source: 10.0.0.3
  Destination: 11.0.0.3
Internet Control Message Protocol
  Type: 0 (Echo Reply)
  Code: 0
  Data (4 bytes)

Binary dump of the packet:
0000: 00 90 D0 85 97 22 00 01 : 02 DC 8B 3E 08 00 45 00 | .....".....>..E.
0010: 00 1C 02 50 00 00 80 01 : 23 8C 0A 00 00 03 0B 00 | ...P....#.......
0020: 00 03 00 00 08 3F CB 6C : 2C 54                   | .....?.l,T

WHOIS LOOKUP OF THE IP ADDRESS

$whois 11.0.0.3
DoD Intel Information Systems (NET-DODIIS)
   Defense Intelligence Agency
   Washington, DC 20301
   US

   Netname: DODIIS
   Netblock: 11.0.0.0 - 11.255.255.255
   Maintainer: DNIC

   Coordinator:
      DoD, Network (MIL-HSTMST-ARIN) HOSTMASTER () nic mil
      (703) 676-1051
      (800) 365-3642 (FAX) (703) 676-1749

   Record last updated on 26-Sep-1998.
   Database last updated on 23-Aug-2002 16:56:03 EDT.

The information in this WHOIS database is current as of August 23, 2002, and has been retained for historical purposes only. For the most current information, query whois.arin.net or visit http://whois.arin.net.

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
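The firewall dump above is enough to decode the frame by hand and to check the claims the dump makes about it. The following is an added example for this archive page, not part of Tom's post and not nmap code: it takes the 42 hex bytes exactly as printed in the post, parses the Ethernet II, IPv4 and ICMP headers, verifies both Internet checksums (RFC 1071), and includes a small defender-side helper that flags an Echo Reply for which no matching Echo Request was observed. All function names and the `requests_seen` tuple layout are this example's own.

```python
"""Decode the 42-byte frame from the firewall dump and verify its checksums.

Added example for this archive page; not part of the original post and not
nmap code. The hex bytes are copied from the post's binary dump; every
function and field name below is the example's own.
"""
import struct

# The three dump lines from the post, joined; offsets, ':' and ASCII column dropped.
FRAME_HEX = (
    "00 90 D0 85 97 22 00 01 02 DC 8B 3E 08 00 45 00 "
    "00 1C 02 50 00 00 80 01 23 8C 0A 00 00 03 0B 00 "
    "00 03 00 00 08 3F CB 6C 2C 54"
)
FRAME = bytes.fromhex(FRAME_HEX)

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Run over a header that
    already contains its checksum field, it returns 0 when the checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(b: bytes) -> str:
    return "-".join("%02x" % x for x in b)    # same style the firewall dump uses


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II -> IPv4 -> ICMP and check both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     hdr_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    result = {
        "dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
        "ttl": ttl, "proto": proto, "ip_id": ident,
        "ip_src": ip_str(src), "ip_dst": ip_str(dst),
        "ip_checksum": hdr_cksum,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if proto == 1:                            # ICMP: type, code, checksum, body
        icmp = ip[ihl:total_len]
        icmp_type, icmp_code, icmp_cksum = struct.unpack("!BBH", icmp[:4])
        result.update({
            "icmp_type": icmp_type,
            "icmp_type_name": ICMP_TYPES.get(icmp_type, "?"),
            "icmp_code": icmp_code,
            "icmp_checksum": icmp_cksum,
            "icmp_checksum_ok": inet_checksum(icmp) == 0,
        })
        if icmp_type in (0, 8) and len(icmp) >= 8:   # echo: identifier + sequence (RFC 792)
            result["icmp_id"], result["icmp_seq"] = struct.unpack("!HH", icmp[4:8])
            result["icmp_payload"] = icmp[8:]
    return result


def unsolicited_echo_replies(packets, requests_seen):
    """Defender-side check: an Echo Reply is suspect when no Echo Request with
    the matching (requester, responder, id, seq) was observed. `requests_seen`
    holds (ip_src, ip_dst, id, seq) tuples taken from type-8 packets."""
    flagged = []
    for p in packets:
        if p.get("icmp_type") == 0:
            key = (p["ip_dst"], p["ip_src"], p.get("icmp_id"), p.get("icmp_seq"))
            if key not in requests_seen:
                flagged.append(p)
    return flagged


if __name__ == "__main__":
    pkt = decode_frame(FRAME)
    for k, v in pkt.items():
        print("%-18s %s" % (k, hex(v) if k.endswith("checksum") or k.startswith("icmp_id") or k.endswith("seq") else v))
    # No Echo Request from 11.0.0.3 was seen, so the reply is flagged.
    print("unsolicited:", len(unsolicited_echo_replies([pkt], set())) == 1)
```

Two things fall out of running it against the post's bytes. The wire bytes `23 8C` decode to an IPv4 header checksum of 0x238c, and the checksum verifies; the firewall's "0x8c23" is the same value printed in host (little-endian) byte order, not a different number. The "Data (4 bytes)" the firewall reports are the RFC 792 identifier (0xcb6c) and sequence (0x2c54) fields of the echo message, so the reply carries no payload at all, and the ICMP checksum 0x083f also verifies. Nothing in the frame is malformed; what is odd is only that a type 0 reply is leaving the host with no type 8 request behind it, which is exactly the condition the last function flags.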