Nmap Development mailing list archives

Re: Excessive traffic in -PS/PA/PU ping scans


From: Professor Messer <james () professormesser com>
Date: Tue, 20 Mar 2007 15:14:25 -0400

cybernmd wrote:
I have noticed the following when performing SYN, ACK, and UDP pings:

1) When running SYN/ACK/UDP pings as privileged user target ports are
completely ignored using notation suggested in the manual
(-PS80,443,666). nmap proceeds to scan every standard port
on the target system instead of just the ones specified (this generates
a lot of excessive traffic). At the same time I could get nmap to scan
just those ports by using -p80,443,666 appended to the command line.
Other than that all scans are performed just fine.

To Nmap, a ping and a scan are two completely different things.

PING: An Nmap ping is used to determine the availability of a target 
device. Nmap simply wants to know if a device is on the network before 
it goes through the process of performing a scan on the remote device. 
There are seven different Nmap "pinging" processes that can be used to 
determine if a device is available. Note that this Nmap ping process is 
a bit different than the traditional ICMP echo request "ping" command 
that is often used at the command line. Nmap ping command line options 
begin with a capital "-P."

SCAN: An Nmap scan is the actual port probing process that usually 
searches through thousands of ports to determine the open, closed, or 
filtered state of each port. There are fifteen different scanning 
methods that Nmap can employ to determine the port dispositions on a 
remote device. Most of these Nmap scan command line options begin with a 
lowercase "-s," except for the FTP bounce attack which uses a lowercase -b.

During a default scan, Nmap will query over 1,600 ports! If you just 
want to scan specific ports, the command line option -p will focus Nmap 
to a series of ports separated by commas, or a range can be specified 
with a hyphen.

2) The suggested notation (-PS80,443,666) does work when nmap is
executed from a non-privileged account, but I must still provide -p
argument with ports that will be appended to those specified in -PS
argument or else nmap starts scanning all standard ports on the target.

I have confirmed this behavior with nmap 4.21ALPHA3 running on Ubuntu
6.10 and nmap 4.11 running on FreeBSD 6.2 for both local and external
targets.

Below are nmap commands I have used and partial traffic dump from scans:

Using suggested notation in the manual
======================================

Command:
 sudo nmap -PS443 192.168.1.1

This performs an Nmap SYN ping to port 443, and default Nmap scan to 
192.168.1.1 (which includes over 1,600 ports by default). As already 
mentioned, if you're scanning a device on your local IP subnet as a 
privileged user, Nmap will override your ping option and use the much 
more reliable ARP ping.

*snip packet trace*

Command:
sudo nmap -PS666 192.168.1.1 -p443

This is the same command, but you've told Nmap to only perform a default 
scan to port 443. Again, your ping option was ignored in favor of an ARP 
ping to the local IP subnet.

Traffic Generated:
213.457235 192.168.1.100 -> 192.168.1.1  TCP 62666 > https [SYN] Seq=0 Len=0 MSS=1460
213.457694  192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
213.457714 192.168.1.100 -> 192.168.1.1  TCP 62666 > https [RST] Seq=1 Len=0


Using suggested notation in the manual with non-privileged account
==================================================================
Command:
nmap -PS443 192.168.1.1 -n

When running as a non-privileged user, Nmap can't build an ARP ping so 
it tries to use your option to perform a SYN ping to port 443. 
Unfortunately, Nmap also can't perform a SYN ping (SYN pings and SYN 
scans are some Nmap methods that can only be used by privileged users) 
so Nmap instead opts for a TCP connect() ping.

Traffic Generated:
  9.169700 192.168.1.100 -> 192.168.1.1  TCP 46883 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=25235354 TSER=0 WS=2
  9.170185  192.168.1.1 -> 192.168.1.100 TCP https > 46883 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003443 TSER=25235354 WS=0
  9.170208 192.168.1.100 -> 192.168.1.1  TCP 46883 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
  9.170810 192.168.1.100 -> 192.168.1.1  TCP 46883 > https [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
  9.269808 192.168.1.100 -> 192.168.1.1  TCP 46884 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.270289  192.168.1.1 -> 192.168.1.100 TCP https > 46884 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003453 TSER=25235379 WS=0
  9.270311 192.168.1.100 -> 192.168.1.1  TCP 46884 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25235379 TSER=10003453
  9.270498 192.168.1.100 -> 192.168.1.1  TCP 56401 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.270950 192.168.1.100 -> 192.168.1.1  TCP 37141 > www [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.271164  192.168.1.1 -> 192.168.1.100 TCP ldaps > 56401 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
  9.271391 192.168.1.100 -> 192.168.1.1  TCP 33586 > ssh [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
  9.271612  192.168.1.1 -> 192.168.1.100 TCP www > 37141 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
...

Using -p to specify ports with unprivileged account
===================================================
Command:
nmap -PS666 192.168.1.1 -p443 -n

This is the same as the previous scan, but you've focused the scan to 
only focus on port 443. The SYN ping is replaced with a connect() ping, 
just like the previous scan. The default SYN scan is also replaced with 
a connect() scan.

Notice that you received a RESET when pinging port 666. Since this is 
part of the ping process, Nmap takes that response to indicate that a 
device really does exist at that IP address. If your SYN frame to port 
666 did not receive any response, your Nmap scan would have stopped 
right there.

Traffic Generated:
  0.000000 192.168.1.100 -> 192.168.1.1  TCP 42469 > 666 [SYN] Seq=0 Len=0 MSS=1460 TSV=25287184 TSER=0 WS=2
  0.000421  192.168.1.1 -> 192.168.1.100 TCP 666 > 42469 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
  0.100061 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=25287209 TSER=0 WS=2
  0.100552  192.168.1.1 -> 192.168.1.100 TCP https > 46975 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10024180 TSER=25287209 WS=0
  0.100575 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180
  0.100923 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180

First it scans port 666, specified in the -PS argument, and later connect()s to
port 443.


Hope that helps!


James "Professor" Messer
Author, Nmap Secrets
http://www.ProfessorMesser.com/nmap-secrets
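To make the ping-versus-scan distinction above visible in a capture, here is a small reader for tshark-style summary lines like the ones quoted in this message. It is an added example, not part of the original mail or of Nmap; the service-name table is an assumption covering only the names tshark printed above, and the embedded trace is a constructed, unwrapped copy of the "-PS666 -p443" capture.

```python
"""Interpret a tshark-style summary trace: which ports the scanning host
sent bare SYNs to and how the target answered (SYN/ACK = open,
RST = closed, nothing = no reply). Added example; not from the original post."""
import re

SERVICE_PORTS = {"https": 443, "www": 80, "ssh": 22, "ldaps": 636}  # assumed map

# One summary line per packet; wrapped continuations (Len=, MSS=) do not match.
LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]")

# Constructed copy of the "nmap -PS666 192.168.1.1 -p443 -n" trace, unwrapped.
TRACE_PS666_P443 = """\
0.000000 192.168.1.100 -> 192.168.1.1  TCP 42469 > 666 [SYN] Seq=0 Len=0 MSS=1460
0.000421  192.168.1.1 -> 192.168.1.100 TCP 666 > 42469 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
0.100061 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [SYN] Seq=0 Len=0 MSS=1460
0.100552  192.168.1.1 -> 192.168.1.100 TCP https > 46975 [SYN, ACK] Seq=0 Ack=1 Win=5792
0.100575 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [ACK] Seq=1 Ack=1 Win=5840
0.100923 192.168.1.100 -> 192.168.1.1  TCP 46975 > https [RST, ACK] Seq=1 Ack=1 Win=5840
"""

def port_number(name):
    """tshark prints well-known ports by service name; map them back to numbers."""
    return int(name) if name.isdigit() else SERVICE_PORTS[name]

def packets(trace):
    """Yield (src, dst, sport, dport, flags) for every TCP summary line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            flags = frozenset(f.strip() for f in m.group("flags").split(","))
            yield (m.group("src"), m.group("dst"), port_number(m.group("sport")),
                   port_number(m.group("dport")), flags)

def probe_summary(trace, scanner):
    """Map each target port the scanner probed with a bare SYN to the target's
    answer, keyed in order of first probe (the ping port comes first)."""
    answers = {}
    for src, dst, sport, dport, flags in packets(trace):
        if src == scanner and flags == {"SYN"}:
            answers.setdefault(dport, "no-reply")
        elif dst == scanner and sport in answers:
            if {"SYN", "ACK"} <= flags:
                answers[sport] = "open"
            elif "RST" in flags:
                answers[sport] = "closed"
    return answers

def host_is_up(answers):
    """Nmap's ping logic: any answer at all, even a RST, proves a host exists."""
    return any(state != "no-reply" for state in answers.values())
```

Running `probe_summary(TRACE_PS666_P443, "192.168.1.100")` yields port 666 first (closed, the ping that proved the host is up) and then 443 (open, the only port actually scanned), which is the traffic reduction the -p option buys.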

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
