Nmap Development mailing list archives
ICMP Port Unreachable in Host Discovery
From: Will Cladek <william.cladek () nrl navy mil>
Date: Thu, 14 Jun 2007 13:03:39 -0400
Hi, I've encountered an issue with nmap not identifying a host on my network as being up when I attempt to scan it. This particular host is apparently configured to have its firewall send ICMP port unreachable messages for its filtered tcp ports. However, when the nmap host discovery receives this it will still say the host is down. An example scan and tcpdump:
sudo nmap -sP -PA21,22,25,80,443,445,1723 -PS21,22,25,80,443,445,1723 192.168.2.3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-14 12:55 EDT Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 Nmap finished: 1 IP address (0 hosts up) scanned in 0.113 seconds 12:55:14.530550 IP 192.168.2.2.46215 > 192.168.2.3.21: . ack 1876403038 win 3072 12:55:14.530583 IP 192.168.2.2.46215 > 192.168.2.3.22: . ack 1876403038 win 3072 12:55:14.530595 IP 192.168.2.2.46215 > 192.168.2.3.25: . ack 542614366 win 4096 12:55:14.530607 IP 192.168.2.2.46215 > 192.168.2.3.80: . ack 3742868318 win 4096 12:55:14.530618 IP 192.168.2.2.46215 > 192.168.2.3.443: . ack 3889668958 win 4096 12:55:14.530631 IP 192.168.2.2.46215 > 192.168.2.3.445: . ack 1473749854 win 3072 12:55:14.530641 IP 192.168.2.2.46215 > 192.168.2.3.1723: . ack 3025642334 win 3072 12:55:14.530651 IP 192.168.2.2.46215 > 192.168.2.3.21: S 4095189854:4095189854(0) win 4096 <mss 1460> 12:55:14.530661 IP 192.168.2.2.46215 > 192.168.2.3.22: S 1540858718:1540858718(0) win 4096 <mss 1460> 12:55:14.530670 IP 192.168.2.2.46215 > 192.168.2.3.25: S 2568463198:2568463198(0) win 4096 <mss 1460> 12:55:14.530680 IP 192.168.2.2.46215 > 192.168.2.3.80: S 1222091614:1222091614(0) win 3072 <mss 1460> 12:55:14.530689 IP 192.168.2.2.46215 > 192.168.2.3.443: S 4288127838:4288127838(0) win 3072 <mss 1460> 12:55:14.530699 IP 192.168.2.2.46215 > 192.168.2.3.445: S 2182587230:2182587230(0) win 1024 <mss 1460> 12:55:14.530709 IP 192.168.2.2.46215 > 192.168.2.3.1723: S 2425856862:2425856862(0) win 4096 <mss 1460> 12:55:14.530980 IP 192.168.2.3 > 192.168.2.2: icmp 48: 192.168.2.3 tcp port 21 unreachable 12:55:14.531014 IP 192.168.2.3 > 192.168.2.2: icmp 48: 192.168.2.3 tcp port 22 unreachable 12:55:14.531024 IP 192.168.2.3 > 192.168.2.2: icmp 48: 192.168.2.3 tcp port 25 unreachable 12:55:14.531033 IP 192.168.2.3 > 192.168.2.2: icmp 48: 192.168.2.3 tcp port 80 unreachable 12:55:14.531041 IP 192.168.2.3 > 192.168.2.2: icmp 48: 192.168.2.3 tcp port 443 unreachable 12:55:14.531050 IP 192.168.2.3 > 192.168.2.2: icmp 48: 192.168.2.3 tcp port 445 unreachable Maybe this is by design, but I'm of the opinion that if the target host itself is sending an ICMP port unreachable message, nmap should consider the host as "up". Thanks, Will _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- ICMP Port Unreachable in Host Discovery Will Cladek (Jun 14)
- Re: ICMP Port Unreachable in Host Discovery Kris Katterjohn (Jun 14)
- Re: ICMP Port Unreachable in Host Discovery Will Cladek (Jun 14)
- Re: ICMP Port Unreachable in Host Discovery Kris Katterjohn (Jun 14)
- Re: ICMP Port Unreachable in Host Discovery Brett Cunningham (Jun 15)
- Re: ICMP Port Unreachable in Host Discovery Will Cladek (Jun 14)
- Re: ICMP Port Unreachable in Host Discovery Kris Katterjohn (Jun 14)