Nmap Development mailing list archives

Re: Nmap 4.20ALPHA5: Unable to produce ideal -O2 tests ?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 03 Sep 2006 02:21:26 +0000

On Sat, 2006-09-02 at 18:17 -0700, Fyodor wrote:
> Thanks, this helped me narrow it down.  It seems that the problem
> relates to scanning systems which don't respond to the first ICMP echo
> request probe (the one with the bogus code value of 9).  Expect a
> 4.20ALPHA6 release within the hour.  Please let us know if that works
> for you, or not.


Thanks for tracking this down!

I've compiled and tested ALPHA6 and confirmed that it does indeed behave
correctly with the filtered ICMP Type 9 probe.

The dropped type 9 probe wasn't the fault of either the scanning or
target machines.  It turns out that the Ethernet<-->Wireless (Layer 2,
not an IP hop) bridge I use is filtering these packets.  I ran a cable to
bypass that segment and ALPHA5 started working correctly too.

On a personal network these things can be tested and perhaps fixed but
on other networks, there may be no easy way to determine what probes are
being silently dropped by the network.

I'd like to see the 2nd-gen OS FP database be as clean and free from
network side effects as possible.  Perhaps one way to do this is to
release a calibrating client.  Something that sits on a remote host and
listens promiscuously to determine if all the different types of probes
can be sent over the network.  Something on insecure.org that users
could test against would be a start.  Something we could download and
test across our own networks would be ideal.  I don't feel comfortable
submitting fingerprints not knowing if some smart router or bridge is
tainting the results.  You could then have a check box on the submission
form say something like "I have used the Nmap tested client to confirm
my network is Nmap friendly."

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
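
The comparison a calibrating listener like the one proposed above would make, as an added example that is not part of the original message or of Nmap. All names are hypothetical, the packets are constructed, and the probe list is an assumption limited to the echo request with code 9 mentioned in the thread plus an ordinary echo request as a control; the bridge filter is simulated.

```python
import struct

ICMP_ECHO_REQUEST = 8

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo request (ICMP layer only)."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, csum, ident, seq) + payload

def classify(icmp: bytes):
    """Return (type, code) for an intact ICMP message, else None."""
    # A message whose checksum field is correct sums to zero.
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    return icmp[0], icmp[1]

def missing_probes(expected: dict, captured: list) -> list:
    """Names of probes the sender reports sending that the listener never saw."""
    seen = {classify(p) for p in captured}
    return [name for name, key in expected.items() if key not in seen]

# Assumed probe list: what the scanning side says it sent.
EXPECTED = {"echo request, code 9": (8, 9), "echo request, code 0": (8, 0)}

# Constructed traffic as it leaves the scanner.
SENT = [build_echo(9, 0x1234, 1, b"calib"), build_echo(0, 0x1234, 2, b"calib")]

# Simulated Layer 2 device that drops echo requests with a nonzero code.
AFTER_BRIDGE = [p for p in SENT if p[1] == 0]

if __name__ == "__main__":
    print("direct cable :", missing_probes(EXPECTED, SENT))
    print("via bridge   :", missing_probes(EXPECTED, AFTER_BRIDGE))
```

A non-empty result on the listener side means a device on the path altered or dropped a probe, so fingerprints gathered over that path should not be submitted.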

