Nmap Development mailing list archives
Re: Excessive traffic in -PS/PA/PU ping scans
From: Professor Messer <james () professormesser com>
Date: Tue, 20 Mar 2007 15:14:25 -0400
cybernmd wrote:
I have noticed the following when performing SYN, ACK, and UDP pings:

1) When running SYN/ACK/UDP pings as privileged user target ports are completely ignored using notation suggested in the manual (-PS80,443,666). nmap proceeds to scan every standard port on the target system instead of just the ones specified (this generates a lot of excessive traffic). At the same time I could get nmap to scan just those ports by using -p80,443,666 appended to the command line. Other than that all scans are performed just fine.
To Nmap, a ping and a scan are two completely different things.

PING: An Nmap ping is used to determine the availability of a target device. Nmap simply wants to know if a device is on the network before it goes through the process of performing a scan on the remote device. There are seven different Nmap "pinging" processes that can be used to determine if a device is available. Note that this Nmap ping process is a bit different than the traditional ICMP echo request "ping" command that is often used at the command line. Nmap ping command line options begin with a capital "-P."

SCAN: An Nmap scan is the actual port probing process that usually searches through thousands of ports to determine the open, closed, or filtered state of each port. There are fifteen different scanning methods that Nmap can employ to determine the port dispositions on a remote device. Most of these Nmap scan command line options begin with a lowercase "-s," except for the FTP bounce attack which uses a lowercase -b. During a default scan, Nmap will query over 1,600 ports! If you just want to scan specific ports, the command line option -p will focus Nmap to a series of ports separated by commas, or a range can be specified with a hyphen.
2) The suggested notation (-PS80,443,666) does work when nmap is executed from a non-privileged account, but I must still provide -p argument with ports that will be appended to those specified in -PS argument or else nmap starts scanning all standard ports on the target. I have confirmed this behavior with nmap 4.21ALPHA3 running on Ubuntu 6.10 and nmap 4.11 running on FreeBSD 6.2 for both local and external targets. Below are nmap commands I have used and partial traffic dump from scans:

Using suggested notation in the manual
======================================
Command: sudo nmap -PS443 192.168.1.1
This performs an Nmap SYN ping to port 443, and default Nmap scan to 192.168.1.1 (which includes over 1,600 ports by default). As already mentioned, if you're scanning a device on your local IP subnet as a privileged user, Nmap will override your ping option and use the much more reliable ARP ping. *snip packet trace*
Command: sudo nmap -PS666 192.168.1.1 -p443
This is the same command, but you've told Nmap to only perform a default scan to port 443. Again, your ping option was ignored in favor of an ARP ping to the local IP subnet.
Traffic Generated:
213.457235 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [SYN] Seq=0 Len=0 MSS=1460
213.457694 192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
213.457714 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [RST] Seq=1 Len=0
Using suggested notation in the manual with non-privileged account
==================================================================
Command: nmap -PS443 192.168.1.1 -n
When running as a non-privileged user, Nmap can't build an ARP ping so it tries to use your option to perform a SYN ping to port 443. Unfortunately, Nmap also can't perform a SYN ping (SYN pings and SYN scans are some Nmap methods that can only be used by privileged users) so Nmap instead opts for a TCP connect() ping.
Traffic Generated:
9.169700 192.168.1.100 -> 192.168.1.1 TCP 46883 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=25235354 TSER=0 WS=2
9.170185 192.168.1.1 -> 192.168.1.100 TCP https > 46883 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003443 TSER=25235354 WS=0
9.170208 192.168.1.100 -> 192.168.1.1 TCP 46883 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
9.170810 192.168.1.100 -> 192.168.1.1 TCP 46883 > https [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25235354 TSER=10003443
9.269808 192.168.1.100 -> 192.168.1.1 TCP 46884 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
9.270289 192.168.1.1 -> 192.168.1.100 TCP https > 46884 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10003453 TSER=25235379 WS=0
9.270311 192.168.1.100 -> 192.168.1.1 TCP 46884 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25235379 TSER=10003453
9.270498 192.168.1.100 -> 192.168.1.1 TCP 56401 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
9.270950 192.168.1.100 -> 192.168.1.1 TCP 37141 > www [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
9.271164 192.168.1.1 -> 192.168.1.100 TCP ldaps > 56401 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
9.271391 192.168.1.100 -> 192.168.1.1 TCP 33586 > ssh [SYN] Seq=0 Len=0 MSS=1460 TSV=25235379 TSER=0 WS=2
9.271612 192.168.1.1 -> 192.168.1.100 TCP www > 37141 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
...
Using -p to specify ports with unprivileged account
===================================================
Command: nmap -PS666 192.168.1.1 -p443 -n
This is the same as the previous scan, but you've focused the scan to only focus on port 443. The SYN ping is replaced with a connect() ping, just like the previous scan. The default SYN scan is also replaced with a connect() scan. Notice that you received a RESET when pinging port 666. Since this is part of the ping process, Nmap takes that response to indicate that a device really does exist at that IP address. If your SYN frame to port 666 did not receive any response, your Nmap scan would have stopped right there.
Traffic Generated:
0.000000 192.168.1.100 -> 192.168.1.1 TCP 42469 > 666 [SYN] Seq=0 Len=0 MSS=1460 TSV=25287184 TSER=0 WS=2
0.000421 192.168.1.1 -> 192.168.1.100 TCP 666 > 42469 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
0.100061 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [SYN] Seq=0 Len=0 MSS=1460 TSV=25287209 TSER=0 WS=2
0.100552 192.168.1.1 -> 192.168.1.100 TCP https > 46975 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=10024180 TSER=25287209 WS=0
0.100575 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180
0.100923 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [RST, ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=25287210 TSER=10024180
First scans port 666 specified in -PS argument and later connect()-s to port 443.
Hope that helps!

James "Professor" Messer
Author, Nmap Secrets
http://www.ProfessorMesser.com/nmap-secrets

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
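An added example, not part of the thread, that applies the distinction James draws to the traces above: it parses tshark-style summary lines, groups them per scanner connection, labels each probe as a connect() probe (handshake completed with a bare ACK) or a half-open SYN probe (SYN answered, then RST), records the port state, and lists any target ports touched beyond the -PS ping ports and -p scan ports that were requested. The sample trace is constructed from lines copied out of the thread's dumps (trailing fields trimmed), and the service-name map covers only the names tshark printed there.

```python
import re

LINE = re.compile(r"^\S+\s+(\S+) -> (\S+)\s+TCP\s+(\S+) > (\S+)\s+\[([^\]]+)\]")
PORTS = {"https": 443, "ldaps": 636, "www": 80, "ssh": 22}  # names tshark printed in the thread's traces
port = lambda n: PORTS.get(n) or int(n)

# Constructed sample: lines copied from the traces in the thread, trailing fields trimmed
SAMPLE_TRACE = """\
0.000000 192.168.1.100 -> 192.168.1.1 TCP 42469 > 666 [SYN] Seq=0 Len=0
0.000421 192.168.1.1 -> 192.168.1.100 TCP 666 > 42469 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
0.100061 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [SYN] Seq=0 Len=0
0.100552 192.168.1.1 -> 192.168.1.100 TCP https > 46975 [SYN, ACK] Seq=0 Ack=1
0.100575 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [ACK] Seq=1 Ack=1
0.100923 192.168.1.100 -> 192.168.1.1 TCP 46975 > https [RST, ACK] Seq=1 Ack=1
9.270498 192.168.1.100 -> 192.168.1.1 TCP 56401 > ldaps [SYN] Seq=0 Len=0
9.271164 192.168.1.1 -> 192.168.1.100 TCP ldaps > 56401 [RST, ACK] Seq=0 Ack=1
9.271391 192.168.1.100 -> 192.168.1.1 TCP 33586 > ssh [SYN] Seq=0 Len=0
213.457235 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [SYN] Seq=0 Len=0
213.457694 192.168.1.1 -> 192.168.1.100 TCP https > 62666 [SYN, ACK] Seq=0 Ack=1
213.457714 192.168.1.100 -> 192.168.1.1 TCP 62666 > https [RST] Seq=1 Len=0
"""

def parse(trace):
    """Yield (src, dst, sport, dport, flags) for each tshark-style summary line."""
    for m in filter(None, map(LINE.match, trace.splitlines())):
        src, dst, sport, dport, flags = m.groups()
        yield src, dst, port(sport), port(dport), {f.strip() for f in flags.split(",")}

def classify(trace, scanner, target):
    """One record per scanner connection: target port, port state, probe style."""
    conns = {}  # keyed by the scanner's ephemeral source port
    for src, dst, sport, dport, flags in parse(trace):
        if src == scanner and dst == target:
            rec = conns.setdefault(sport, {"port": dport, "sent": [], "state": "no-response"})
            rec["sent"].append(flags)
        elif src == target and dst == scanner and dport in conns:
            conns[dport]["state"] = "open" if {"SYN", "ACK"} <= flags else "closed"
    for rec in conns.values():
        sent = rec.pop("sent")
        # a bare ACK means the handshake completed: connect() rather than a raw SYN probe
        if any(f == {"ACK"} for f in sent):
            rec["probe"] = "connect()"
        else:
            rec["probe"] = "half-open SYN" if any("RST" in f for f in sent) else "SYN only"
    return list(conns.values())

def unexpected_ports(records, allowed):
    """Target ports touched beyond the -PS ping ports and -p scan ports you asked for."""
    return sorted({r["port"] for r in records} - set(allowed))
```

Running `unexpected_ports(classify(SAMPLE_TRACE, "192.168.1.100", "192.168.1.1"), [443, 666])` returns the ports the default scan added on top of the requested ones, which is the excess traffic the original report describes.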