Re: ip proto 0xff in syn pckts on ADSL connection

[David Fifield <david () bamsoftware com>]

On Mon, Nov 17, 2008 at 01:21:05PM -0700, David Fifield wrote:
> On Tue, Nov 04, 2008 at 11:01:55AM -0500, jfhorn wrote:
> > I'm looking for some insight into an issue (a bug, possibly with nmap)
> > involving the most recent nmap (4.76), Windows (XP SP2), WinPcap
> > (4.02), and a modem/dial-up adapter.
> >
> > PROBLEM: When attempting a TCP connect scan (-sT) to port 80 on
> > www.google.com over dial-up, the system emits packets correctly, *but*
> > when attempting to SYN scan (-sS) port 80 on www.google.com, the
> > system emits packets with the IP protocol type set to 0xFF.
>
> Windows doesn't support raw sockets. Nmap can work around this most of
> the time by using an Ethernet interface directly, but that only works
> for Ethernet devices. Scans requiring raw packets (including SYN scan)
> won't work on a dial-up connection. The workaround is (as you've
> discovered) to use -sT for a plain connect scan. To do more than that
> requires an operating system with support for raw sockets.
>
> There is a real problem here thouch, which is that Nmap doesn't print
> enough information about the situation.

Here is a patch that shows a warning whenever raw socket sending is
attempted on Windows (regardless of --send-ip and --send-eth). It shows
the warning only once per unique device name. The warning is

WARNING: Using raw sockets because %s is not an ethernet device. This probably won't work on Windows.

I don't have a real non-Ethernet device to test it with. I tested it by
hacking the condition in scan_engine.cc to pretend devices were not
Ethernet. I don't like to commit the patch until someone with a PPP or
other connection tests it and sees that the warning is shown.

David Fifield

Attachment: win32-warn-raw-sockets.diff
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org