Nmap Development mailing list archives
Re: icmpprotohack question
From: Fyodor <fyodor () insecure org>
Date: Sun, 25 Jun 2006 14:05:31 -0700
On Wed, Jun 14, 2006 at 02:24:25PM +0200, Eddie Bell wrote:
> In scan_engine.cc at the bottom of get_pcap_results() there is a block of code, used in protocol scans, that seems to set icmp as open if nmap receives any icmp packet. I set up a firewall rule to drop all ICMP packets but nmap still says icmp is open because it receives protocol unreachable messages. Should the code not test the type of icmp message to determine if icmp is open or closed? Surely receiving a protocol unreachable message for icmp should automatically negate icmp from being open.

Well, this only applies for cases where the ICMP message comes from the target host itself (not some intermediate firewall). So if the target sends an ICMP message back in response to a protocol scan, Nmap considers ICMP to be open regardless of what sort of ICMP message was sent. Clearly the machine knows how to deal with some ICMP messages (or else an intermediate host spoofed the packet).

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
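
The rule described in the reply above, as an added example that is not part of the original thread and is not code from Nmap's scan_engine.cc. The names IcmpReply, classify and state_of are hypothetical, the replies are constructed, and skipping replies from intermediate devices entirely is a simplification made for this example.

```cpp
// Added example: reading ICMP replies seen during an IP protocol scan (not Nmap source).
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

enum class State { Unknown, Open, Closed };

// Hypothetical summary of one captured ICMP reply.
struct IcmpReply {
    std::string src;       // address that sent the ICMP message
    uint8_t type, code;    // ICMP type and code
    uint8_t probed_proto;  // protocol number in the IP header quoted by the error
};

constexpr uint8_t PROTO_ICMP = 1, ICMP_UNREACH = 3, UNREACH_PROTOCOL = 2;
using Table = std::map<uint8_t, State>;

State state_of(const Table &t, uint8_t proto) {
    auto it = t.find(proto);
    return it == t.end() ? State::Unknown : it->second;
}

Table classify(const std::string &target, const std::vector<IcmpReply> &replies) {
    Table t;
    for (const auto &r : replies) {
        // Only ICMP generated by the target itself says anything about the target's
        // ICMP support; this example skips replies from intermediate devices.
        if (r.src != target) continue;
        if (r.type == ICMP_UNREACH && r.code == UNREACH_PROTOCOL)
            t[r.probed_proto] = State::Closed;
        // Applied last so it wins even when the error quotes a protocol 1 probe.
        t[PROTO_ICMP] = State::Open;
    }
    return t;
}

// Constructed sample replies; addresses are from the 192.0.2.0/24 documentation range.
std::vector<IcmpReply> sample_replies() {
    return {{"192.0.2.10", 3, 2, 132},  // target: protocol unreachable for an SCTP probe
            {"192.0.2.10", 3, 2, 1},    // target: protocol unreachable quoting an ICMP probe
            {"192.0.2.1", 3, 13, 47}};  // intermediate firewall: admin prohibited, GRE probe
}

int main() {
    Table t = classify("192.0.2.10", sample_replies());
    std::printf("icmp=%d sctp=%d gre=%d\n", (int)state_of(t, 1), (int)state_of(t, 132), (int)state_of(t, 47));
    return 0;
}
```

With these replies the target's ICMP ends up open even though one of its errors quotes a protocol 1 probe, which is the case raised in the question.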