Nmap Development mailing list archives
Re: Re: NMAP scan problems
From: Lord Doskias <lorddoskias () abv bg>
Date: Sun, 4 Mar 2007 12:43:27 +0200 (GMT+02:00)
Your guidance was very very helpful. I did what you recommended and I ended up with some interesting results. When I use the connect() type of scan I get port 80 open from google. But when I try the SYN scan nmap reports the port as filtered. Here are the results for the TCP SYN scan:

C:\>nmap -sS -P0 -p 80 www.google.com --packet-trace

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 12:27 FLE Standard Time
Warning: Hostname www.google.com resolves to 4 IPs. Using 209.85.135.103.
NSOCK (0.1090s) UDP connection requested to 192.168.201.250:53 (IOD #1) EID 8
NSOCK (0.1090s) Read request from IOD #1 [192.168.201.250:53] (timeout: -1ms) EID 18
NSOCK (0.1250s) UDP connection requested to 192.168.200.1:53 (IOD #2) EID 24
NSOCK (0.1250s) Read request from IOD #2 [192.168.200.1:53] (timeout: -1ms) EID 34
NSOCK (0.1250s) UDP connection requested to 87.120.131.1:53 (IOD #3) EID 40
NSOCK (0.1250s) Read request from IOD #3 [87.120.131.1:53] (timeout: -1ms) EID 50
NSOCK (0.1250s) UDP connection requested to 87.120.131.2:53 (IOD #4) EID 56
NSOCK (0.1250s) Read request from IOD #4 [87.120.131.2:53] (timeout: -1ms) EID 66
NSOCK (0.1410s) UDP connection requested to 192.92.192.1:53 (IOD #5) EID 72
NSOCK (0.1410s) Read request from IOD #5 [192.92.192.1:53] (timeout: -1ms) EID 82
NSOCK (0.1410s) Write request for 45 bytes to IOD #1 EID 91 [192.168.201.250:53]: E............103.135.85.209.in-addr.arpa.....
NSOCK (0.1410s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 72 [192.92.192.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 56 [87.120.131.2:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 40 [87.120.131.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 24 [192.168.200.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 8 [192.168.201.250:53]
NSOCK (0.1410s) Callback: WRITE SUCCESS for EID 91 [192.168.201.250:53]
NSOCK (0.1410s) Callback: READ SUCCESS for EID 18 [192.168.201.250:53] (216 bytes)
NSOCK (0.1410s) Read request from IOD #1 [192.168.201.250:53] (timeout: -1ms) EID 98
SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 iplen=44 seq=1786596582 win=4096 <mss 1460>
SENT (1.3750s) TCP 87.120.136.237:50400 > 209.85.135.103:80 S ttl=59 id=26861 iplen=44 seq=1786531047 win=4096 <mss 1460>
Interesting ports on mu-in-f103.google.com (209.85.135.103):
PORT   STATE    SERVICE
80/tcp filtered http

Nmap finished: 1 IP address (1 host up) scanned in 2.406 seconds

Here is a default scan:

C:\>nmap -sS -P0 google.com

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 12:31 FLE Standard Time
Warning: Hostname google.com resolves to 3 IPs. Using 64.233.187.99.
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
All 1697 scanned ports on jc-in-f99.google.com (64.233.187.99) are filtered

Nmap finished: 1 IP address (1 host up) scanned in 348.516 seconds

Without the -P0 option nmap reports that the machines are down. Any ideas how to "fix" the -sS scan?

Regards.
-------- Original message --------
From: Brandon Enright <bmenrigh () ucsd edu>
Subject: Re: NMAP scan problems
To: Lord Doskias <lorddoskias () abv bg>
Sent on: Sunday, March 4, 2007 00:59:54 GMT+02:00
----------------------------------

On Sat, 3 Mar 2007 21:12:32 +0200 (GMT+02:00) Lord Doskias <lorddoskias () abv bg> wrote:

> Hello again, I think I've got some clues on the problem. I think the ISP is blocking all "malicious" packets - e.g. packets that are not from an "established" type of connection or that don't seem to establish a real one. After all nmap is not using "valid" tcp/udp packets. So is there a way to force nmap to use valid tcp/udp packets?
>
> -----------------------------------------------------------------
> http://auto-motor-und-sport.bg/ With petrol in the blood

Nmap *does* use "valid" TCP packets for most of the scan types. If it didn't, it would not be able to reliably port scan. Only the "fancier" scans like -s[NFX] or -O[12]? use odd TCP packets to derive useful information.

Starting in 4.01 Nmap sets the TCP MSS option to 1460 for all SYN packets. This makes an Nmap connect look nearly identical to any other operating system connect.

If your ISP is filtering it is probably based on a rate-limit or a behavior detection. Using -sT (or not running privileged) stops Nmap from cooking its own packets and it just uses the OS connect() call.

Try:

$ telnet www.google.com 80

If that works (and it should) then try:

$ nmap -sT -P0 -p 80 www.google.com

The two are functionally identical. Nmap should report port 80 as open. You can then start experimenting with things like:

# nmap -sS -P0 -p 80 www.google.com

or

$ nmap -sT -P0 -p 1-100 www.google.com

If you get unexpected results from any of these add a --packet-trace to the command to see what is going on.

Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
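The verdict in the trace above (two SYN probes to 209.85.135.103:80, no reply at all, hence "filtered") can be read off mechanically from the SENT/RCVD lines. As an added example that is not part of this thread, here is a small Python parser for those --packet-trace lines that reproduces nmap's SYN-scan decision rule; the two SENT lines are from the message above, while the 203.0.113.10 lines are constructed to show an open and a closed port.

```python
import re
from collections import defaultdict

# Regex for the SENT/RCVD lines that `nmap --packet-trace` prints for TCP
# probes (NSOCK and ICMP lines are deliberately ignored by this example).
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \([\d.]+s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)"
)

def classify_syn_scan(trace_lines):
    """Reproduce the -sS verdict per target port from a packet trace.

    Returns {(ip, port): (state, probes_sent)} using nmap's SYN-scan rule:
    SYN/ACK reply -> open, RST reply -> closed, no reply even after the
    retransmitted probe -> filtered (the google.com case in the thread).
    """
    sent = defaultdict(int)
    replies = defaultdict(list)
    for line in trace_lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        if m["dir"] == "SENT":
            sent[(m["dst"], int(m["dport"]))] += 1
        else:
            # A reply is keyed by its *source*, i.e. the scanned target port.
            replies[(m["src"], int(m["sport"]))].append(m["flags"])
    verdict = {}
    for key, count in sent.items():
        flags = replies.get(key, [])
        if "SA" in flags:
            verdict[key] = ("open", count)
        elif any(f.startswith("R") for f in flags):   # R or RA
            verdict[key] = ("closed", count)
        else:
            verdict[key] = ("filtered", count)
    return verdict

# First two lines: the real probes from the trace above. The 203.0.113.10
# (TEST-NET) lines are constructed sample data for an open and a closed port.
SAMPLE_TRACE = """
SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 iplen=44 seq=1786596582 win=4096 <mss 1460>
SENT (1.3750s) TCP 87.120.136.237:50400 > 209.85.135.103:80 S ttl=59 id=26861 iplen=44 seq=1786531047 win=4096 <mss 1460>
SENT (1.4000s) TCP 87.120.136.237:50401 > 203.0.113.10:22 S ttl=51 id=7 iplen=44 seq=1786600001 win=4096 <mss 1460>
RCVD (1.4310s) TCP 203.0.113.10:22 > 87.120.136.237:50401 SA ttl=54 id=0 iplen=44 seq=9001 win=5840 <mss 1460>
SENT (1.4020s) TCP 87.120.136.237:50402 > 203.0.113.10:23 S ttl=44 id=8 iplen=44 seq=1786600002 win=4096 <mss 1460>
RCVD (1.4330s) TCP 203.0.113.10:23 > 87.120.136.237:50402 RA ttl=54 id=0 iplen=40 seq=0 win=0
""".strip().splitlines()

if __name__ == "__main__":
    for (ip, port), (state, n) in sorted(classify_syn_scan(SAMPLE_TRACE).items()):
        print(f"{ip}:{port} {state} (probes sent: {n})")
```

A port that comes back "filtered" with a probe count of 2 is exactly the silent-drop pattern in the thread: nmap retransmitted once and still saw nothing, which is what a -sT comparison then helps attribute to the path rather than the host.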
Current thread:
- NMAP scan problems Lord Doskias (Feb 28)
- <Possible follow-ups>
- RE: NMAP scan problems Lord Doskias (Mar 03)
- Re: NMAP scan problems Brandon Enright (Mar 03)
- Re: Re: NMAP scan problems Lord Doskias (Mar 04)