Nmap Development mailing list archives

nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency


From: "Tom H" <tom () scriptsupport co uk>
Date: Wed, 30 Jul 2003 23:59:17 +0100


Hi,

I was watching an Ethereal trace of the win32 command line nmap v3.30 while I was scanning a
local network for open rpc ports using the following command:

C:\>nmap -v -p 135 10.0.0.1/24

I noticed that during the scan, nmap sends 2 packets with a destination address
of 11.0.0.3, and that these packets are echo replies. The first is sent almost immediately
and the next approximately 12 seconds later.
A whois lookup shows that the netblock is owned by Defense Intelligence Agency,
Washington, DC, which is interesting, to say the least.

I tested this on a linux box, and the same packets were not observed, so this seems to be
a win32 version issue. I also repeated this experiment a number of times on windows 2000
hosts and noticed the same packets produced.

So what's going on there, then? I've included the information about the packet and the
whois result below.

Cheers

T

DUMP FROM FIREWALL OF THE PACKET INFORMATION 

File Version :          5.00.2195.6717
File Description :      NT Kernel & System
File Path :             C:\WINNT\system32\ntoskrnl.exe
Process ID :            8 (Heximal) 8 (Decimal)

Connection origin :     local initiated
Protocol :              ICMP
Local Address :         10.0.0.3
ICMP Type :             0 (Echo Reply)
ICMP Code :             0 
Remote Name :                   
Remote Address :        11.0.0.3

Ethernet packet details:
Ethernet II (Packet Length: 42)
        Destination:    00-90-d0-85-97-22
        Source:         00-01-02-dc-8b-3e
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 128
        Protocol: 0x1 (ICMP - Internet Control Message Protocol)
        Header checksum: 0x8c23 (Correct)
        Source: 10.0.0.3
        Destination: 11.0.0.3
Internet Control Message Protocol
        Type: 0 (Echo Reply)
        Code: 0
        Data (4 bytes)

Binary dump of the packet:
0000:  00 90 D0 85 97 22 00 01 : 02 DC 8B 3E 08 00 45 00 | .....".....>..E.
0010:  00 1C 02 50 00 00 80 01 : 23 8C 0A 00 00 03 0B 00 | ...P....#.......
0020:  00 03 00 00 08 3F CB 6C : 2C 54                   | .....?.l,T      

WHOIS LOOKUP OF THE IP ADDRESS

$whois 11.0.0.3

DoD Intel Information Systems (NET-DODIIS)
   Defense Intelligence Agency
   Washington, DC 20301
   US

   Netname: DODIIS
   Netblock: 11.0.0.0 - 11.255.255.255
   Maintainer: DNIC

   Coordinator:
      DoD, Network  (MIL-HSTMST-ARIN)  HOSTMASTER () nic mil
      (703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749

   Record last updated on 26-Sep-1998.
   Database last updated on  23-Aug-2002 16:56:03 EDT.
The information in this WHOIS database is current as of August 23, 2002,
and has been retained for historical purposes only. For the most current
information, query whois.arin.net or visit http://whois.arin.net.

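The frame in the firewall dump above, decoded by a Python script added here as an example (it is not part of the original post and not nmap code): it rebuilds the frame from the hex columns, decodes the Ethernet II / IPv4 / ICMP headers, verifies both checksums, and applies the egress check a firewall rule for this traffic would express. The site prefix 10.0.0.0/24 is assumed from the scan command in the post.

```python
import ipaddress
import struct

# Hex dump copied from the firewall log above; the parser strips offsets and the ASCII gutter.
DUMP = """\
0000:  00 90 D0 85 97 22 00 01 : 02 DC 8B 3E 08 00 45 00 | .....".....>..E.
0010:  00 1C 02 50 00 00 80 01 : 23 8C 0A 00 00 03 0B 00 | ...P....#.......
0020:  00 03 00 00 08 3F CB 6C : 2C 54                   | .....?.l,T
"""

def parse_dump(text):
    """Rebuild the raw Ethernet frame from the dump's hex columns."""
    raw = bytearray()
    for line in text.strip().splitlines():
        hex_part = line.split("|")[0].split(":", 1)[1]  # drop "0000:" offset and ASCII gutter
        raw += bytes.fromhex(hex_part.replace(":", " "))
    return bytes(raw)

def inet_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode(frame):
    """Decode Ethernet II / IPv4 / ICMP headers and validate both checksums."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    icmp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # slice to IP total length (28 bytes here)
    # The four bytes the firewall labels "Data" are the echo identifier and sequence number.
    icmp_type, icmp_code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        # Wire order is 23 8C; the firewall's parsed view printed it byte-swapped as 0x8c23.
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp_type, "icmp_code": icmp_code, "icmp_id": ident, "icmp_seq": seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }

def echo_reply_leaving_site(fields, site):
    """Egress check: ICMP echo reply sourced inside `site` but addressed outside it."""
    net = ipaddress.ip_network(site)
    return (fields["proto"] == 1 and fields["icmp_type"] == 0
            and ipaddress.ip_address(fields["src"]) in net
            and ipaddress.ip_address(fields["dst"]) not in net)
```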