Nmap Development mailing list archives

ping behaviour: too much trust in ICMP unreachable/admin prohibited?


From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 27 Feb 2004 15:21:21 +0100

Using
 nmap -PI -PP -PT21,22,23,53,79 -PS25,80,443,3128,8080 -PU2,32631 TARGET
I got "host down" in 0.4 seconds which bugged me a little (I had
received spam from there several minutes earlier) so I sniffed it and
saw

14:54:41.869721 SOURCE > TARGET: icmp: echo request
14:54:41.870343 SOURCE > TARGET: icmp: time stamp query id 7786 seq 43225
14:54:41.870541 SOURCE.63631 > TARGET.2:  udp 0
14:54:41.870681 SOURCE.63631 > TARGET.32631:  udp 0
14:54:41.870846 SOURCE.63631 > TARGET.ftp: . ack 3593890334 win 2048
14:54:41.871102 SOURCE.63631 > TARGET.ssh: . ack 1819699742 win 1024
14:54:41.871311 SOURCE.63631 > TARGET.telnet: . ack 443968030 win 3072
14:54:41.871478 SOURCE.63631 > TARGET.domain: . ack 2083940894 win 2048
14:54:41.871615 SOURCE.63631 > TARGET.finger: . ack 3359009310 win 2048
14:54:41.871776 SOURCE.63631 > TARGET.smtp: S 1291217438:1291217438(0) win 2048
14:54:41.871911 SOURCE.63631 > TARGET.http: S 322333214:322333214(0) win 1024
14:54:41.872042 SOURCE.63631 > TARGET.https: S 2159438366:2159438366(0) win 2048
14:54:41.872175 SOURCE.63631 > TARGET.squid: S 808872478:808872478(0) win 3072
14:54:41.872306 SOURCE.63631 > TARGET.webcache: S 2457233950:2457233950(0) win 1024
14:54:41.895249 ROUTER > SOURCE: icmp: host TARGET unreachable - admin prohibited filter
14:54:41.968518 TARGET > SOURCE: icmp: echo reply [tos 0x20]

The last two lines are interesting - I received both ICMP unreachable
and then ICMP echo reply. It seems to me that in this case the host should
be considered UP but nmap exits sooner right after accepting ICMP
unreachable so it does not see ICMP echo reply.

I think that nmap should wait for any eventual replies even in the
case of ICMP unreachable (or at least in the "admin prohibited" case). If
it gets any other "up" response it should consider the host UP and not
down.

Another question is if we want to trust these messages at all. Why not
ignore any explicit "host down" messages? At least, in "admin
prohibited" case - should we trust the "admin" that the filter really
blocks everything?

The only drawback I can think of could be performance - in that case,
there could be an option to turn that behaviour on/off.

Martin Mačok
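Added example, not part of Martin's post and not nmap's own code: a small Python model of the two host-discovery policies discussed above, run over the tcpdump lines quoted in the post (SOURCE/TARGET/ROUTER are the post's placeholders). The grace window after an ICMP unreachable is a hypothetical parameter; with it at zero the model reproduces the "host down" verdict, with a positive window the later echo reply from TARGET wins.

```python
import re

# Constructed sample: tcpdump lines quoted in the post, keeping its SOURCE/TARGET/ROUTER placeholders.
TRACE = """\
14:54:41.869721 SOURCE > TARGET: icmp: echo request
14:54:41.871776 SOURCE.63631 > TARGET.smtp: S 1291217438:1291217438(0) win 2048
14:54:41.895249 ROUTER > SOURCE: icmp: host TARGET unreachable - admin prohibited filter
14:54:41.968518 TARGET > SOURCE: icmp: echo reply [tos 0x20]
"""

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) (\S+) > (\S+): (.*)$", re.M)

def parse_trace(trace):
    """Return [(seconds, src_host, dst_host, payload)] from 'tcpdump -n' style lines."""
    events = []
    for m in LINE_RE.finditer(trace):
        h, mi, s, src, dst, rest = m.groups()
        rest = rest.strip()
        # TCP/UDP endpoints carry a trailing '.port'; ICMP endpoints are bare hosts.
        if not rest.startswith("icmp:"):
            src, dst = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
        events.append((int(h) * 3600 + int(mi) * 60 + float(s), src, dst, rest))
    return events

def classify(evt, source, target):
    """'up': the target itself answered (echo/timestamp reply, SYN-ACK, RST, its own port
    unreachable). 'unreach': another host sent an ICMP unreachable naming the target."""
    _, src, dst, rest = evt
    if dst != source:
        return None
    if src == target:
        return "up"
    if "unreachable" in rest and target in rest:
        return "unreach"
    return None

def host_verdict(events, source, target, window):
    """window=0.0 reproduces what the post saw: the first ICMP unreachable ends the probe.
    window>0 is the proposed fix (hypothetical parameter): keep listening that many
    seconds after the unreachable and let any positive reply from the target override it."""
    deadline = None
    for evt in events:
        if deadline is not None and evt[0] > deadline:
            break
        kind = classify(evt, source, target)
        if kind == "up":
            return ("up", evt[0])
        if kind == "unreach" and deadline is None:
            deadline = evt[0] + window
    return ("down", deadline)
```

In this trace the echo reply arrives 73 ms after the router's admin-prohibited message, so a window shorter than that (0.05 s, say) still yields "down"; the trade-off is exactly the performance cost the post mentions.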

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
