Nmap Development mailing list archives

Variety of bugs in nmap-4.20


From: Chris Drake <christopher () pobox com>
Date: Wed, 20 Jun 2007 02:29:02 +1000

Hi,

I'm running the latest nmap-4.20 built from source
on RedHat AS4 update 4:

Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux


1. I specifically ask it to send one ICMP echo request, however, it
   sends none, instead sending only an ARP:


# /usr/bin/nmap -n --packet_trace -sP -PE  123.123.252.164

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:56 UTC
SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
RCVD (0.0390s) ARP reply 123.123.252.164 is-at 00:0C:29:DA:5E:9F
Host 123.123.252.164 appears to be up.
MAC Address: 00:0C:29:DA:5E:9F (VMware)
Nmap finished: 1 IP address (1 host up) scanned in 0.150 seconds

# ping 123.123.252.164
PING 123.123.252.164 (123.123.252.164) 56(84) bytes of data.
64 bytes from 123.123.252.164: icmp_seq=0 ttl=64 time=5.16 ms
64 bytes from 123.123.252.164: icmp_seq=1 ttl=64 time=0.717 ms



2. I attempt to send a single UDP packet, but
   2a - it sends 2 packets
   2b - it parses the --host_timeout switch wrongly (curious: works OK
        on a "RedHat AS4u4 "full" non-SELinux install, but fails on a
        vmware RedHat AS4u4 "minimal" SELinux install.)

# /usr/bin/nmap -n --packet_trace -P0 -sU -p 53  --host_timeout 5000 --data_length 1 203.123.123.131
host-timeout is given in milliseconds, so you specified less than 15 seconds (0ms). This is allowed but not recommended.

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:59 UTC
SENT (0.0380s) UDP 123.123.252.162:48152 > 203.123.123.131:53 ttl=48 id=52931 iplen=29 
SENT (1.0470s) UDP 123.123.252.162:48153 > 203.123.123.131:53 ttl=42 id=51814 iplen=29 
Interesting ports on 203.123.123.131:
Unable to find nmap-services!  Resorting to /etc/services
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 2.130 seconds
[root@vm4-DidTheyReadIt bin]# 



3. (Cosmetic) It tells me to use -P0 when I'm already using -P0

# /usr/bin/nmap -P0 -n --packet_trace -sP -PE  123.123.252.163

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:57 UTC
SENT (0.0610s) ARP who-has 123.123.252.163 tell 123.123.252.162
SENT (0.1700s) ARP who-has 123.123.252.163 tell 123.123.252.162
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 0.320 seconds
Kind Regards,
Chris Drake



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
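Two of the three reports above come down to one question: does the number and type of probes that appear in `--packet_trace` output match what the command line asked for? The script below, an added example and not part of the original post or of Nmap itself, parses `SENT`/`RCVD` trace lines and compares the emitted probes against an expectation. It assumes the line layout shown in the post (`SENT (0.0370s) ARP who-has ...`, `SENT (0.0380s) UDP src:port > dst:port ...`); the sample trace is the post's own output pasted in as a constructed string so the script runs offline, and the destination extraction is best-effort for any other protocol line.

```python
import re
from collections import Counter

# Constructed sample: the trace lines from the post, embedded so the script
# runs offline. In practice, pipe in the stdout of `nmap --packet_trace ...`.
SAMPLE_TRACE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-19 14:56 UTC
SENT (0.0370s) ARP who-has 123.123.252.164 tell 123.123.252.162
RCVD (0.0390s) ARP reply 123.123.252.164 is-at 00:0C:29:DA:5E:9F
SENT (0.0380s) UDP 123.123.252.162:48152 > 203.123.123.131:53 ttl=48 id=52931 iplen=29
SENT (1.0470s) UDP 123.123.252.162:48153 > 203.123.123.131:53 ttl=42 id=51814 iplen=29
Nmap finished: 1 IP address (1 host up) scanned in 0.150 seconds
"""

# Direction, timestamp in seconds, protocol name, then the protocol-specific remainder.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD)\s+\((?P<t>\d+\.\d+)s\)\s+(?P<proto>[A-Z]+)\s+(?P<rest>.*)$"
)


def _target_of(rest):
    """Best-effort destination host taken from the text after the protocol name."""
    m = re.search(r"who-has\s+(\S+)", rest)  # ARP request: "who-has <dst> tell <src>"
    if m:
        return m.group(1)
    m = re.search(r">\s*(\S+)", rest)        # IP probes: "src[:port] > dst[:port] ..."
    if m:
        return m.group(1).rsplit(":", 1)[0]  # drop a trailing ":port" if present
    return None


def parse_trace(text):
    """Return one dict per SENT/RCVD line; non-packet lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # banner, summary and port-table lines are not packets
        events.append({
            "dir": m.group("dir"),
            "time": float(m.group("t")),
            "proto": m.group("proto"),
            "target": _target_of(m.group("rest")),
        })
    return events


def sent_counts(events):
    """How many probes of each protocol the scanner actually put on the wire."""
    return Counter(e["proto"] for e in events if e["dir"] == "SENT")


def check_expectation(events, expected):
    """Compare emitted probes with what the command line was meant to send.

    `expected` maps protocol name -> number of probes. Any protocol seen on the
    wire but absent from `expected` is reported as well. Returns a list of
    discrepancy strings; an empty list means the trace matched.
    """
    actual = sent_counts(events)
    problems = []
    for proto, want in expected.items():
        got = actual.get(proto, 0)
        if got != want:
            problems.append(f"{proto}: expected {want} probe(s), trace shows {got}")
    for proto in actual:
        if proto not in expected:
            problems.append(f"{proto}: {actual[proto]} probe(s) sent but none were requested")
    return problems


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print(sent_counts(ev))
    # Report 1: `-sP -PE` was expected to produce exactly one ICMP echo request.
    for p in check_expectation(ev[:2], {"ICMP": 1}):
        print("host discovery:", p)
    # Report 2: a single UDP probe to port 53 was expected.
    for p in check_expectation(ev[2:], {"UDP": 1}):
        print("udp scan:", p)
```

Splitting the events by scan (here by slicing) is only needed because the sample concatenates two separate runs; a real invocation produces one trace, so the whole event list is compared against one expectation.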