Nmap Development mailing list archives
Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 04 Feb 2007 19:53:13 -0600
Fyodor wrote:
On Sun, Feb 04, 2007 at 06:36:42PM -0600, Kris Katterjohn wrote:The attached patch (/nmap-exp/kris SVN r4472) makes it so that if we get an ICMP Port Unreachable from the target host involving any protocol that we call the port closed. The SVN log:Hi Kris. Despite what the RFCs say, I think that when we receive an ICMP port unreachable message in response to a TCP query, that ICMP unreachable packet was generally sent by a firewall or other filtering device as opposed to the end host. But I could be wrong. Have you found any target IPs which respond in this fashion? If so, I think it is worth investigating whether the packets are produced by firewall software (either running on the destination host, or in front of it), or if the destination host sends these responses rather than a RST for some reason. If you haven't seen this happen, then I think we should hold off on making any such changes to /nmap until we have some empirical data. Cheers, Fyodor
Does this not test to see if this packet is coming from the host and not a separate device? /* ensure this packet relates to a packet to the host we are scanning ... */ memset(&sin, 0, sizeof(sin)); sin.sin_addr.s_addr = ip2->ip_dst.s_addr; sin.sin_family = AF_INET; hss = USI->findIncompleteHost((struct sockaddr_storage *) &sin); if (!hss) continue; // Not from a host that interests us ... if (hss->target->v4hostip()->s_addr == ip->ip_src.s_addr) hss is filled from ip2->ip_dst.s_addr, which is where we were sending the original packet. If it's tested against the source IP of the outer header, we see if it's from where we sent it as opposed to a another box. Or am I wrong about that part? Regardless, I have *not* seen this actually happen. I was reading the RFC 1122 and found that part to be interesting. I skimmed over Nmap's code and thought it could be added. So whatever you think is best :) Thanks, Kris Katterjohn
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Kris Katterjohn (Feb 04)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Fyodor (Feb 04)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Kris Katterjohn (Feb 04)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Fyodor (Feb 04)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Kris Katterjohn (Feb 04)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Kris Katterjohn (Feb 04)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Jan Engelhardt (Feb 05)
- Re: [Exp PATCH] Call port closed in any protocol with ICMP Port Unreach Fyodor (Feb 04)