Nmap Development mailing list archives

Re: Force TCP traceroute


From: Jochen Bartl <jochenbartl () mailbox org>
Date: Sat, 17 Oct 2015 00:25:52 +0200


> Is this port actually responding (closed/open)? What does --packet-trace
> say?


The port is actually in the "filtered" state, because the firewall in
front of it is just dropping the packets on port tcp/3389. I have access
to the server and the firewall.

My intention was to use Nmap and see how close I can get with the TCP
destination port to the target and be able to spot where the firewall
could be in the path.

I've used Scapy, lft and tcptrace for that and thought it would be nice
to be able to do that with Nmap too.

Here is the packet-trace including -vvv and -ddd:

nmap -sS -n -Pn -PS3389 --traceroute -p 3389 --packet-trace -vvv -ddd w.x.y.z

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-16 23:56 CEST
Fetchfile found /usr/bin/../share/nmap/nmap-services
Fetchfile found /usr/bin/../share/nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found /usr/bin/../share/nmap/nmap-payloads
Initiating Ping Scan at 23:56
Scanning www.example.com (w.x.y.z) [1 port]
Packet capture filter (device eth0): dst host y.y.y.y and (icmp or icmp6
or ((tcp or udp or sctp) and (src host w.x.y.z)))
SENT (0.1699s) TCP [y.y.y.y:38182 > w.x.y.z:3389 S seq=2143877242 ack=0
off=6 res=0 win=1024 csum=0xCB44 urp=0 <mss 1460>] IP [ver=4 ihl=5
tos=0x00 iplen=44 id=59112 foff=0 ttl=56 proto=6 csum=0xeda8]
**TIMING STATS** (0.1700s): IP, probes
active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
Current sending rates: 13.98 packets / s, 615.11 bytes / s.
Overall sending rates: 13.98 packets / s, 615.11 bytes / s.
SENT (1.1710s) TCP [y.y.y.y:38183 > w.x.y.z:3389 S seq=2143942779 ack=0
off=6 res=0 win=1024 csum=0xCB41 urp=0 <mss 1460>] IP [ver=4 ihl=5
tos=0x00 iplen=44 id=14557 foff=0 ttl=50 proto=6 csum=0xa1b4]
**TIMING STATS** (1.1712s): IP, probes
active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
Current sending rates: 1.86 packets / s, 82.03 bytes / s.
Overall sending rates: 1.86 packets / s, 82.03 bytes / s.
**TIMING STATS** (2.1720s): IP, probes
active/freshportsleft/retry_stack/outstanding/retranwait/onbench,
cwnd/ssthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 0/*/*/*/*/* 10.00/75/* 1000000/-1/-1
Current sending rates: 0.96 packets / s, 42.44 bytes / s.
Overall sending rates: 0.96 packets / s, 42.44 bytes / s.
ultrascan_host_probe_update called for machine w.x.y.z state UNKNOWN ->
HOST_DOWN (trynum 1 time: 1003560)
Moving w.x.y.z to completed hosts list with 1 outstanding probe.
Completed Ping Scan at 23:56, 2.08s elapsed (1 total hosts)
Overall sending rates: 0.96 packets / s, 42.39 bytes / s.
pcap stats: 0 packets received by filter, 0 dropped by kernel.
Nmap scan report for www.example.com (w.x.y.z) [host down, received
no-response]
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes,
try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.22 seconds
           Raw packets sent: 2 (88B) | Rcvd: 0 (0B)




_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
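
Added example, not part of the original message or of Nmap: Python code that re-joins the mail-wrapped --packet-trace records quoted above and reports the TTL of every probe sent and every address that replied, which is what the trace is being read for here. The function names are hypothetical; the input lines are copied from the message.

```python
import re

# SENT records copied from the message above, still hard-wrapped by the mailer.
TRACE = """\
SENT (0.1699s) TCP [y.y.y.y:38182 > w.x.y.z:3389 S seq=2143877242 ack=0
off=6 res=0 win=1024 csum=0xCB44 urp=0 <mss 1460>] IP [ver=4 ihl=5
tos=0x00 iplen=44 id=59112 foff=0 ttl=56 proto=6 csum=0xeda8]
**TIMING STATS** (0.1700s): IP, probes
SENT (1.1710s) TCP [y.y.y.y:38183 > w.x.y.z:3389 S seq=2143942779 ack=0
off=6 res=0 win=1024 csum=0xCB41 urp=0 <mss 1460>] IP [ver=4 ihl=5
tos=0x00 iplen=44 id=14557 foff=0 ttl=50 proto=6 csum=0xa1b4]
Completed Ping Scan at 23:56, 2.08s elapsed (1 total hosts)
"""

# One complete record: direction, time, protocol, endpoints, detail, IP TTL.
REC = re.compile(
    r"^(SENT|RCVD) \((\d+\.\d+)s\) (\w+) "
    r"\[(\S+?)(?::(\d+))? > (\S+?)(?::(\d+))? (.*)\] "
    r"IP \[.*?ttl=(\d+).*\]$")

def records(text):
    """Yield complete SENT/RCVD records, re-joining wrapped lines."""
    buf = None
    for line in text.splitlines():
        if re.match(r"(SENT|RCVD) \(", line):
            buf = line.strip()              # a new record starts here
        elif buf is not None:
            buf += " " + line.strip()       # continuation of a wrapped record
        # A record is complete once its trailing "IP [...]" block has closed.
        if buf is not None and re.search(r"\] IP \[[^\]]*\]$", buf):
            yield buf
            buf = None

def summarize(text):
    """Return ({(proto, dst, dport): [probe TTLs]}, [(time, proto, replier)])."""
    probes, replies = {}, []
    for rec in records(text):
        m = REC.match(rec)
        if not m:
            continue
        direction, t, proto, src, _sport, dst, dport, _detail, ttl = m.groups()
        if direction == "SENT":
            probes.setdefault((proto, dst, dport), []).append(int(ttl))
        else:
            replies.append((float(t), proto, src))
    return probes, replies

if __name__ == "__main__":
    print(summarize(TRACE))
```

On the quoted trace this yields two SYN probes to tcp/3389 and an empty reply list, matching the "Raw packets sent: 2 (88B) | Rcvd: 0 (0B)" line in the output.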
