Re: Bug report? Windows version 4.71

[David Fifield <david () bamsoftware com>]

On Tue, Oct 07, 2008 at 09:54:35AM +0200, Ronald Luten wrote:
> When I use -sP to ping a C-class subnet, every host appears to be up, when
> in reality only 10 should be up.
> I've seen on the mailing list that this has been reported before, for other
> versions.
>
> I've used -vvv -d --packet-trace to get debug info. Maybe someone on the
> list knows why it is doing this.
>
> The host in the example (and the C-class) are behind a firewall, which is
> just routing. So it there's a rule in there that permits ANY from my PC to
> the C-class. The firewall is new (since last week), and before then nmap
> didn't show this behavior, so most likely the firewall is somehow involved.
>
> Initiating Ping Scan at 09:41
> Scanning 192.168.112.188 [2 ports]
> Packet capture filter (device eth0): dst host 172.20.155.89 and (icmp or
> ((tcp or udp) and (src host 192.168.112.188)))
> SENT (0.2340s) TCP 172.20.155.89:50443 > 192.168.112.188:80 A ttl=48 id=9139
> iplen=40  seq=4059576939 win=1024 ack=4084382708
> RCVD (0.2340s) TCP 192.168.112.188:80 > 172.20.155.89:50443 R ttl=64
> id=61996 iplen=40  seq=4084382708 win=0
> We got a TCP ping packet back from 192.168.112.188 port 80 (trynum = 0)
> Completed Ping Scan at 09:41, 0.11s elapsed (1 total hosts)

The firewall is spoofing RST packets in response to the ACK ping probes
sent by Nmap. It's doing it without regard to the destination of the ACK
probe, so every host appears to be up. Try running with the -PS -PE host
discovery options instead.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org