Nmap Development mailing list archives

Re: 24-Hour Beta: Nmap 4.69BETA1

From: "Alan Jones" <asjones987 () gmail com>
Date: Sat, 13 Sep 2008 13:30:34 -0500

I got behind and could not respond but had been thinking there should be a
way to detect this type of issue in Nmap and either say "The traceroute may
not be correct please try the -PE parameter".

Or in an ideal world let Nmap detect it and work around it and tell you it
worked around it.

I am sure I am not the only one with a DSL issue like this.

It seems even more important to look at the options on this issue now that
Zenmap had the map built in.

any thoughts or options that we could consider?


thanks

Alan







On Sun, Sep 7, 2008 at 9:05 PM, Fyodor <fyodor () insecure org> wrote:

On Sun, Sep 07, 2008 at 08:30:40PM -0500, Alan Jones wrote:

TRACEROUTE (using port 22/tcp)
HOP RTT   ADDRESS
1   1.00  home (192.168.x.xx)
2   14.00 adsl-70-xx-x-x.dsl.ltrkar.sbcglobal.net (70.232.xx.xxx)


I think this sbcglobal.net machine (or, possibly, software running on
your own machine) is spoofing the port 80 RST packets "from" scanme.
Maybe SBC is running a transparent web proxy cache on port 80.  ISPs
sometimes do similar things with port 25 as well.  A giveaway is the
responses you received with a TTL of 255, like this:

RCVD (0.2650s) TCP 64.13.134.52:80 > 192.168.1.67:35207 R ttl=255 id=1192
iplen=63  seq=3390443990 win=0

That should only happen if they were generated from the next hop
machine (or from software on your machine itself).

I think this is a good example of how Nmap can help in understanding
and detecting these sorts of network anomalies.  One thing we could
consider doing is making certain ports likely to have such shenanigans
(like tcp 25, 80, and 113) be considered "less desirable" than other
ports by the new Nmap timing ping selector.  But I'm not sure whether
this problem is common enough to merit a special case like that.  And
in any case, these sorts of results are sometimes desirable to better
understand the network.

Cheers,
Fyodor


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

24-Hour Beta: Nmap 4.69BETA1 Fyodor (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
  - Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
    - RE: 24-Hour Beta: Nmap 4.69BETA1 Rob Nicholls (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 Fyodor (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 13)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
  - Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
    - Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
    - "Nmap Output" tab David Fifield (Sep 07)