Nmap Development mailing list archives

Re: Deny/Reject patch


From: Fyodor <fyodor () insecure org>
Date: Wed, 24 Oct 2001 15:46:45 -0700

On Wed, Oct 24, 2001 at 10:29:02PM +0200, Guillaume Valadon wrote:

> As seen in the pen-test mailing list several weeks ago, some people find it
> useful to know the kind of icmp unreachable we eventually got in
> response.

Agreed.  It is also useful to know the IP address which the
unreachable came from.

> By the way, I have a question: why is the lamer udp scan gone?

Unfortunately it was not sufficiently reliable.  If you really want to
try it, you can use an older version of Nmap.  But for UDP scans, root
access helps tremendously.  Usually that is not a problem.   If you
don't have root for some reason, try
http://lists.insecure.org/bugtraq/2001/Oct/0140.html :).  On Solaris
it is even less of a problem.

> To conclude this mail, I want to start a talk about the utility of
> fingerprinting systems with these icmp unreachables (if we got them, let's
> use them, it can't kill us). I worked a little on this topic and I still
> think it can "easily" be done.

Well one issue is that they are often sent by other machines rather
than the actual destination -- so fingerprinting that doesn't help.
In some cases, filters can even forge the packets to make them look
like they came from the destination host.  And even when the packets
really do come from target host, the actual packets may depend on the
firewalling software being used.  On Solaris, ipf and firewall-1 may
send different "destination prohibited by filter" ICMP messages.  And
vice versa: ipf may send the same packet whether it is running on
Solaris or Linux.  I haven't done a whole lot of experimentation, but
those are the risks that come to mind.  This is one reason that Nmap
is pretty picky about what kinds of ICMP messages are used for
fingerprints.

Some people seem to think that Nmap only uses TCP and IP
characteristics for fingerprinting.  But ICMP *is* used where it seems
to work well.  Probably at least 15% of the tests are ICMP-based and
this has been true since the beginning.

Cheers,
-F
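As an added illustration of the two points above (record the unreachable code, and record which address the ICMP actually came from, since a router or filter often answers instead of the probed host), here is a small parser written for this archive page; it is not Nmap code, and the sample packets are constructed with zeroed checksums and documentation addresses.

```python
import ipaddress
import struct

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1122.
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 9: "net prohibited", 10: "host prohibited",
                 13: "communication administratively prohibited"}


def parse_icmp_unreachable(ipv4_packet: bytes) -> dict:
    """Return the unreachable code, the ICMP sender, and the original probe's
    destination/port taken from the quoted inner IP header.  `from_intermediate`
    is True when the ICMP came from a host other than the one that was probed."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ipv4_packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp_src = str(ipaddress.IPv4Address(ipv4_packet[12:16]))
    icmp = ipv4_packet[ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"ICMP type {icmp_type} is not Destination Unreachable")
    inner = icmp[8:]  # quoted original IP header + first 8 bytes of its payload
    inner_ihl = (inner[0] & 0x0F) * 4
    probe_dst = str(ipaddress.IPv4Address(inner[16:20]))
    probe_dport = None
    if inner[9] in (6, 17) and len(inner) >= inner_ihl + 4:  # TCP or UDP quoted
        probe_dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {"code": icmp_code,
            "code_name": UNREACH_CODES.get(icmp_code, "other"),
            "icmp_from": icmp_src,
            "probe_dst": probe_dst,
            "probe_dport": probe_dport,
            "from_intermediate": icmp_src != probe_dst}


def build_unreachable(icmp_src: str, probe_src: str, probe_dst: str,
                      code: int, dport: int) -> bytes:
    """Construct a sample IPv4/ICMP unreachable for a UDP probe (checksums
    left at zero; this is test input only and is never sent anywhere)."""
    pack4 = lambda a: ipaddress.IPv4Address(a).packed
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                           pack4(probe_src), pack4(probe_dst))
    inner_udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_udp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                           pack4(icmp_src), pack4(probe_src))
    return outer_ip + icmp
```

A "prohibited" code arriving from an address other than the probed host is the filter case Fyodor describes, and is worth logging separately from a plain port-unreachable sent by the host itself.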
