Nmap Development mailing list archives
Re: 24-Hour Beta: Nmap 4.69BETA1
From: "Alan Jones" <asjones987 () gmail com>
Date: Sat, 13 Sep 2008 13:30:34 -0500
I got behind and could not respond but had been thinking there should be a way to detect this type of issue in Nmap and either say "The traceroute may not be correct please try the -PE parameter". Or in an ideal world let Nmap detect it and work around it and tell you it worked around it. I am sure I am not the only one with a DSL issue like this. It seems even more important to look at the options on this issue now that Zenmap had the map built in. any thoughts or options that we could consider? thanks Alan On Sun, Sep 7, 2008 at 9:05 PM, Fyodor <fyodor () insecure org> wrote:
On Sun, Sep 07, 2008 at 08:30:40PM -0500, Alan Jones wrote:TRACEROUTE (using port 22/tcp) HOP RTT ADDRESS 1 1.00 home (192.168.x.xx) 2 14.00 adsl-70-xx-x-x.dsl.ltrkar.sbcglobal.net (70.232.xx.xxx)I think this sbcglobal.net machine (or, possibly, software running on your own machine) is spoofing the port 80 RST packets "from" scanme. Maybe SBC is running a transparent web proxy cache on port 80. ISPs sometimes do similar things with port 25 as well. A giveaway is the responses you received with a TTL of 255, like this: RCVD (0.2650s) TCP 64.13.134.52:80 > 192.168.1.67:35207 R ttl=255 id=1192 iplen=63 seq=3390443990 win=0 That should only happen if they were generated from the next hop machine (or from software on your machine itself). I think this is a good example of how Nmap can help in understanding and detecting these sorts of network anomalies. One thing we could consider doing is making certain ports likely to have such shenanigans (like tcp 25, 80, and 113) be considered "less desirable" than other ports by the new Nmap timing ping selector. But I'm not sure whether this problem is common enough to merit a special case like that. And in any case, these sorts of results are sometimes desirable to better understand the network. Cheers, Fyodor
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- 24-Hour Beta: Nmap 4.69BETA1 Fyodor (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- RE: 24-Hour Beta: Nmap 4.69BETA1 Rob Nicholls (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Fyodor (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 13)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- "Nmap Output" tab David Fifield (Sep 07)