Nmap Development mailing list archives

RE: nmap on GPRS connection & problem

From: "Jeff Gercken" <JeffG () kizan com>
Date: Tue, 2 Aug 2005 10:27:25 -0400

Are mixed TTL really that unusual?  Most networks have multiple paths
and, although it's common to statefully load balance, some are likely
doing it per packet.  I wouldn't make the assumption of a proxy w/o more
definitive evidence.

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of Nils Magnus
Sent: Monday, August 01, 2005 6:38 PM
To: zaka rias
Cc: nmap-dev () insecure org
Subject: Re: nmap on GPRS connection & problem

Re,

On Mon, Aug 01, 2005 at 10:27:41PM +0100, zaka rias wrote:

well im just home user and i have LAN with 3 pcs.
Gateaway using xp sp2 and 2 clients using Redhat Fedora (kernel 
2.4.20-8).

as: nmap -vvv -sT -sV -T1 -p 80,443 -oN logMS4 -P0 www.microsoft.com 
Interesting ports on 207.46.18.30:
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.0.50 ((Fedora))

do you know why ?

(im using GPRS to connect to the net, maybe this kind of connection 
block nmap ? or maybe cuz my gateaway using xp sp 2? ?).


I'd assume that your GPRS service provider uses some kind of transparent
proxy to handle web requests on 80/tcp. I'd recommend to use
tcpdump/tethereal in parallel to the scan to 80 and 443 and look closely
to the TTL values. If the TTL value of returning packets differ
depending on the port, the port with the higher TTL is closer and thus
most probably handled by a proxy (things like policy based routing etc.
not taken into account).

General thought: It might be handy to have this information available
directly in the nmap output, or at least give a warning if the values
differ for different ports:

Interesting ports on 207.46.18.30:
PORT    STATE SERVICE TTL VERSION
25/tcp  open  smtp     53 sendmail 8.1.2
80/tcp  open  http     61 Apache httpd 2.0.50 ((Fedora))
443/tcp open  https    53 whatever ...

Warning: Returning packets have different TTL values and are possibly
         port-forwarded or transparently proxied.

[...]

Just an idea,

Regards,

Nils Magnus
Program-Chair LinuxTag 2005 Free Conference Program

LinuxTag 2005: Where .com meets .org - magnus () linuxtag org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

Current thread:

nmap on GPRS connection & problem zaka rias (Aug 01)
- Re: nmap on GPRS connection & problem Nils Magnus (Aug 01)
- Re: nmap on GPRS connection & problem Martin Mačok (Aug 01)
- <Possible follow-ups>
- RE: nmap on GPRS connection & problem Jeff Gercken (Aug 02)