Nmap Development mailing list archives
Re: bug in svn 17300
From: David Fifield <david () bamsoftware com>
Date: Thu, 15 Apr 2010 10:32:02 -0600
On Wed, Apr 14, 2010 at 02:07:05PM -0500, Daniel Miller wrote:
Not sure what's going on, but it seems consistent. Run as "sudo nmap -oA nmap.7300.err -d --log-errors --script-trace --packet-trace -v -A -sU 192.168.1.0/24". Error is "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol error)". Packet capture shows an ICMP error from the target, "IP header bad". I have attached the following: nmap.17300.err.output - last 200 or so lines of output nmap.17300.err.nmap - regular output file nmap.17300.err.xml - XML output nmap.17300.pcap - packet capture of the host and port (192.168.1.20:5000) conversation
This is very interesting. It will be pretty easy to fix, because this is just an error response that no one has seen or reported before. All we need to do is add a handler for EPROTO in service_scan.cc. I'm kind of curious to find out how this could happen. As you noted, a type-12 ICMP error ("Parameter problem") is coming back in response to the Sqlping version probe. It doesn't look like there's anything wrong with the probe to me. My conjecture is that an active IPS or some other mechanism is forging the ICMP error. There's a Snort rule that catches the Sqlping probe: http://www.snort.org/search/sid/2049. Try changing this line of nmap-service-probes: Probe UDP Sqlping q|\x02| to this: Probe UDP Sqlping q|\x03| And see if it still happens. This is just a test of my conjecture and you should change it back afterwards. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- bug in svn 17300 Daniel Miller (Apr 15)
- Re: bug in svn 17300 Daniel Miller (Apr 14)
- Re: bug in svn 17300 David Fifield (Apr 15)
- Message not available
- Message not available
- Re: bug in svn 17300 David Fifield (May 06)
- Re: bug in svn 17300 jah (May 08)
- Re: bug in svn 17300 jah (May 08)
- Re: bug in svn 17300 David Fifield (May 08)
- Re: bug in svn 17300 jah (May 08)
- Message not available