Nmap Announce mailing list archives

NMAP & "Whacked Packets" :-)


From: Daniel Ayers <daniel () netlink net nz>
Date: Thu, 8 Apr 1999 10:28:10 +1200 (NZST)


Hi,

I use nmap quite a lot as a general scanning tool.  I have had some problems
that I suspect have been mostly caused by the network environment (parts of
the network seem to have more than the occasional packet loss, and that
makes life hard for scanners).

I've looked through the nmap code and compiled a version with debugging
enabled ("#define DEBUGGING 1" in nmap.h).  I've spent some time looking at
the debugging output.

I should also mention that I usually run scans in parallel.  I tend to split
up the address space to be scanned into 5-10 chunks, and then run all those
chunks in parallel (from the same host).

I also scan hosts in bands of 2000 ports.  This is to reduce the effect of
lossy networks.  If there are enough drops, nmap will iterate the scan until
there are fewer drops or until it gives up after 20 attempts.  By scanning
the 64k port space 2000 ports at a time, the probability of massive (and
possibly endless) rescans of 64k ports is eliminated.

It's also worth pointing out that there tend to be packet filters in between
me and what I'm scanning.  The packet filters are almost always static
filters and they usually do not send ICMP unreachables.  Therefore most
ports appear unresponsive.  (By implication, this scanning is blind brute
force.  No ICMP/TCP pinging, just a SYN stealth scan of 64k TCP ports on each
IP).

Now, the problem... :-)

Sometimes the scans just don't work.  They yield completely incorrect
results, usually showing no open ports at all when there are ports open.
Sometimes a rescan using simpler parameters (nmap -sS -O -P0 -p1-1024 ...)
will work OK.

I have a script that writes the appropriate nmap commands to split up the
scan space into bands of 2000 ports and then "n" parallel streams.  That
script produces nmap command lines like this:

nmap -vv -sS -P0 -O -p1-2000  -o file1 -m file2  A.B.C.D

(where A.B.C.D is a single numeric IP address).

Later, that same IP will be scanned further using:

nmap -vv -sS -P0 -p2001-4000  -o file1 -m file2  A.B.C.D

nmap -vv -sS -P0 -p4001-6000  -o file1 -m file2  A.B.C.D

(etc)


When the scans don't work, the debugging output includes many lines of the
form:

Whacked packet to port 215 passed to posportupdate with state 16
Whacked packet to port 401 passed to posportupdate with state 16
Whacked packet to port 1509 passed to posportupdate with state 16
Whacked packet to port 522 passed to posportupdate with state 16
Whacked packet to port 2 passed to posportupdate with state 16
Whacked packet to port 456 passed to posportupdate with state 16
Whacked packet to port 971 passed to posportupdate with state 16
Whacked packet to port 1428 passed to posportupdate with state 16
Whacked packet to port 1835 passed to posportupdate with state 16
Whacked packet to port 100 passed to posportupdate with state 16
Whacked packet to port 270 passed to posportupdate with state 16


There are also a number of these messages:

Illegal ICMP type/code 3/1 unreachable packet:
Here it is:
3  1  3D D    0  0  0  0    45 0  0  3C   38 3A 0  0  
3A 6  D3 F0   XX XX XX XX   XX XX XX XX   DE A3 99 79 
8C 9C BB 37   

(IP addresses removed to protect the innocent :-)

My guess is that the ICMP messages are a result of parallel scans.  I'm not
sure about the "Whacked packet" messages.  I wonder if I'm doing something
that nmap wasn't designed to handle (lots of parallel scans, maybe they're
getting each other's responses confused?) or maybe there is a problem in
nmap?  State 16 is PORT_FRESH, suggesting to me that one invocation of nmap
is seeing responses it's not expecting, or a logic problem in the program.

Any assistance/suggestions would be appreciated.

Thanks,
Daniel.


------------------------------------------------------------------------------
Daniel Ayers ZL2UTV, B.Sc (Hons), M.Sc       Email: daniel.ayers () netlink co nz
Network Security Specialist              DDI Phone: +64-4-494-6165
Netlink                                        Fax: +64-4-494-6150
23 Waring Taylor St, PO Box 5358            Mobile: +64-21-387-334
Wellington, New Zealand                        URL: http://www.netlink.co.nz



