Nmap Development mailing list archives

Re: icmpprotohack question


From: Fyodor <fyodor () insecure org>
Date: Sun, 25 Jun 2006 14:05:31 -0700

On Wed, Jun 14, 2006 at 02:24:25PM +0200, Eddie Bell wrote:
> In scan_engine.cc at the bottom of get_pcap_results() there is a block of
> code, used in protocol scans, that seems to set icmp as open if nmap
> receives any icmp packet.
>
> I set up a firewall rule to drop all ICMP packets but nmap still says icmp
> is open because it receives protocol unreachable messages. Should the code
> not test the type of icmp message to determine if icmp is open or closed?
> Surely receiving a protocol unreachable message for icmp should
> automatically negate icmp from being open.

Well, this only applies for cases where the ICMP message comes from
the target host itself (not some intermediate firewall).  So if the
target sends an ICMP message back in response to a protocol scan, Nmap
considers ICMP to be open regardless of what sort of ICMP message was
sent.  Clearly the machine knows how to deal with some ICMP messages
(or else an intermediate host spoofed the packet).

Cheers,
-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
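The rule Fyodor describes, as an added example that is not code from the thread or from Nmap's scan_engine.cc: a small Python model of how a protocol scan (-sO) turns a reply into a port state. It assumes the state table from the Nmap reference guide (any response from the target host: open; ICMP protocol unreachable, type 3 code 2: closed; ICMP unreachable codes 1, 3, 9, 10 or 13: filtered; no response: open|filtered) and adds the point made above: when the probed protocol is ICMP, an ICMP error from the target is itself a reply in the probed protocol, so the source check decides whether it counts. The addresses, the Reply class and the constructed replies are illustrative and not from the page.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ICMP = 1  # IP protocol number of ICMP
ICMP_DEST_UNREACH = 3
ICMP_UNREACH_PROTO = 2
# Unreachable codes the Nmap -sO table maps to "filtered".
ICMP_UNREACH_FILTERED_CODES = {1, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """A captured reply to a protocol probe (constructed for this example)."""
    src: str                         # source IP of the reply packet
    proto: int                       # IP protocol number of the reply
    icmp_type: Optional[int] = None  # only meaningful when proto == ICMP
    icmp_code: Optional[int] = None


def classify(target: str, probed_proto: int, reply: Optional[Reply]) -> str:
    """Map one reply (or its absence) to a -sO state for probed_proto.

    Model of the documented rules, not Nmap's own code. The ordering is the
    point of the thread: a packet from the target in the probed protocol is
    proof the target speaks that protocol, and that is checked before the
    ICMP error types are looked at. For probed_proto == ICMP this means an
    ICMP protocol-unreachable *from the target itself* still yields "open".
    """
    if reply is None:
        return "open|filtered"  # no answer even after retransmission

    # Any packet from the target host in the probed protocol: open.
    if reply.src == target and reply.proto == probed_proto:
        return "open"

    # ICMP errors are then interpreted regardless of who sent them; a
    # protocol-unreachable from an intermediate box is not taken as the
    # target speaking ICMP (assumption in this model: the sender is not
    # checked for error messages).
    if reply.proto == ICMP and reply.icmp_type == ICMP_DEST_UNREACH:
        if reply.icmp_code == ICMP_UNREACH_PROTO:
            return "closed"
        if reply.icmp_code in ICMP_UNREACH_FILTERED_CODES:
            return "filtered"
        return "open|filtered"  # other unreachable codes: no verdict (model assumption)

    # Some other protocol's packet from the target still proves it answered.
    if reply.src == target:
        return "open"
    return "open|filtered"  # unrelated traffic from a third host: ignored


def demo_scan(target: str = "192.0.2.10") -> Dict[int, str]:
    """Constructed replies for a handful of protocols against one target."""
    router = "192.0.2.1"
    replies: Dict[int, Optional[Reply]] = {
        # ICMP probe answered by the target's own protocol-unreachable:
        # the case from the thread; still "open" because the target spoke ICMP.
        1: Reply(target, ICMP, ICMP_DEST_UNREACH, ICMP_UNREACH_PROTO),
        # TCP probe answered by a TCP packet (e.g. RST) from the target.
        6: Reply(target, 6),
        # UDP probe answered by the target's protocol-unreachable: closed.
        17: Reply(target, ICMP, ICMP_DEST_UNREACH, ICMP_UNREACH_PROTO),
        # GRE probe answered by admin-prohibited (3/13) from a router: filtered.
        47: Reply(router, ICMP, ICMP_DEST_UNREACH, 13),
        # SCTP probe with no answer at all.
        132: None,
    }
    return {proto: classify(target, proto, r) for proto, r in replies.items()}


if __name__ == "__main__":
    for proto, state in sorted(demo_scan().items()):
        print(f"protocol {proto:>3}: {state}")
```

The firewall rule in the original question explains the surprise: dropping ICMP on the target does nothing about the target's own kernel emitting a protocol-unreachable, and from the target's address that error is an ICMP packet, which is exactly the evidence the scan is looking for. Compare protocol 1 with protocol 47 in the demo, where the same kind of error from a different source is read as "filtered" instead.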

