Nmap Development mailing list archives

Re: Re: NMAP scan problems


From: Lord Doskias <lorddoskias () abv bg>
Date: Sun, 4 Mar 2007 12:43:27 +0200 (GMT+02:00)

Your guidance was very, very helpful. I did what you recommended and I ended up with some interesting results. When I 
use a connect() type of scan I get port 80 open from Google. But when I try the SYN scan, nmap reports the port as 
filtered. Here are the results for the TCP SYN scan. 


C:\>nmap -sS -P0 -p 80 www.google.com --packet-trace

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 12:27 FLE Standard Time

Warning: Hostname www.google.com resolves to 4 IPs. Using 209.85.135.103.
NSOCK (0.1090s) UDP connection requested to 192.168.201.250:53 (IOD #1) EID 8
NSOCK (0.1090s) Read request from IOD #1 [192.168.201.250:53] (timeout: -1ms) EID 18
NSOCK (0.1250s) UDP connection requested to 192.168.200.1:53 (IOD #2) EID 24
NSOCK (0.1250s) Read request from IOD #2 [192.168.200.1:53] (timeout: -1ms) EID 34
NSOCK (0.1250s) UDP connection requested to 87.120.131.1:53 (IOD #3) EID 40
NSOCK (0.1250s) Read request from IOD #3 [87.120.131.1:53] (timeout: -1ms) EID 50
NSOCK (0.1250s) UDP connection requested to 87.120.131.2:53 (IOD #4) EID 56
NSOCK (0.1250s) Read request from IOD #4 [87.120.131.2:53] (timeout: -1ms) EID 66
NSOCK (0.1410s) UDP connection requested to 192.92.192.1:53 (IOD #5) EID 72
NSOCK (0.1410s) Read request from IOD #5 [192.92.192.1:53] (timeout: -1ms) EID 82
NSOCK (0.1410s) Write request for 45 bytes to IOD #1 EID 91 [192.168.201.250:53]: E............103.135.85.209.in-addr.arpa.....
NSOCK (0.1410s) nsock_loop() started (timeout=500ms). 11 events pending
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 72 [192.92.192.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 56 [87.120.131.2:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 40 [87.120.131.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 24 [192.168.200.1:53]
NSOCK (0.1410s) Callback: CONNECT SUCCESS for EID 8 [192.168.201.250:53]
NSOCK (0.1410s) Callback: WRITE SUCCESS for EID 91 [192.168.201.250:53]
NSOCK (0.1410s) Callback: READ SUCCESS for EID 18 [192.168.201.250:53] (216 bytes)
NSOCK (0.1410s) Read request from IOD #1 [192.168.201.250:53] (timeout: -1ms) EID 98
SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 iplen=44  seq=1786596582 win=4096 <mss 1460>
SENT (1.3750s) TCP 87.120.136.237:50400 > 209.85.135.103:80 S ttl=59 id=26861 iplen=44  seq=1786531047 win=4096 <mss 1460>
Interesting ports on mu-in-f103.google.com (209.85.135.103):
PORT   STATE    SERVICE
80/tcp filtered http

Nmap finished: 1 IP address (1 host up) scanned in 2.406 seconds


Here is a default scan:

C:\>nmap -sS -P0 google.com

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-04 12:31 FLE Standard Time

Warning: Hostname google.com resolves to 3 IPs. Using 64.233.187.99.
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan

All 1697 scanned ports on jc-in-f99.google.com (64.233.187.99) are filtered

Nmap finished: 1 IP address (1 host up) scanned in 348.516 seconds

Without the -P0 option nmap reports that the machines are down. Any ideas how to "fix" the -sS scan?

Regards.
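Reading a --packet-trace by hand is exactly what Brandon suggests below, and the scan above is the simplest case: two SYN probes go out (the second is Nmap's retransmission) and nothing comes back, which is what Nmap reports as "filtered". The script that follows is an added example; it is not part of this thread and not Nmap's own code. It applies the SYN-scan state rules (SYN/ACK back means open, RST back means closed, no TCP reply at all means filtered) to the SENT/RCVD lines of a trace so the outcome of each probe is visible at a glance. Its input is constructed: the two SENT lines are the ones from the www.google.com scan above, joined onto single lines, and the 10.0.0.5 / 10.0.0.9 lines are invented so that open and closed ports are exercised too. The layout of a RCVD line is assumed from Nmap's trace format rather than taken from this page, and ICMP unreachable replies (which Nmap also maps to filtered) are not parsed.

```python
import re
from collections import defaultdict

# Constructed sample input. The two SENT lines are the ones from the -sS scan
# of www.google.com quoted above, joined onto single lines; nothing came back
# for them. The 10.0.0.5 lines are invented so that the open and closed rules
# are exercised as well (RCVD line layout assumed from Nmap's trace format).
SAMPLE_TRACE = """
NSOCK (0.1410s) Callback: READ SUCCESS for EID 18 [192.168.201.250:53] (216 bytes)
SENT (0.3590s) TCP 87.120.136.237:50399 > 209.85.135.103:80 S ttl=47 id=450 iplen=44  seq=1786596582 win=4096 <mss 1460>
SENT (1.3750s) TCP 87.120.136.237:50400 > 209.85.135.103:80 S ttl=59 id=26861 iplen=44  seq=1786531047 win=4096 <mss 1460>
SENT (0.0100s) TCP 10.0.0.9:40001 > 10.0.0.5:80 S ttl=52 id=1 iplen=44  seq=1 win=4096 <mss 1460>
RCVD (0.0420s) TCP 10.0.0.5:80 > 10.0.0.9:40001 SA ttl=64 id=0 iplen=44  seq=2 win=5840 <mss 1460>
SENT (0.0110s) TCP 10.0.0.9:40002 > 10.0.0.5:81 S ttl=52 id=2 iplen=44  seq=3 win=4096 <mss 1460>
RCVD (0.0430s) TCP 10.0.0.5:81 > 10.0.0.9:40002 RA ttl=64 id=0 iplen=40  seq=0 win=0
Interesting ports on mu-in-f103.google.com (209.85.135.103):
"""

# One SENT/RCVD TCP line of --packet-trace output. Everything after the flag
# letters (ttl, id, seq, win, options) is irrelevant to the port state.
PKT_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)(?: |$)"
)


def parse_trace(text):
    """Split trace output into the TCP packets Nmap sent and received.

    NSOCK/DNS chatter and the final result table do not match and are skipped.
    """
    sent, rcvd = [], []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            (sent if rec["dir"] == "SENT" else rcvd).append(rec)
    return sent, rcvd


def classify(sent, rcvd):
    """Apply the SYN-scan rules to each probed target port.

    SYN/ACK back -> open; RST back -> closed; no TCP reply even after Nmap's
    retransmission -> filtered. Replies are matched to probes by swapping the
    address pair, so a reply to a port we never probed is ignored.
    """
    probes = defaultdict(list)  # (target ip, target port) -> our source ports
    for p in sent:
        if p["flags"] == "S":
            probes[(p["dst"], p["dport"])].append(p["sport"])

    replies = defaultdict(list)  # same key: a reply's source is the target
    for r in rcvd:
        replies[(r["src"], r["sport"])].append(r)

    result = {}
    for key, sports in probes.items():
        answers = [r for r in replies.get(key, []) if r["dport"] in sports]
        if any("S" in r["flags"] and "A" in r["flags"] for r in answers):
            state = "open"
        elif any("R" in r["flags"] for r in answers):
            state = "closed"
        else:
            state = "filtered"
        result[key] = {"state": state, "probes": len(sports), "replies": len(answers)}
    return result


if __name__ == "__main__":
    for (ip, port), info in sorted(classify(*parse_trace(SAMPLE_TRACE)).items()):
        note = ""
        if info["state"] == "filtered" and info["probes"] > 1:
            note = "  (SYN retransmitted, never answered: compare with -sT on the same port)"
        print(f"{ip}:{port:<5} {info['state']:<8} probes={info['probes']} "
              f"replies={info['replies']}{note}")
```

Run against a real trace, the useful comparison is the one Brandon proposes: the same port reported filtered by -sS but open by -sT means the raw SYNs built by Nmap are being dropped somewhere on the path while the operating system's own connect() gets through, which points at something between the scanner and the target rather than at the target itself.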
-------- Original message --------
From:  Brandon Enright <bmenrigh () ucsd edu>
Subject: Re: NMAP scan problems
To: Lord Doskias <lorddoskias () abv bg>
Sent on: Sunday, 4 March 2007 00:59:54 GMT+02:00
----------------------------------

On Sat, 3 Mar 2007 21:12:32 +0200 (GMT+02:00)
Lord Doskias <lorddoskias () abv bg> wrote:

Hello again, 


I think I've got some clues on the problem. I think the ISP is blocking
all "malicious" packets, e.g. packets that are not from an "established"
type of connection or that don't seem to establish a real one. After all,
nmap is not using "valid" tcp/udp packets. So is there a way to force
nmap to use valid tcp/udp packets?

-----------------------------------------------------------------
http://auto-motor-und-sport.bg/ 
With petrol in the blood


Nmap *does* use "valid" TCP packets for most of the scan types.  If it
didn't, it would not be able to reliably port scan.  Only the "fancier"
scans like -s[NFX] or -O[12]? use odd TCP packets to derive useful
information.

Starting in 4.01 Nmap sets the TCP MSS option to 1460 for all SYN packets.
This makes an Nmap connect look nearly identical to any other operating
system connect.  If your ISP is filtering, it is probably based on a
rate limit or a behavior detection.  Using -sT (or not running
privileged) stops Nmap from cooking its own packets; it just uses the OS
connect() call.

Try:

$ telnet www.google.com 80

If that works (and it should) then try:

$ nmap -sT -P0 -p 80 www.google.com

The two are functionally identical.  Nmap should report port 80 as open.

You can then start experimenting with things like:

# nmap -sS -P0 -p 80 www.google.com

or

$ nmap -sT -P0 -p 1-100 www.google.com


If you get unexpected results from any of these add a --packet-trace to the
command to see what is going on.

Brandon


-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org



