Re: Bad IP-checksums

[David Fifield <david () bamsoftware com>]

On Sat, Jul 26, 2008 at 12:25:10AM +0000, Brandon Enright wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, 26 Jul 2008 02:06:55 +0200
> Gisle Vanem <gvanem () broadpark no> wrote:
>
> > The following command
> >   nmap -d2 -sV -p1-100 -O 10.0.0.7
> >
> > generates approx. IP 150 packets of which 8 contains bad
> > checksums (sent from 10.0.0.6). Check the attached pcap-trace 
> > and look at frame 290, 312, 314, 316, 344, 364, 366 and 368.
> >
> > Verified with "tshark -Vr wattcp.dbg | grep '[incorrect,'".
> >
> > All this is on WIn-XP with nmap v. 4.6. Anybody else who can
> > verify this?
> >
> > --gv
>
> Okay here is my speculation.
>
> Looking at you pcap file, the _only_ probes with a bad checksum are the
> UDP OS fingerprint probes (probe U1).
>
> The UDP checksum is correct but the IP checksum is wrong.  The
> documentation for the U1 probe says that the IPID is supposed to be set
> to 0x1042 but yours are set to 0x4210.

This was an Nmap bug that was fixed by Michael in r7814:

http://seclists.org/nmap-dev/2008/q2/0536.html

According to the changelog the first release the fix was in was 4.65. So
Gisle, if you're using 4.60 then that could explain what you're seeing.

> When I test on a Linux box I get IP packets with the correct IPID
> field.  When I test on Windows I get the endianness reversed like
> yours.  I haven't looked at the code for this so I can't say if this is
> a Windows bug or a Nmap bug.

The problem showed itself on little-endian machines. Does that make
sense with the architectures of your Linux and Windows boxes? Or if they
have the same endianness, maybe they have different Nmap versions.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org