Nmap Development mailing list archives
Re: Deny/Reject patch
From: Fyodor <fyodor () insecure org>
Date: Wed, 24 Oct 2001 15:46:45 -0700
On Wed, Oct 24, 2001 at 10:29:02PM +0200, Guillaume Valadon wrote:
> As seen on the pen-test mailing list several weeks ago, some people find it useful to know the kind of ICMP unreachable we eventually got in response.
Agreed. It is also useful to know the IP address which the unreachable came from.
> By the way, I have a question: why is the lamer UDP scan gone?
Unfortunately it was not sufficiently reliable. If you really want to try it, you can use an older version of Nmap. But for UDP scans, root access helps tremendously. Usually that is not a problem. If you don't have root for some reason, try http://lists.insecure.org/bugtraq/2001/Oct/0140.html :). On Solaris it is even less of a problem.
> To conclude this mail, I want to start a discussion about the utility of fingerprinting systems with these ICMP unreachables (if we got them, let's use them, it can't kill us). I worked a little on this topic and I still think it can "easily" be done.
Well, one issue is that they are often sent by other machines rather than the actual destination -- so fingerprinting that doesn't help. In some cases, filters can even forge the packets to make them look like they came from the destination host. And even when the packets really do come from the target host, the actual packets may depend on the firewalling software being used. On Solaris, ipf and firewall-1 may send different "destination prohibited by filter" ICMP messages. And vice versa: ipf may send the same packet whether it is running on Solaris or Linux. I haven't done a whole lot of experimentation, but those are the risks that come to mind.

This is one reason that Nmap is pretty picky about what kinds of ICMP messages are used for fingerprints. Some people seem to think that Nmap only uses TCP and IP characteristics for fingerprinting. But ICMP *is* used where it seems to work well. Probably at least 15% of the tests are ICMP-based and this has been true since the beginning.

Cheers,
-F

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
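Fyodor's point above is that an unreachable may be emitted by a filter or router rather than by the host that was probed, so before reading anything into it you need both the ICMP code and a check of who actually sent it. The following is an added example, not code from this thread or from Nmap: it parses a raw IPv4 packet carrying an ICMP Destination Unreachable, records the code, and compares the reply's source address with the destination of the quoted probe; the sample packets, addresses and the `build_sample` helper are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What one ICMP Destination Unreachable reply tells us. */
struct unreach_info {
    uint8_t code;        /* ICMP code: 3 = port unreachable, 13 = admin prohibited, ... */
    uint32_t sender;     /* address that emitted the unreachable (outer IP source) */
    uint32_t probe_dst;  /* address our probe was sent to (from the quoted inner IP header) */
    int from_target;     /* 1 only if sender == probe_dst; otherwise a filter/router replied */
};

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Parse a raw IPv4 packet carrying ICMP type 3. Returns 0 on success, -1 if too short,
   not IPv4/ICMP, or not type 3. Checksums are not verified (constructed samples use 0). */
int parse_unreachable(const uint8_t *pkt, size_t len, struct unreach_info *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 8 + 20 || pkt[9] != 1 /* IPPROTO_ICMP */) return -1;
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != 3) return -1;                 /* type 3 = Destination Unreachable */
    const uint8_t *inner = icmp + 8;             /* quoted header of the original probe */
    if ((inner[0] >> 4) != 4) return -1;
    out->code = icmp[1];
    out->sender = be32(pkt + 12);
    out->probe_dst = be32(inner + 16);
    out->from_target = (out->sender == out->probe_dst);
    return 0;
}

/* Build a constructed 48-byte sample: outer IPv4 + ICMP type 3 + quoted probe header. */
size_t build_sample(uint8_t *buf, uint32_t sender, uint32_t probe_src, uint32_t probe_dst, uint8_t code) {
    memset(buf, 0, 48);
    buf[0] = 0x45; buf[9] = 1; put32(buf + 12, sender); put32(buf + 16, probe_src);
    buf[20] = 3; buf[21] = code;                 /* ICMP header: type 3, given code */
    buf[28] = 0x45; buf[37] = 17;                /* quoted probe: IPv4 header, UDP */
    put32(buf + 40, probe_src); put32(buf + 44, probe_dst);
    return 48;
}

int main(void) {
    uint8_t pkt[48]; struct unreach_info info;
    build_sample(pkt, 0x0a000005, 0x0a000001, 0x0a000005, 3);   /* port unreachable from the target */
    if (parse_unreachable(pkt, 48, &info) == 0) printf("code %u from_target=%d\n", info.code, info.from_target);
    build_sample(pkt, 0x0a0000fe, 0x0a000001, 0x0a000005, 13);  /* admin prohibited from a router */
    if (parse_unreachable(pkt, 48, &info) == 0) printf("code %u from_target=%d\n", info.code, info.from_target);
    return 0;
}
```

A reply with `from_target == 0` says something about the path or a filter, not about the probed host's stack, which is exactly why it is a poor fingerprinting input.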