Nmap Development mailing list archives

RE: nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency


From: "Tom H" <tom () scriptsupport co uk>
Date: Fri, 1 Aug 2003 02:20:23 +0100


Hi,

I was watching an ethereal trace of the win32 command line nmap v3.30,
while I was scanning a local network for open rpc ports using the
following command
C:\>nmap -v -p 135 10.0.0.1/24
and noticed that during the scan, nmap sends 2 packets with a destination
address of 11.0.0.3, and that these packets are echo replies. The first
is sent almost immediately

after some more messing about, these packets only seem to be created
when scanning (syn/tcp/ping) my own ip address with nmap, 10.0.0.3, but are not
created when someone else pings/scans my ip address.

the packets are also coming from the ntoskrnl, but the winpcap driver
has a Netgroup Packet Filter which is the kernel portion of the winpcap,
and this might be what is responsible for those packets. Though there does
seem to be a separate application called "NPF Driver - TME extensions" which I
previously assumed was winpcap.

I tried changing my ip to a static one, 10.0.0.179, and when I scanned my own
ip address again, there were packets sent to 11.0.0.179. this confirmed my
earlier suspicion that this was more likely to be an off by 1 bug in the code somewhere
rather than something bad going on with nmap/winpcap or my computer.

T.
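
The check described in the message above, as an added example that is not part of the original post or of nmap/winpcap: it flags echo replies sent from a local address to an out-of-subnet destination that differs from that address by exactly 1 in a single octet. The packet rows are constructed sample data, and the function names and tuple layout are assumptions made for this illustration.

```python
import ipaddress

ICMP_ECHO_REPLY = 0  # ICMP type 0 = echo reply, type 8 = echo request

# Constructed sample rows shaped like an exported capture summary:
# (source, destination, ICMP type). Not taken from the original trace.
SAMPLE_PACKETS = [
    ("10.0.0.3", "10.0.0.1", 8),
    ("10.0.0.3", "11.0.0.3", 0),
    ("10.0.0.3", "10.0.0.4", 0),   # ordinary reply to a neighbour, in-subnet
    ("10.0.0.3", "11.0.0.3", 0),
    ("10.0.0.1", "10.0.0.3", 0),
]


def octet_drift(local, dest):
    """Return (octet_index, delta) when dest differs from local in exactly
    one octet and by exactly +/-1 there; otherwise return None."""
    a = ipaddress.IPv4Address(local).packed
    b = ipaddress.IPv4Address(dest).packed
    diffs = [(i, b[i] - a[i]) for i in range(4) if a[i] != b[i]]
    if len(diffs) == 1 and abs(diffs[0][1]) == 1:
        return diffs[0]
    return None


def find_stray_replies(packets, local_addrs, scanned_net):
    """List echo replies that leave a local address for a destination outside
    the scanned network that is an off-by-one neighbour of the source."""
    net = ipaddress.ip_network(scanned_net, strict=False)
    hits = []
    for src, dst, icmp_type in packets:
        if icmp_type != ICMP_ECHO_REPLY or src not in local_addrs:
            continue
        if ipaddress.IPv4Address(dst) in net:
            continue  # replies to in-subnet hosts are expected traffic
        drift = octet_drift(src, dst)
        if drift is not None:
            hits.append((src, dst, drift[0], drift[1]))
    return hits


if __name__ == "__main__":
    for src, dst, idx, delta in find_stray_replies(
            SAMPLE_PACKETS, {"10.0.0.3"}, "10.0.0.1/24"):
        print(f"{src} -> {dst}: octet {idx + 1} off by {delta:+d}")
```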

