Nmap Development mailing list archives
Nmap and windows pptp-connection
From: <jammer () gmx ch>
Date: Sat, 7 Jan 2006 03:07:00 +0300
Hello all!

I've noticed some strange behaviour...

OS: Windows Server 2003 SP1
Internet connection works through MS VPN (PPTP), and I think there is no problem at my ISP.
Ethereal and so on works fine, so there is no (really no?) problem in the winpcap driver.

Here is a dump of a test scan of scanme.insecure.org, look at the IP protocol number of the generated packets...

***from nmap***
C:\temp\nmap-3.96BETA1-win32>nmap --mtu 1200 -sS -PE -vv -d9 -e ppp1 scanme.insecure.org
***WinIP*** trying to initialize winpcap 2.1
Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]
Warning: Packet fragmentation selected on a host other than Linux, OpenBSD, FreeBSD, or NetBSD. This may or may not work.
Starting Nmap 3.96BETA1 ( http://www.insecure.org/nmap ) at 2006-01-07 02:48
Warning: File ./nmap-services exists, but Nmap is using C:\temp\nmap-3.96BETA1-win32/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Fetchfile found C:\temp\nmap-3.96BETA1-win32/nmap-services
The max # of sockets we are using is: 0
WARNING: Unable to find appropriate interface for system route to 10.10.0.1
Packet capture filter (device ppp1): (icmp and dst host xxx.xxx.xxx.xxx) or ((tcp or udp) and dst host xxx.xxx.xxx.xxx and ( dst port 61383 or dst port 61384 or dst port 61385 or dst port 61386 or dst port 61387))
SENT (1.0780s) ICMP xxx.xxx.xxx.xxx > 205.217.153.62 Echo request (type=8/code=0) ttl=37 id=4787 iplen=28
SENT (3.0780s) ICMP xxx.xxx.xxx.xxx > 205.217.153.62 Echo request (type=8/code=0) ttl=55 id=666 iplen=28
Finished block: srtt: -1 rttvar: -1 timeout: 1000000 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 1
massping done: num_hosts: 1 num_responses: 0
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 5.094 seconds
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
C:\temp\nmap-3.96BETA1-win32>
***from nmap***

And at the same time a dump from windump 3.9.3:

***from windump***
C:\Windump 3.9.3>WinDump.exe -i \Device\NPF_{940CFF39-869E-48EB-AD44-13C53BF924E4} -n -vv host scanme.insecure.org
WinDump.exe: listening on \Device\NPF_{940CFF39-869E-48EB-AD44-13C53BF924E4}
02:48:52.350421 IP (tos 0x0, ttl 128, id 24054, offset 0, flags [none], proto: unknown (255), length: 48 ) xxx.xxx.xxx.xxx > 205.217.153.62: ip-proto-255 28
02:48:54.351398 IP (tos 0x0, ttl 128, id 24186, offset 0, flags [none], proto: unknown (255), length: 48 ) xxx.xxx.xxx.xxx > 205.217.153.62: ip-proto-255 28
2 packets captured
887 packets received by filter
0 packets dropped by kernel
C:\Windump 3.9.3>
***from windump***

You see ip-proto 255 from windump instead of nmap's type 8?
And it is the same with -PS80, or just -sS.
Nmap under Windows sends IP proto 255 instead of something intelligible.
And how to repair this?

Best regards, jammer

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
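Added example, not part of the original post or of Nmap: the by-eye comparison made above, done in Python by parsing the `SENT` lines of the Nmap `-d` trace and the WinDump `-vv` lines and listing which IP header fields disagree. The sample lines are taken from the two traces in the post; the function names and the in-order pairing of probes with captured packets are assumptions of this example.

```python
import re

# Sample input: probe and capture lines taken from the two traces in the post.
NMAP_TRACE = """\
SENT (1.0780s) ICMP xxx.xxx.xxx.xxx > 205.217.153.62 Echo request (type=8/code=0) ttl=37 id=4787 iplen=28
SENT (3.0780s) ICMP xxx.xxx.xxx.xxx > 205.217.153.62 Echo request (type=8/code=0) ttl=55 id=666 iplen=28
"""
WINDUMP_TRACE = """\
02:48:52.350421 IP (tos 0x0, ttl 128, id 24054, offset 0, flags [none], proto: unknown (255), length: 48 ) xxx.xxx.xxx.xxx > 205.217.153.62: ip-proto-255 28
02:48:54.351398 IP (tos 0x0, ttl 128, id 24186, offset 0, flags [none], proto: unknown (255), length: 48 ) xxx.xxx.xxx.xxx > 205.217.153.62: ip-proto-255 28
"""

PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}  # IANA IP protocol numbers
FIELDS = ("proto", "ttl", "id", "len")

NMAP_RE = re.compile(r"SENT \([\d.]+s\) (\w+) \S+ > \S+ .*?ttl=(\d+) id=(\d+) iplen=(\d+)")
DUMP_RE = re.compile(r"ttl (\d+), id (\d+),.*?proto: \S+ \((\d+)\), length: (\d+)\s*\)")

def parse_nmap(text):
    """Header fields Nmap reports for each SENT probe in its -d trace."""
    return [dict(zip(FIELDS, (PROTO_NUM.get(name), int(ttl), int(ipid), int(iplen))))
            for name, ttl, ipid, iplen in NMAP_RE.findall(text)]

def parse_windump(text):
    """Header fields WinDump -vv prints for each captured IP packet."""
    return [dict(zip(FIELDS, (int(proto), int(ttl), int(ipid), int(length))))
            for ttl, ipid, proto, length in DUMP_RE.findall(text)]

def compare(sent, seen):
    """Pair probes with captured packets in order; list the fields that differ."""
    return [{"diffs": [f for f in FIELDS if s[f] != w[f]],
             "wire_proto": w["proto"],
             "extra_bytes": w["len"] - s["len"]}
            for s, w in zip(sent, seen)]

if __name__ == "__main__":
    rows = compare(parse_nmap(NMAP_TRACE), parse_windump(WINDUMP_TRACE))
    for n, row in enumerate(rows, 1):
        print(f"probe {n}: differs in {row['diffs']}, on-wire proto {row['wire_proto']}, "
              f"{row['extra_bytes']} bytes longer than Nmap's iplen")
```

On these lines every compared field differs, the on-wire protocol is 255, and each captured packet is 20 bytes longer than the iplen Nmap reports, which matches the 28-byte payload WinDump prints.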