Nmap Development mailing list archives

Excessive traffic in -PS/PA/PU ping scans
From: cybernmd <cybernmd () gmail com>
Date: Tue, 20 Mar 2007 03:16:44 -0700

I have noticed the following when performing SYN, ACK, and UDP pings:

1) When running SYN/ACK/UDP pings as a privileged user, target ports are
completely ignored using the notation suggested in the manual
(-PS80,443,666). nmap proceeds to scan every standard port
on the target system instead of just the ones specified (this generates
a lot of excessive traffic). At the same time, I could get nmap to scan
just those ports by using -p80,443,666 appended to the command line.
Other than that, all scans are performed just fine.

2) The suggested notation (-PS80,443,666) does work when nmap is
executed from a non-privileged account, but I must still provide the -p
argument with ports that will be appended to those specified in the -PS
argument, or else nmap starts scanning all standard ports on the target.

I have confirmed this behavior with nmap 4.21ALPHA3 running on Ubuntu
6.10 and nmap 4.11 running on FreeBSD 6.2 for both local and external
targets.

Below are the nmap commands I have used and partial traffic dumps from the scans:

Using suggested notation in the manual
======================================

Command:
sudo nmap -PS443 192.168.1.1

Traffic Generated:
  0.093081 192.168.1.100 -> 192.168.1.1  TCP 56854 > rtsp [SYN] Seq=0
Len=0 MSS=1460
  0.093098 192.168.1.100 -> 192.168.1.1  TCP 56854 > domain [SYN] Seq=0
Len=0 MSS=1460
  0.093114 192.168.1.100 -> 192.168.1.1  TCP 56854 > ldaps [SYN] Seq=0
Len=0 MSS=1460
  0.093129 192.168.1.100 -> 192.168.1.1  TCP 56854 > 1723 [SYN] Seq=0
Len=0 MSS=1460
  0.093143 192.168.1.100 -> 192.168.1.1  TCP 56854 > ftp [SYN] Seq=0
Len=0 MSS=1460
  0.093157 192.168.1.100 -> 192.168.1.1  TCP 56854 > www [SYN] Seq=0
Len=0 MSS=1460
  0.093171 192.168.1.100 -> 192.168.1.1  TCP 56854 > 256 [SYN] Seq=0
Len=0 MSS=1460
  0.093185 192.168.1.100 -> 192.168.1.1  TCP 56854 > ssh [SYN] Seq=0
Len=0 MSS=1460
  0.093199 192.168.1.100 -> 192.168.1.1  TCP 56854 > 3389 [SYN] Seq=0
Len=0 MSS=1460
  0.093213 192.168.1.100 -> 192.168.1.1  TCP 56854 > telnet [SYN] Seq=0
Len=0 MSS=1460
...
proceeds to scan all standard ports on target 192.168.1.1 =(

Using -p to specify ports instead
=================================

Command:
sudo nmap -PS666 192.168.1.1 -p443

Traffic Generated:
213.457235 192.168.1.100 -> 192.168.1.1  TCP 62666 > https [SYN] Seq=0
Len=0 MSS=1460
213.457694  192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK]
Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
213.457714 192.168.1.100 -> 192.168.1.1  TCP 62666 > https [RST] Seq=1
Len=0

Performs precisely what I wanted in the first place: a SYN ping on port
443. Note that port 666 was completely ignored.

Using suggested notation in the manual with non-privileged account
==================================================================
Command:
nmap -PS443 192.168.1.1 -n

Traffic Generated:
 9.169700 192.168.1.100 -> 192.168.1.1  TCP 46883 > https [SYN] Seq=0
Len=0 MSS=1460 TSV=25235354 TSER=0 WS=2
  9.170185  192.168.1.1 -> 192.168.1.100 TCP https > 46883 [SYN, ACK]
Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003443 TSER=25235354 WS=0
  9.170208 192.168.1.100 -> 192.168.1.1  TCP 46883 > https [ACK] Seq=1
Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
  9.170810 192.168.1.100 -> 192.168.1.1  TCP 46883 > https [RST, ACK]
Seq=1 Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
  9.269808 192.168.1.100 -> 192.168.1.1  TCP 46884 > https [SYN] Seq=0
Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.270289  192.168.1.1 -> 192.168.1.100 TCP https > 46884 [SYN, ACK]
Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003453 TSER=25235379 WS=0
  9.270311 192.168.1.100 -> 192.168.1.1  TCP 46884 > https [ACK] Seq=1
Ack=1 Win=5840 Len=0 TSV=25235379 TSER=10003453
  9.270498 192.168.1.100 -> 192.168.1.1  TCP 56401 > ldaps [SYN] Seq=0
Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.270950 192.168.1.100 -> 192.168.1.1  TCP 37141 > www [SYN] Seq=0
Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.271164  192.168.1.1 -> 192.168.1.100 TCP ldaps > 56401 [RST, ACK]
Seq=0 Ack=1 Win=0 Len=0
  9.271391 192.168.1.100 -> 192.168.1.1  TCP 33586 > ssh [SYN] Seq=0
Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.271612  192.168.1.1 -> 192.168.1.100 TCP www > 37141 [RST, ACK]
Seq=0 Ack=1 Win=0 Len=0
...

Starts out just as expected by connect()-ing to the https port, but later
starts scanning all standard ports on the target host =(

Using -p to specify ports with unprivileged account
===================================================
Command:
nmap -PS666 192.168.1.1 -p443 -n

Traffic Generated:
  0.000000 192.168.1.100 -> 192.168.1.1  TCP 42469 > 666 [SYN] Seq=0
Len=0 MSS=1460 TSV=25287184 TSER=0 WS=2
  0.000421  192.168.1.1 -> 192.168.1.100 TCP 666 > 42469 [RST, ACK]
Seq=0 Ack=1 Win=0 Len=0
  0.100061 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [SYN] Seq=0
Len=0 MSS=1460 TSV=25287209 TSER=0 WS=2
  0.100552  192.168.1.1 -> 192.168.1.100 TCP https > 46975 [SYN, ACK]
Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10024180 TSER=25287209 WS=0
  0.100575 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [ACK] Seq=1
Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180
  0.100923 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [RST, ACK]
Seq=1 Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180

First scans port 666 specified in the -PS argument and later connect()-s to
port 443.

I am not sure if this is expected behavior, but it seems that when our
only goal is to find out whether the host is up, it is not necessary
to scan all ports and generate all the noise.

Sincerely, Peter

p.s. thanks for the great tool, looking forward to the final version of
the scripting engine =)
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
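The dumps above show the difference the poster is pointing at: a discovery probe that touches one port versus a sweep across the default port list. The script below is an added example, not code from the post or from Nmap itself; it parses those tshark-style summary lines and flags a source that sends bare SYNs to more than a handful of ports on one host. The sample lines are reconstructed from the dumps in the post, and the threshold of 3 ports is an assumption.

```python
import re
from collections import defaultdict

# Matches the tshark-style summary lines quoted in the post, e.g.
#   0.093081 192.168.1.100 -> 192.168.1.1  TCP 56854 > rtsp [SYN] Seq=0 Len=0 MSS=1460
RECORD_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)

def parse_record(line):
    """Return one summary line as a dict, or None if the line does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = frozenset(f.strip() for f in rec["flags"].split(","))
    return rec

def syn_fanout(lines):
    """Map (src, dst) -> set of destination ports that received a bare SYN (no ACK)."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        # Only the initiator's SYN counts; SYN/ACK replies and RSTs are ignored.
        if rec and rec["flags"] == frozenset({"SYN"}):
            fanout[(rec["src"], rec["dst"])].add(rec["dport"])
    return dict(fanout)

def classify(lines, max_probe_ports=3):
    """Label each (src, dst) pair; the threshold of 3 is an assumption for this example."""
    return {pair: ("port-sweep" if len(ports) > max_probe_ports else "discovery-probe")
            for pair, ports in syn_fanout(lines).items()}

# Constructed samples, unwrapped from the dumps quoted in the post (not a new capture).
SWEEP = [
    "  0.093081 192.168.1.100 -> 192.168.1.1  TCP 56854 > rtsp [SYN] Seq=0 Len=0 MSS=1460",
    "  0.093098 192.168.1.100 -> 192.168.1.1  TCP 56854 > domain [SYN] Seq=0 Len=0 MSS=1460",
    "  0.093114 192.168.1.100 -> 192.168.1.1  TCP 56854 > ldaps [SYN] Seq=0 Len=0 MSS=1460",
    "  0.093129 192.168.1.100 -> 192.168.1.1  TCP 56854 > 1723 [SYN] Seq=0 Len=0 MSS=1460",
    "  0.093143 192.168.1.100 -> 192.168.1.1  TCP 56854 > ftp [SYN] Seq=0 Len=0 MSS=1460",
]
PROBE = [
    "213.457235 192.168.1.100 -> 192.168.1.1  TCP 62666 > https [SYN] Seq=0 Len=0 MSS=1460",
    "213.457694  192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK] Seq=0 Ack=1 Win=5840",
    "213.457714 192.168.1.100 -> 192.168.1.1  TCP 62666 > https [RST] Seq=1 Len=0",
]
if __name__ == "__main__":
    print(classify(SWEEP))   # {('192.168.1.100', '192.168.1.1'): 'port-sweep'}
    print(classify(PROBE))   # {('192.168.1.100', '192.168.1.1'): 'discovery-probe'}
```

Feed it the unwrapped output of a capture filtered to TCP and it reports, per source/target pair, whether the traffic looks like a host-discovery probe or a full port sweep.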
