Nmap Development mailing list archives

RE: Possible error message bug in nmap-4.11 on Gentoo


From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Thu, 12 Oct 2006 14:56:46 -0500

Sorry folks, looks like the patch didn't make it through to mailing list.  Attached as txt file this time.

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Thomas Buchanan
Sent: Thursday, October 12, 2006 2:54 PM
To: Andreas Ericsson; Diman Todorov
Cc: nmap-dev () insecure org
Subject: RE: Possible error message bug in nmap-4.11 on Gentoo


-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Andreas Ericsson
Sent: Thursday, October 12, 2006 8:29 AM
To: Diman Todorov
Cc: nmap-dev () insecure org
Subject: Re: Possible error message bug in nmap-4.11 on Gentoo

Diman Todorov wrote:
Well, you *are* telling nmap to do a ping-scan (-sP) which doesn't use ports, but then you specify ports as well.
This is not correct.
From the nmap man page:
<snip>
               The -sP option sends an ICMP echo request and a TCP packet to port 80 by default. When executed by an unprivileged user, a SYN packet is sent (using a connect() call) to port 80 on the
</snip>

IMHO -sP should respect -p


Touché. I should rtfm more carefully or, as in this case, at all :-)

I'm still not sure it makes sense though, unless you use the scan option to control output (i.e. make hosts responding to any of the tcp-ports given in the range show as "up", but nothing else). Oh well. I'm sure it'll all turn out for the best.

-- 
Andreas Ericsson                   andreas.ericsson () op5 se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231



I think if you want to scan specific ports using ping style probes, you should use -PS [portlist].  From the man page:

<snip>
-PS [portlist] (TCP SYN Ping)
     This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT in nmap.h), but an alternate port can be specified as a parameter. A comma separated list of ports can even be specified (e.g. -PS22,23,25,80,113,1050,35000), in which case probes will be attempted against each port in parallel.
</snip>

In the source code for nmap.cc, it states that -F and -p[portlist] are NOT allowed with -sP (or -sL for that matter).

nmap.cc:
<snip>
   1166   if ((o.pingscan || o.listscan) && ports) {
   1167     fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan or LIST scan");
   1168   }
</snip>

However, this check was being performed after a list of ports was generated by the following call:

   1151     ports = getpts(portlist);

The function getpts(portlist) is what actually prints the error message that was originally posted.

The attached proposed patch just moves the check for -F and -p up above the call to getpts().  This actually saves us the trouble of generating the portslist (which we end up not using).  The patched nmap produces the following output:

sudo ./nmap -sP -p1-1024 -v -v -v 192.168....

Starting Nmap 4.20ALPHA8 ( http://Insecure.Org ) at 2006-10-12 14:31 CDT
You cannot use -F (fast scan) or -p (explicit port selection) with PING scan or LIST scan
QUITTING!


Patch (against nmap-4.20ALPHA8) works for me on Linux (have not tested under Windows).  Patch also cleanly applies to nmap-4.11.

Thomas


Attachment: ping-portlist.patch.txt
Description: ping-portlist.patch.txt
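To illustrate the check-ordering problem Thomas describes, here is an added, hypothetical C model of the two orderings; it is not nmap's code and not the attached patch. It assumes a `getpts` stand-in that accepts only "N" or "N-M" port specs, models only -p (not -F), and returns error codes in place of nmap's fatal() so the two orders can be compared.

```c
#include <stdio.h>

/* Hypothetical, cut-down model of the option handling discussed in the thread;
 * not nmap's code and not the attached patch. Only the order of the two checks
 * is modelled, and fatal() is replaced by return codes so both can be compared. */
enum { OK = 0, ERR_PORTSPEC = 1, ERR_PING_WITH_PORTS = 2 };

static int getpts_calls;                 /* how often the port-list builder ran */
int getpts_call_count(void) { return getpts_calls; }

/* Stand-in for getpts(): accepts "N" or "N-M" and otherwise fails with its own
 * error message (the message text here is constructed for this example). */
static int getpts(const char *spec, int *nports)
{
    int lo, hi, n = 0;
    getpts_calls++;
    if (sscanf(spec, "%d-%d%n", &lo, &hi, &n) == 2 && spec[n] == '\0' &&
        lo >= 1 && lo <= hi && hi <= 65535) { *nports = hi - lo + 1; return OK; }
    n = 0;
    if (sscanf(spec, "%d%n", &lo, &n) == 1 && spec[n] == '\0' &&
        lo >= 1 && lo <= 65535) { *nports = 1; return OK; }
    fprintf(stderr, "getpts: bad port specification '%s'\n", spec);
    return ERR_PORTSPEC;
}

/* Pre-patch order: build the port list first, then reject it for -sP/-sL, so a
 * bad -p argument surfaces as a getpts() error that never mentions the real
 * mistake (ports given with a ping scan), and a good one is built for nothing. */
int validate_old(int pingscan, const char *portlist)
{
    int nports = 0;
    getpts_calls = 0;
    if (portlist && getpts(portlist, &nports) != OK) return ERR_PORTSPEC;
    if (pingscan && portlist) return ERR_PING_WITH_PORTS;
    return OK;
}

/* Patched order: reject -p with -sP/-sL before spending any time in getpts(). */
int validate_new(int pingscan, const char *portlist)
{
    int nports = 0;
    getpts_calls = 0;
    if (pingscan && portlist) return ERR_PING_WITH_PORTS;
    if (portlist && getpts(portlist, &nports) != OK) return ERR_PORTSPEC;
    return OK;
}
```

With a reversed range such as "80-20", the old order reports only the port-spec error, while the patched order reports the -sP/-p conflict without ever calling getpts().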


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
