Nmap Development mailing list archives
Re: 24-Hour Beta: Nmap 4.69BETA1
From: Fyodor <fyodor () insecure org>
Date: Sun, 7 Sep 2008 19:05:35 -0700
On Sun, Sep 07, 2008 at 08:30:40PM -0500, Alan Jones wrote:
TRACEROUTE (using port 22/tcp) HOP RTT ADDRESS 1 1.00 home (192.168.x.xx) 2 14.00 adsl-70-xx-x-x.dsl.ltrkar.sbcglobal.net (70.232.xx.xxx)
I think this sbcglobal.net machine (or, possibly, software running on your own machine) is spoofing the port 80 RST packets "from" scanme. Maybe SBC is running a transparent web proxy cache on port 80. ISPs sometimes do similar things with port 25 as well. A giveaway is the responses you received with a TTL of 255, like this: RCVD (0.2650s) TCP 64.13.134.52:80 > 192.168.1.67:35207 R ttl=255 id=1192 iplen=63 seq=3390443990 win=0 That should only happen if they were generated from the next hop machine (or from software on your machine itself). I think this is a good example of how Nmap can help in understanding and detecting these sorts of network anomalies. One thing we could consider doing is making certain ports likely to have such shenanigans (like tcp 25, 80, and 113) be considered "less desirable" than other ports by the new Nmap timing ping selector. But I'm not sure whether this problem is common enough to merit a special case like that. And in any case, these sorts of results are sometimes desirable to better understand the network. Cheers, Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- 24-Hour Beta: Nmap 4.69BETA1 Fyodor (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- RE: 24-Hour Beta: Nmap 4.69BETA1 Rob Nicholls (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Fyodor (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 13)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 David Fifield (Sep 07)
- Re: 24-Hour Beta: Nmap 4.69BETA1 Alan Jones (Sep 07)
- "Nmap Output" tab David Fifield (Sep 07)