Nmap Development mailing list archives

Re: Variety of bugs in nmap-4.20


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 19 Jun 2007 12:42:29 -0500

On 6/19/07, Chris Drake <> wrote:
Hi,

I'm running the latest nmap-4.20 built from source
on RedHat AS4 update 4

Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux


I'm running the latest official ALPHA 4.21ALPHA4 built from source on
a Debian/GNU Etch system.

Linux ebizsrvb 2.6.18-4-686 #1 SMP Wed Apr 18 09:55:10 UTC 2007 i686 GNU/Linux


1. I specifically ask it to send one ICMP echo request, however, it
   sends none, instead sending only an ARP:


# /usr/bin/nmap -n --packet_trace -sP -PE  123.123.252.164

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:56 UTC
SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
RCVD (0.0390s) ARP reply 123.123.252.164 is-at 00:0C:29:DA:5E:9F
Host 123.123.252.164 appears to be up.
MAC Address: 00:0C:29:DA:5E:9F (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.150 seconds

# ping 123.123.252.164
PING 123.123.252.164 (123.123.252.164) 56(84) bytes of data.
64 bytes from 123.123.252.164: icmp_seq=0 ttl=64 time=5.16 ms
64 bytes from 123.123.252.164: icmp_seq=1 ttl=64 time=0.717 ms


I cannot recreate this one.

jrdepriest@ebizsrvb:~$ sudo nmap -n --packet_trace -sP -PE 10.226.41.224
Password:

Starting Nmap 4.21ALPHA4 ( http://insecure.org ) at 2007-06-19 12:26 CDT
SENT (0.0910s) ICMP 10.226.24.50 > 10.226.41.224 Echo request (type=8/code=0) ttl=39 id=12539 iplen=28
RCVD (0.0910s) ICMP 10.226.41.224 > 10.226.24.50 Echo reply (type=0/code=0) ttl=127 id=2743 iplen=28
Host 10.226.41.224 appears to be up.
Nmap finished: 1 IP address (1 host up) scanned in 0.206 seconds



2. I attempt to send a single UDP packet, but
   2a - it sends 2 packets
   2b - it parses the --host_timeout switch wrongly (curious: works OK
        on a "RedHat AS4u4 "full" non-SELinux install, but fails on a
        vmware RedHat AS4u4 "minimal" SELinux install.)

# /usr/bin/nmap -n --packet_trace -P0 -sU -p 53  --host_timeout 5000 --data_length 1 203.123.123.131
host-timeout is given in milliseconds, so you specified less than 15 seconds (0ms). This is allowed but not recommended.

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:59 UTC
SENT (0.0380s) UDP 123.123.252.162:48152 > 203.123.123.131:53 ttl=48 id=52931 iplen=29
SENT (1.0470s) UDP 123.123.252.162:48153 > 203.123.123.131:53 ttl=42 id=51814 iplen=29
Interesting ports on 203.123.123.131:
Unable to find nmap-services!  Resorting to /etc/services
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 2.130 seconds
[root@vm4-DidTheyReadIt bin]#


This one on the other hand does the same for me.  It correctly
recognizes the time as being less than 1500ms or less than 15s, it
just displays the time as 0ms in the warning.  So cosmetic more than
functional.

I don't think '--data-length' (Append random data to sent packets)
does what you think it does.  Try '--max-retries 0'


3. (Cosmetic) It tells me to use -P0 when I'm already using -P0

# /usr/bin/nmap -P0 -n --packet_trace -sP -PE  123.123.252.163

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:57 UTC
SENT (0.0610s) ARP who-has 123.123.252.163 tell 123.123.252.162
SENT (0.1700s) ARP who-has 123.123.252.163 tell 123.123.252.162
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.320 seconds


Dunno about this one.  Yes, that is what it does.  I usually just
ignore that and move on.  But it does seem a little wonky to tell you
to try what you just did.







Kind Regards,
Chris Drake



So, try out 4.21ALPHA4 to get around your first issue.

Or get funky and grab the SVN.

Hope this helps!

-Jason

-- 
NOTICE:  This email is being sent in clear-text across the public
Internet.  Therefore, any attempts to include unenforceable legalese
restrictions are ridiculous and pointless.  If you can read this,
consider yourself authorized (whether I like it or not).

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
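The three bug reports above are all argued from Nmap's --packet_trace output: counting what was actually SENT (an ARP instead of the requested ICMP echo, two UDP probes instead of one) against what the command line asked for. The following is an added example, not code from this thread or from the Nmap project, that parses SENT/RCVD trace lines of the shape shown in the quoted output and reports such discrepancies; the regex, the function names and the sample traces (copied from the messages above) are assumptions of this example, not an Nmap API.

```python
import re
from collections import Counter

# Shape of a --packet_trace line as seen in the thread (assumed, not an official format):
#   SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
#   RCVD (0.0910s) ICMP 10.226.24.50 > 10.226.41.224 Echo request (type=8/code=0) ...
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<time>\d+\.\d+)s\) (?P<proto>[A-Z]+) (?P<detail>.*)$"
)

# Sample traces copied from the quoted output above (constructed test input for this example).
ARP_TRACE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:56 UTC
SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
RCVD (0.0390s) ARP reply 123.123.252.164 is-at 00:0C:29:DA:5E:9F
Host 123.123.252.164 appears to be up.
"""

UDP_TRACE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:59 UTC
SENT (0.0380s) UDP 123.123.252.162:48152 > 203.123.123.131:53 ttl=48 id=52931 iplen=29
SENT (1.0470s) UDP 123.123.252.162:48153 > 203.123.123.131:53 ttl=42 id=51814 iplen=29
Interesting ports on 203.123.123.131:
"""

ALPHA_TRACE = """\
Starting Nmap 4.21ALPHA4 ( http://insecure.org ) at 2007-06-19 12:26 CDT
SENT (0.0910s) ICMP 10.226.24.50 > 10.226.41.224 Echo request (type=8/code=0) ttl=39 id=12539 iplen=28
RCVD (0.0910s) ICMP 10.226.41.224 > 10.226.24.50 Echo reply (type=0/code=0) ttl=127 id=2743 iplen=28
Host 10.226.41.224 appears to be up.
"""


def parse_packet_trace(text):
    """Return one dict per SENT/RCVD line; banner and result lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "dir": m.group("dir"),
            "time": float(m.group("time")),
            "proto": m.group("proto"),
            "detail": m.group("detail"),
        })
    return events


def sent_counts(events):
    """Number of probes Nmap actually put on the wire, keyed by protocol."""
    return Counter(e["proto"] for e in events if e["dir"] == "SENT")


def check_probes(events, expected):
    """Compare sent probe counts with what the command line requested.

    `expected` maps protocol -> count, e.g. {"ICMP": 1} for a single -PE probe.
    Returns a list of human-readable discrepancies; an empty list means the
    trace matches the request."""
    actual = sent_counts(events)
    problems = []
    for proto, want in expected.items():
        got = actual.get(proto, 0)
        if got != want:
            problems.append(f"{proto}: expected {want} probe(s), trace shows {got}")
    for proto, got in actual.items():
        if proto not in expected:
            problems.append(f"{proto}: {got} unexpected probe(s) sent")
    return problems


def resend_gaps(events, proto):
    """Seconds between consecutive SENT probes of one protocol (retransmission timing)."""
    times = [e["time"] for e in events if e["dir"] == "SENT" and e["proto"] == proto]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for name, trace, want in (("issue 1", ARP_TRACE, {"ICMP": 1}),
                              ("issue 2", UDP_TRACE, {"UDP": 1}),
                              ("4.21ALPHA4", ALPHA_TRACE, {"ICMP": 1})):
        ev = parse_packet_trace(trace)
        print(name, check_probes(ev, want) or "matches request",
              "resend gaps:", resend_gaps(ev, next(iter(want))))
```

Run against the first trace this reports a missing ICMP probe and an unexpected ARP probe; against the second it reports two UDP probes where one was asked for, with the second one sent about a second after the first, which is the retransmission behaviour Jason points at with --max-retries; the 4.21ALPHA4 trace comes back clean.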

