Nmap Development mailing list archives
ping behaviour: too much trust in ICMP unreachable/admin prohibited?
From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 27 Feb 2004 15:21:21 +0100
Using nmap -PI -PP -PT21,22,23,53,79 -PS25,80,443,3128,8080 -PU2,32631 TARGET I got "host down" in 0.4 seconds, which bugged me a little (I had received spam from there several minutes ago), so I sniffed it and saw:

    14:54:41.869721 SOURCE > TARGET: icmp: echo request
    14:54:41.870343 SOURCE > TARGET: icmp: time stamp query id 7786 seq 43225
    14:54:41.870541 SOURCE.63631 > TARGET.2: udp 0
    14:54:41.870681 SOURCE.63631 > TARGET.32631: udp 0
    14:54:41.870846 SOURCE.63631 > TARGET.ftp: . ack 3593890334 win 2048
    14:54:41.871102 SOURCE.63631 > TARGET.ssh: . ack 1819699742 win 1024
    14:54:41.871311 SOURCE.63631 > TARGET.telnet: . ack 443968030 win 3072
    14:54:41.871478 SOURCE.63631 > TARGET.domain: . ack 2083940894 win 2048
    14:54:41.871615 SOURCE.63631 > TARGET.finger: . ack 3359009310 win 2048
    14:54:41.871776 SOURCE.63631 > TARGET.smtp: S 1291217438:1291217438(0) win 2048
    14:54:41.871911 SOURCE.63631 > TARGET.http: S 322333214:322333214(0) win 1024
    14:54:41.872042 SOURCE.63631 > TARGET.https: S 2159438366:2159438366(0) win 2048
    14:54:41.872175 SOURCE.63631 > TARGET.squid: S 808872478:808872478(0) win 3072
    14:54:41.872306 SOURCE.63631 > TARGET.webcache: S 2457233950:2457233950(0) win 1024
    14:54:41.895249 ROUTER > SOURCE: icmp: host TARGET unreachable - admin prohibited filter
    14:54:41.968518 TARGET > SOURCE: icmp: echo reply [tos 0x20]

The last two lines are interesting - I received both an ICMP unreachable and then an ICMP echo reply. It seems to me that in this case the host should be considered UP, but nmap exits sooner, right after accepting the ICMP unreachable, so it does not see the ICMP echo reply.

I think that nmap should wait for any eventual replies even in the case of ICMP unreachable (or at least in the "admin prohibited" case). If it gets any other "up" response it should consider the host UP and not down.

Another question is whether we want to trust these messages at all. Why not ignore any explicit "host down" messages?
At least in the "admin prohibited" case - should we trust the "admin" that the filter really blocks everything? The only drawback I can think of could be performance - in that case, there could be an option to turn that behaviour on/off.

Martin Mačok
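The two host-discovery decision rules the post compares, as an added Python illustration that is not part of the thread or of nmap's own code: it classifies the replies in the quoted capture (re-typed below as a constructed sample, with SOURCE, TARGET and ROUTER standing in for the real addresses) and contrasts "stop at the first decisive reply" with "keep listening for a window and let any reply from the target itself win".

```python
import re

# Constructed sample in tcpdump's own format: the lines that matter from the capture
# quoted in the post. SOURCE, TARGET and ROUTER stand in for the real addresses.
CAPTURE = """\
14:54:41.869721 SOURCE > TARGET: icmp: echo request
14:54:41.871776 SOURCE.63631 > TARGET.smtp: S 1291217438:1291217438(0) win 2048
14:54:41.895249 ROUTER > SOURCE: icmp: host TARGET unreachable - admin prohibited filter
14:54:41.968518 TARGET > SOURCE: icmp: echo reply [tos 0x20]
"""

LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")

def _is_host(field, host):
    """tcpdump prints 'host' or 'host.port'; match either, for names and dotted quads alike."""
    return field == host or field.startswith(host + ".")

def classify(line, source="SOURCE", target="TARGET"):
    """Map one tcpdump line to (seconds, verdict); verdict is 'up', 'down', or None for
    our own probes and unrelated traffic."""
    m = LINE_RE.match(line)
    if not m or not _is_host(m["dst"], source):
        return None                          # not a reply addressed to the scanner
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    if _is_host(m["src"], target):
        return (t, "up")                     # anything the target itself sends proves it is alive
    if "unreachable" in m["rest"] and f"host {target}" in m["rest"]:
        return (t, "down")                   # a third party (router/firewall) claims it is filtered
    return None

def replies(capture, source="SOURCE", target="TARGET"):
    """All classified replies in the capture, ordered by time."""
    return sorted(e for e in (classify(l, source, target) for l in capture.splitlines()) if e)

def first_decisive(evs):
    """Behaviour observed in the post: the first decisive reply ends host discovery."""
    return evs[0][1] if evs else "down"      # silence until the timeout also means 'down'

def wait_for_any_up(evs, window):
    """Proposed behaviour: keep listening for `window` seconds after the first reply, and
    let any reply from the target itself override an earlier admin-prohibited message."""
    if not evs:
        return "down"
    t0 = evs[0][0]
    return "up" if any(v == "up" for t, v in evs if t - t0 <= window) else "down"

if __name__ == "__main__":
    evs = replies(CAPTURE)
    print("first decisive reply :", first_decisive(evs))        # down
    print("wait 1 s for any 'up':", wait_for_any_up(evs, 1.0))  # up
```

In the sample the echo reply lands about 73 ms after the admin-prohibited message, so the listening window decides the verdict; that delay is the performance cost the post mentions.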