Re: Fragscan not working?

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/07/2010 01:49 PM, Brandon Enright wrote:
> On Wed, 7 Apr 2010 09:55:59 -0500
> Ron <ron () skullsecurity net> wrote:
>
> > On Wed, 7 Apr 2010 08:51:04 -0600 David Fifield
> > <david () bamsoftware com> wrote:
> > > On Wed, Apr 07, 2010 at 09:30:01AM -0500, Ron wrote:
> > > > My friend reported fragscan (-f) not working on the latest version
> > > > of Nmap. I tried a couple experiments (both against hosts on the
> > > > local network and off the local network) and got absolutely no
> > > > responses (ie, 'no ports open'). 
> > > It works for me against scanme.nmap.org and against the LAN. Did a
> > > previous version of Nmap work for your friend?
> > >
> > > David Fifield
> > Yes, he said that 4.68 or so worked. I just tried scanme.insecure.org
> > from two different computers and it didn't work. they can't scan each
> > other, either, using -f (they're on different subnets on our
> > intranet, but there's no filtering between them). I also tried
> > scanning two systems on the same subnet with no luck. 
> >
> > I can send a packet capture off list, if that would help. This is the
> > output from a test system scanning scanme.insecure.org-- looks like
> > nothing's being received
>
> I seem to have a different problem.  My scans work and I get responses
> back with -f but a quick look with tcpdump shows my packets aren't
> fragmented.  I'm running 2.6.31 mostly vanilla.
>
> If I add --send-eth I do see the fragments go by and the scan also
> works.
>
> I suppose -f should probably imply --send-eth, at least on Linux.

I used -f against a host on my LAN (directly connected) and two hosts across
the internet (google and scanme), and it all seemed to work fine.  I used
Wireshark and --packet-trace to watch the traffic, and Nmap gave me good data
every time.  I even reran using (the unneeded) --send-ip to be sure afterward.

I'm running kernel 2.6.33 coming with Sidux (Debian sid).

> Brandon

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJLvRR/AAoJEEQxgFs5kUfu1l0P/3nL1uKJfoRbiZ5T75x2/woN
fwEjeF05nOM1SBjvquQ+vfmPFuaSdPx90g9rZZDc7+xTqiKcXPpHQzEEUwNVc7ex
JHGrpKbJ/Zpy55wJUZac2KRkvs/QqKO9EhyMO2CYwCKFh6H46sBA7Sx3CoQ6d1FX
f5lwPd1qM/JaJI/D5ZuILN4mNbY0WVrAJ30JXGsYaPAsRlIDGG5P0UcuE39BHawM
OzTJDqgztWsGaL8URJ7rxhBSZ5q11ErfJzo4ib0p3GuSNdtDTqMjQMwiMZ/asMdT
aKOrGOKp9KH7WHHjBm+nGIPwoTImpovzd5G9DIGYzVYfu1KSDx/2J7tuq/EpvrEu
Sa/RRJtKsWzH/4LSp+ZrKY+WOjgnlqSj2ynsZ0v0G8ukiR6an3kSwDTLdk3ExB0O
AlI8dkDNHhE8FNq/oU3N4FtBsAVr5DT4Cu+Iubj/B+v4++YZDcyoxfCFePV8B2qJ
AvWhidFLVTkniWNVip2Bu5km4wmkaGXIFXJ80bG492d/esNQgm5MKRiCUJ4WJYvW
Ps6nmrG76WMycqKnKJKEbi+jBezzkJwydV1JO+eRPnFKYOa+dTfTnhL7+ZXWXJy9
uQsHDfHER0gYBUxB8fonhLSLnDY4yxlOrsGYrXsPo4Ut7w/j2h8apjEGY2tlNhX9
76eGia9nGkD5nxbNRLXt
=8aBY
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/