Nmap Development mailing list archives

Re: [updated patch] fragment scan got broken between 3.50 and 3.75


From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 29 Jan 2005 18:14:59 +0100

On Sat, Jan 29, 2005 at 10:24:33AM +0300, Andrey A. Tutolmin wrote:

I've just tried to use double -f on FreeBSD and got errors:

FreeBSD hosting.host.ru 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #1:

root@hosting ~/nlp 555$ /nmapm -sS -f -f -n -q -v -P0 -p T:80,23 --packet_trace ns2

Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-01-29 10:20 MSK
Initiating SYN Stealth Scan against 194.67.163.238 [2 ports] at 10:20
sendto in send_ip_packet: sendto(3, packet, 28, 0, 194.67.163.238, 16) => Permission denied
sendto in send_ip_packet: sendto(3, packet, 28, 0, 194.67.163.238, 16) => Permission denied
SENT (0.0560s) TCP 213.234.205.2:?? > 194.67.163.238:?? ?? ttl=43 id=43640 iplen=24 frag offset=16 (incomplete)

This is interesting - you don't have permission to send first two
tiny fragments (len=28) but it seems like the last got it through
(len=24) ... could you check it with tcpdump -v (or snort -v) what
really leaves the box?

Do you have any idea about this "Permission denied"?

No, is there some limit in FreeBSD raw socket's sendto(2)?

Can FreeBSD send tiny fragments (mtu=20+8)? Could you check it with
hping2 or some other tool/lib?

I have updated the patch so that it does not try to send following
fragments when one fails.

http://Xtrmntr.org/ORBman/tmp/nmap/nmap-3.78-fragment.patch

Martin Mačok
ICT Security Consultant
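As an added example that is not part of the thread or of the nmap patch: a small Python model of the fragment layout behind the quoted --packet_trace lines (a 20-byte TCP header split into 8-byte IP fragments, so iplen 28, 28, 24 at byte offsets 0, 8, 16) and of the behaviour the updated patch describes, stopping at the first fragment the kernel refuses instead of emitting the remaining ones. The `sendto` callback is a hypothetical stand-in for the raw-socket call; nothing here touches the network.

```python
# Added example, not nmap code: models how double -f splits a transport header
# into 8-byte IP fragments and why sending must stop at the first failure.
IP_HEADER_LEN = 20


def fragment_layout(payload_len: int, frag_data_len: int = 8):
    """Return (iplen, byte_offset, more_fragments) for each fragment.

    frag_data_len must be a positive multiple of 8 because the IP fragment
    offset field counts 8-byte units. For a 20-byte TCP header with the
    default 8 this yields fragments carrying 8, 8 and 4 bytes, i.e. iplen
    28, 28 and 24 at offsets 0, 8 and 16, the sizes in the quoted trace.
    """
    if frag_data_len <= 0 or frag_data_len % 8 != 0:
        raise ValueError("fragment data length must be a positive multiple of 8")
    frags = []
    offset = 0
    while offset < payload_len:
        data = min(frag_data_len, payload_len - offset)
        more = offset + data < payload_len  # MF flag: more fragments follow
        frags.append((IP_HEADER_LEN + data, offset, more))
        offset += data
    return frags


def send_fragments(frags, sendto):
    """Send fragments in order and stop at the first one that fails.

    sendto(iplen, offset, more) is a hypothetical callback returning False
    when the kernel refuses the datagram (the 'Permission denied' case in
    the quoted trace). Returns (fragments_sent, fragments_attempted).
    Stopping early avoids emitting a lone tail fragment that the receiver
    can never reassemble, which is what the old code did.
    """
    sent = 0
    for attempted, frag in enumerate(frags, start=1):
        if not sendto(*frag):
            return sent, attempted
        sent += 1
    return sent, len(frags)


def refuses_mf_fragments(iplen, offset, more):
    """Constructed sender mimicking the trace: fragments with MF set fail."""
    return not more


if __name__ == "__main__":
    layout = fragment_layout(20)
    print("layout:", layout)          # [(28, 0, True), (28, 8, True), (24, 16, False)]
    print("sent/attempted:", send_fragments(layout, refuses_mf_fragments))  # (0, 1)
```

With the constructed sender, the old behaviour would have attempted all three fragments and emitted only the 24-byte tail (the "(incomplete)" line in the trace); the stop-on-failure loop attempts one, sends none, and reports the failure instead.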

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
