Nmap Development mailing list archives
RE: nmap 5.21 sends protocol unreachable
From: Derek <depierjack () msn com>
Date: Thu, 28 Jan 2010 19:38:50 -0500
I was actually thinking earlier today that maybe it was Windows sending the packet because it is not expecting the reply, so I then tried it on a Windows XP machine to see if it was a Windows thing. It seems to be a Windows 7 specific feature, because the Windows XP PC did NOT send an ICMP Protocol Unreachable message; in fact, it didn't send any packet at all after receiving the unexpected reply.

So with that being said, is it possible to forge echo, timestamp, or address mask replies to check for live hosts, not with nmap I know, but with some other network tool? If not, how difficult would it be to code such a feature into nmap or just as a standalone program?

Derek
Date: Thu, 28 Jan 2010 10:18:37 -0700
From: david () bamsoftware com
To: depierjack () msn com
CC: nmap-dev () insecure org
Subject: Re: nmap 5.21 sends protocol unreachable

On Wed, Jan 27, 2010 at 10:17:52PM -0500, Derek wrote:

> I am running Windows 7 64-bit and I was curious about how internet hosts would respond to the three different ICMP pings that nmap supports. I also had Wireshark running while performing these pings. I noticed that after receiving a reply, I would see ICMP Protocol Unreachable packets being sent to the replying host from my machine. While using the Windows ping program this did not happen, so I am assuming nmap is sending these packets. So my question is why is nmap doing this and if not nmap, why is it happening. I have the nmap network scanning book and I don't recall reading anything about nmap sending this type of packet, but actually looking for this type of response when performing an IP protocol scan. Any thoughts would be appreciated.

Those packets are probably being sent by Windows, not Nmap. When the remote host sends its replies, Windows is not expecting them because Nmap bypassed the operating system and crafted them itself. It seems strange that Windows is sending a protocol unreachable for ICMP instead of dropping the packets, but that could be how Windows 7 does it for all I know.

It's a lot like how the operating system of the scanning machine sends RST packets during a SYN scan. In most cases that's what you want. Look under figure 5.2 on page 97:

  Nmap could send this RST packet easily enough, but it doesn't actually need to. ... The OS running on krad also receives the SYN/ACK, which it doesn't expect because Nmap crafted the SYN probe itself. So the OS responds to the unexpected SYN/ACK with a RST packet.

David Fifield
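Added example, not part of the thread and not Nmap code: a Python decoder for the packet described above, an ICMP Protocol Unreachable (type 3, code 2) whose quoted datagram shows which ICMP reply the sending host's own IP stack rejected. The function names are hypothetical and the sample packet is constructed with documentation addresses.

```python
import socket
import struct

# ICMP reply types for the three ICMP pings mentioned in the thread
REPLY_TYPES = {0: "echo reply", 14: "timestamp reply", 18: "address mask reply"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(msg: bytes, offset: int) -> bytes:
    """Fill the zeroed 16-bit checksum field at `offset`."""
    return msg[:offset] + struct.pack("!H", inet_checksum(msg)) + msg[offset + 2:]

def ip_header(src: str, dst: str, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr, 10)

def build_sample(scanner="192.0.2.10", remote="198.51.100.7") -> bytes:
    """Constructed packet: the scanner's OS rejects an echo reply it did not expect."""
    reply = with_checksum(struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1), 2)
    quoted = ip_header(remote, scanner, len(reply)) + reply   # datagram being rejected
    err = with_checksum(struct.pack("!BBHI", 3, 2, 0, 0) + quoted, 2)
    return ip_header(scanner, remote, len(err)) + err

def parse_protocol_unreachable(packet: bytes):
    """Return details of an ICMP protocol unreachable, or None for anything else."""
    if len(packet) < 20 or packet[9] != 1:                    # outer protocol must be ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 28 or (icmp[0], icmp[1]) != (3, 2) or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]                                         # original IP header + 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    inner = quoted[q_ihl] if quoted[9] == 1 and len(quoted) > q_ihl else None
    return {"sender": socket.inet_ntoa(packet[12:16]),
            "rejected_from": socket.inet_ntoa(quoted[12:16]),
            "rejected_proto": quoted[9],
            "rejected_icmp": REPLY_TYPES.get(inner, inner)}

if __name__ == "__main__":
    print(parse_protocol_unreachable(build_sample()))
```
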
Current thread:
- nmap 5.21 sends protocol unreachable Derek (Jan 28)
- Re: nmap 5.21 sends protocol unreachable David Fifield (Jan 28)
- RE: nmap 5.21 sends protocol unreachable Derek (Jan 28)
- Re: nmap 5.21 sends protocol unreachable David Fifield (Jan 28)
- RE: nmap 5.21 sends protocol unreachable Derek (Jan 30)
- Re: nmap 5.21 sends protocol unreachable David Fifield (Jan 30)
- RE: nmap 5.21 sends protocol unreachable Derek (Jan 28)
- Re: nmap 5.21 sends protocol unreachable David Fifield (Jan 28)