Nmap Development mailing list archives

RE: nmap 5.21 sends protocol unreachable


From: Derek <depierjack () msn com>
Date: Thu, 28 Jan 2010 19:38:50 -0500


I was actually thinking earlier today that maybe it was Windows sending
the packet because it is not expecting the reply, so I then tried it on
a Windows XP machine to see if it was a Windows thing. It seems to be a
Windows 7-specific feature, because the Windows XP PC did NOT send an
ICMP Protocol Unreachable message; in fact it didn't send any packet at
all after receiving the unexpected reply. So with that being said, is
it possible to forge echo, timestamp, or address mask replies to check
for live hosts, not with nmap I know, but with some other network tool?
If not, how difficult would it be to code such a feature into nmap or
just as a stand-alone program?

Derek

Date: Thu, 28 Jan 2010 10:18:37 -0700
From: david () bamsoftware com
To: depierjack () msn com
CC: nmap-dev () insecure org
Subject: Re: nmap 5.21 sends protocol unreachable

On Wed, Jan 27, 2010 at 10:17:52PM -0500, Derek wrote:
I am running Windows 7 64-bit and I was curious about how internet
hosts would respond to the three different ICMP pings that nmap
supports. I also had Wireshark running while performing these pings. I
noticed that after receiving a reply, I would see ICMP Protocol
Unreachable packets being sent to the replying host from my machine;
while using the Windows ping program this did not happen, so I am
assuming nmap is sending these packets. So my question is: why is nmap
doing this, and if not nmap, why is it happening? I have the nmap
network scanning book and I don't recall reading anything about nmap
sending this type of packet, but actually looking for this type of
response when performing an IP protocol scan. Any thoughts would be
appreciated.

Those packets are probably being sent by Windows, not Nmap. When the
remote host sends its replies, Windows is not expecting them because
Nmap bypassed the operating system and crafted them itself. It seems
strange that Windows is sending a protocol unreachable for ICMP instead
of dropping the packets, but that could be how Windows 7 does it for all
I know.

It's a lot like how the operating system of the scanning machine sends
RST packets during a SYN scan. In most cases that's what you want. Look
under figure 5.2 on page 97:

      Nmap could send this RST packet easily enough, but it doesn't
      actually need to. ... The OS running on krad also receives the
      SYN/ACK, which it doesn't expect because Nmap crafted the SYN
      probe itself. So the OS responds to the unexpected SYN/ACK with
      a RST packet.

David Fifield
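The two artifacts discussed in this thread (an ICMP protocol unreachable sent back at a host that answered a crafted ICMP probe, and the OS-generated RST that follows the SYN/ACK during a SYN scan) are both visible on the wire to whoever is watching the scanning machine's traffic. The following is an added example, not code from the thread or from the nmap project, showing how a defender could pick those sequences out of a packet summary. The packet records, the field names and the constructed sample traffic are all assumptions made for the example; a real deployment would fill the records from a capture tool rather than from literals.

```python
"""Spot two side effects of raw-socket probing in a packet summary.

Added example (not from the nmap project). Packets are simplified
records constructed inline; `kind` values are our own labels, e.g.
"proto-unreach" stands for ICMP type 3 code 2 (protocol unreachable).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float       # seconds since start of capture
    src: str
    dst: str
    proto: str      # "icmp" or "tcp"
    kind: str       # icmp: echo-req/echo-rep/ts-rep/mask-rep/proto-unreach
                    # tcp: SYN / "SYN/ACK" / ACK / RST
    sport: int = 0  # tcp only
    dport: int = 0  # tcp only


# ICMP reply types Nmap can elicit with its -PE / -PP / -PM probes.
PROBE_REPLIES = {"echo-rep", "ts-rep", "mask-rep"}


def find_icmp_raw_probes(pkts, window=1.0):
    """Return (local_host, remote_host) pairs where local_host received an
    ICMP reply from remote_host and then sent it an ICMP protocol
    unreachable within `window` seconds: the Windows 7 behaviour reported
    in the thread, i.e. the local stack never sent the matching request."""
    hits = set()
    for r in (p for p in pkts if p.proto == "icmp" and p.kind in PROBE_REPLIES):
        for p in pkts:
            if (p.proto == "icmp" and p.kind == "proto-unreach"
                    and p.src == r.dst and p.dst == r.src
                    and 0 <= p.ts - r.ts <= window):
                hits.add((r.dst, r.src))
                break
    return sorted(hits)


def find_half_open(pkts, window=1.0):
    """Return (scanner, target, port) for SYN -> SYN/ACK -> RST exchanges in
    which the initiator never sends an ACK: the handshake a SYN scan leaves
    behind, where the initiator's OS answers the unexpected SYN/ACK with RST."""
    hits = set()
    for s in (p for p in pkts if p.proto == "tcp" and p.kind == "SYN"):
        flow = [p for p in pkts
                if p.proto == "tcp" and s.ts <= p.ts <= s.ts + window
                and {p.src, p.dst} == {s.src, s.dst}
                and {p.sport, p.dport} == {s.sport, s.dport}]
        seen = {(p.src, p.kind) for p in flow}
        if ((s.dst, "SYN/ACK") in seen and (s.src, "RST") in seen
                and (s.src, "ACK") not in seen):
            hits.add((s.src, s.dst, s.dport))
    return sorted(hits)


# Constructed sample traffic: 10.0.0.5 probes 10.0.0.9 with raw sockets,
# 10.0.0.7 talks to 10.0.0.9 normally.
SAMPLE = [
    Pkt(0.00, "10.0.0.5", "10.0.0.9", "icmp", "echo-req"),
    Pkt(0.02, "10.0.0.9", "10.0.0.5", "icmp", "echo-rep"),
    Pkt(0.03, "10.0.0.5", "10.0.0.9", "icmp", "proto-unreach"),  # OS reaction
    Pkt(1.00, "10.0.0.7", "10.0.0.9", "icmp", "echo-req"),       # ordinary ping
    Pkt(1.02, "10.0.0.9", "10.0.0.7", "icmp", "echo-rep"),
    Pkt(2.00, "10.0.0.5", "10.0.0.9", "tcp", "SYN", 40000, 80),
    Pkt(2.01, "10.0.0.9", "10.0.0.5", "tcp", "SYN/ACK", 80, 40000),
    Pkt(2.02, "10.0.0.5", "10.0.0.9", "tcp", "RST", 40000, 80),  # OS reaction
    Pkt(3.00, "10.0.0.7", "10.0.0.9", "tcp", "SYN", 50000, 22),  # full handshake
    Pkt(3.01, "10.0.0.9", "10.0.0.7", "tcp", "SYN/ACK", 22, 50000),
    Pkt(3.02, "10.0.0.7", "10.0.0.9", "tcp", "ACK", 50000, 22),
]

if __name__ == "__main__":
    print("ICMP raw-probe pairs:", find_icmp_raw_probes(SAMPLE))
    print("half-open handshakes:", find_half_open(SAMPLE))
```

The ICMP check is only meaningful for hosts whose stack behaves like the Windows 7 machine in the thread; the XP machine Derek tested stayed silent, so its probes would leave only the unanswered-request pattern behind. The half-open check is stack-independent, since every mainstream OS replies to an unsolicited SYN/ACK with a RST, which is the behaviour the quoted book passage describes.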
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/