Nmap Development mailing list archives

IPv6 scan not correct ?


From: Ruediger Rissmann <RRI () zurich ibm com>
Date: Wed, 25 Jun 2003 17:05:02 +0200





Hi,

I just ran nmap against one of my IPv6 routers, and found that every port
was reported to be open. I had a look into the router configuration and
found that every port is blocked by an ACL and that all the packets
from my nmap scan were discarded. Instead the router sent back an ICMPv6
destination unreachable type 1:
"communication with destination administratively prohibited", which seems
not to be understood correctly by nmap.

I removed the access-list, and nmap reported the correct ports to be open,
so the problem seems to be only that specific ICMPv6 message.

I debugged the problem in scan_engine.cc
and found that

static int get_connect_results ( ......
...
      if (getsockopt(sd, SOL_SOCKET, SO_ERROR, (char *) &optval, &optlen) != 0)
        optval = errno;
      switch (optval) ....

}

where optval is set to 13, which is EACCES, in the
case I described above.

So this little patch solved the problem:

--- scan_engine.cc      2003-06-25 15:36:47.000000000 +0200
+++ scan_engine.bak     2003-06-25 14:48:15.000000000 +0200
@@ -341,16 +341,6 @@
          posportupdate(target, current, NULL, trynum, scan, ss,
CONNECT_SCAN, P
ORT_OPEN, pil, csi);
 #endif
          break;
-#ifdef HAVE_IPV6
-       case EACCES:
-         /* At least for my routers that send back an
-            ICMPv6
-            destination unreachable type 1:
-            "communication with destination administratively prohibited"
-            This seems to be right */
-       posportupdate(target, current, NULL, trynum, scan, ss,
CONNECT_SCAN, POR
T_FIREWALLED, pil, csi);
-       break;
-#endif
        case ECONNREFUSED:
          posportupdate(target, current, NULL, trynum, scan, ss,
CONNECT_SCAN, P
ORT_CLOSED, pil, csi);
          break;
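
Review bot: The diff is reversed: the headers name scan_engine.cc as the old file and scan_engine.bak as the new one, so the whole `case EACCES:` block shows up as removed lines and the patch only does what the message describes when applied with -R; regenerate it as `diff -u scan_engine.bak scan_engine.cc`. In the block itself, the `#ifdef HAVE_IPV6` guard is narrower than the condition it handles, since the switch is on the SO_ERROR value and EACCES is a generic errno, so either drop the guard or say in the comment why IPv4 should keep the old behaviour. The `posportupdate(...)` call and its `break;` are also indented one level less than the bodies of the neighbouring cases.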


Is that the right place to fix it ?

Thanks,
      Ruedi

Here are the results of the scan against my router before the fix:

Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-06-25 10:47 CEST
Strange read error from 2001:620:0:fffd::2: Permission denied
Strange read error from 2001:620:0:fffd::2 (13): Operation now in progress
Strange read error from 2001:620:0:fffd::2 (13): Operation now in progress
Strange read error from 2001:620:0:fffd::2 (13): Operation now in progress
.........

Interesting ports on 2001:620:0:fffd::2:
Port       State       Service
1/tcp      open        tcpmux
2/tcp      open        compressnet
3/tcp      open        compressnet
4/tcp      open        unknown
5/tcp      open        rje
6/tcp      open        unknown
7/tcp      open        echo
8/tcp      open        unknown
9/tcp      open        discard
10/tcp     open        unknown
11/tcp     open        systat
12/tcp     open        unknown
......

And so on. But believe me, all these ports are CLOSED.

-------------------------------------------------------------------------------

Ruediger Rissmann
IBM Zurich Research Laboratory
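
The check discussed in the post, written out as a stand-alone C example (added here; not code from the post or from nmap): a non-blocking connect() whose pending error is read with getsockopt(SO_ERROR) and mapped to a port state, with EACCES treated as firewalled. The names port_state, classify_so_error and probe_port, and the choice to also count EHOSTUNREACH, ENETUNREACH and ETIMEDOUT as firewalled, are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>   /* sockaddr_in / sockaddr_in6 for callers */
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical state names for this example (not nmap's constants). */
enum port_state { ST_OPEN, ST_CLOSED, ST_FIREWALLED, ST_UNKNOWN };

/* Map the pending socket error of a finished connect() to a port state. */
enum port_state classify_so_error(int so_error) {
    switch (so_error) {
    case 0:            return ST_OPEN;        /* handshake completed */
    case ECONNREFUSED: return ST_CLOSED;      /* RST received */
    case EACCES:                              /* the errno reported in the post */
    case EHOSTUNREACH:                        /* assumption: other ICMP errors */
    case ENETUNREACH:
    case ETIMEDOUT:    return ST_FIREWALLED;  /* rejected or silently dropped */
    default:           return ST_UNKNOWN;     /* unrecognised: never call it open */
    }
}

/* Non-blocking connect to sa, wait up to timeout_ms, classify the result. */
enum port_state probe_port(const struct sockaddr *sa, socklen_t salen, int timeout_ms) {
    int sd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (sd < 0) return ST_UNKNOWN;
    fcntl(sd, F_SETFL, fcntl(sd, F_GETFL, 0) | O_NONBLOCK);
    int err = 0;
    if (connect(sd, sa, salen) != 0) {
        err = errno;
        if (err == EINPROGRESS) {
            fd_set wfds;
            struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
            FD_ZERO(&wfds);
            FD_SET(sd, &wfds);
            if (select(sd + 1, NULL, &wfds, NULL, &tv) <= 0) {
                err = ETIMEDOUT;              /* no answer in time (or select failed) */
            } else {
                socklen_t len = sizeof err;   /* fetch the deferred connect() result */
                if (getsockopt(sd, SOL_SOCKET, SO_ERROR, &err, &len) != 0)
                    err = errno;
            }
        }
    }
    close(sd);
    return classify_so_error(err);
}
```

probe_port works for either address family: pass a filled-in struct sockaddr_in6 for an IPv6 target such as the router in the post.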


