Nmap Development mailing list archives

Re: Nmap does not perform reliable scans on Solaris 11


From: David Fifield <david () bamsoftware com>
Date: Tue, 20 Mar 2012 00:26:37 -0700

On Sat, May 21, 2011 at 12:08:19AM -0700, David Fifield wrote:
On Mon, May 16, 2011 at 08:46:06PM +0200, Giovanni Schmid wrote:
Hi,

I tested Nmap 5.21 on Oracle Solaris 11 and found that it only
apparently works. Actually, many different scan sessions (with
different options and targets) got wrong results. For ex., the
following scan is related to a host with 22/tcp (SSH) and 111/tcp
(rpcbind) open; however the two services are not detected. Moreover,
turning off the -PN option results in a host apparently blocking up
ping probes. This is not the case, instead.

# nmap -A 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:13 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.60 seconds

# nmap -PN -A 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:14 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered
Too many fingerprints match this host to give specific OS details

TRACEROUTE (using proto 1/icmp)
HOP RTT    ADDRESS
1   ... 30

# nmap -PN -sS 172.16.3.42

Starting Nmap 5.21 ( http://nmap.org/ ) at 2011-05-16 20:34 CEST
Nmap scan report for 172.16.3.42
Host is up.
All 1000 scanned ports on 172.16.3.42 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.16 seconds

Thank you for reporting this. We need some more information from you. Do
the wrong results happen every time, or only sometimes? Is it only this
IP address that has the problem, or other LAN addresses, or all
addresses?

It looks like you are getting no responses at all from the target. Is
there a firewall or something similar in the way? What output do you see
when you run the command
      ssh -v 172.16.3.42

I recently had occasion to do some additional testing on Solaris, and
what I found is that Solaris 11 uses a different packet capture than
Solaris 10 does. Namely Solaris 11 uses BPF and Solaris 10 uses DLPI.
This means that we need to activate our platform-specific code that
knows about BPF on this platform.

The attached patch was enough to make it work for me. I will add a TODO
item to install a more permanent fix.

David Fifield

Attachment: solaris-11-selectable-fd.patch
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/