Re: nmap on OpenBSD 4.5 -stable and OpenBSD -current (4.6)

[Brandon Enright <bmenrigh () ucsd edu>]

Hi Vijay, sorry I'm typing this on a phone.  This sounds like a  
problem with Nmap not interpreting the ARP response properly.  Others  
have reported similar problems with non-Linux OSes recently.  Would  
you be willing to capture the ARP request and ARP reponse with tcpdump  
for us?  There is a chance our ARP response identification and parsing  
code needs improvement.

Brandon

Sent from my phone.  If you would like a digital signature for this  
email let me know and I will sign it later.


On Jul 22, 2009, at 4:50, Vijay Sankar <vsankar () foretell ca> wrote:

> Hi,
>
> Just thought I would report the following in case there are any  
> simple things I can do to help out. If there is, please let me know.
>
> I am not able to run nmap as root (--send-ip works, however) on  
> OpenBSD 4.5 -stable. Compiled it with a ./configure, make and make  
> install. Zenmap works very well with OpenBSD's Python 2.5.4 package.  
> Also tried OpenBSD -current as of 1430 hours CDT July 22, 2009 with  
> the same results.
>
> As a regular user,
>
> server11$ nmap -v -A server2.sankars.local
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-21 23:28 CDT
> NSE: Loaded 30 scripts for scanning.
> Initiating Ping Scan at 23:28
> Scanning 10.0.0.102 [2 ports]
> Completed Ping Scan at 23:28, 0.00s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 23:28
> Completed Parallel DNS resolution of 1 host. at 23:28, 0.00s elapsed
> Initiating Connect Scan at 23:28
> Scanning server2.sankars.local (10.0.0.102) [1000 ports]
> Discovered open port 22/tcp on 10.0.0.102
> Discovered open port 139/tcp on 10.0.0.102
> Discovered open port 445/tcp on 10.0.0.102
> Discovered open port 6000/tcp on 10.0.0.102
> Increasing send delay for 10.0.0.102 from 0 to 5 due to 44 out of  
> 146 dropped probes since last increase.
> Completed Connect Scan at 23:29, 18.11s elapsed (1000 total ports)
> Initiating Service scan at 23:29
> Scanning 4 services on server2.sankars.local (10.0.0.102)
> Completed Service scan at 23:29, 11.02s elapsed (4 services on 1 host)
> NSE: Script scanning 10.0.0.102.
> NSE: Starting runlevel 1 scan
> Initiating NSE at 23:29
> Completed NSE at 23:29, 0.47s elapsed
> NSE: Starting runlevel 2 scan
> Initiating NSE at 23:29
> Completed NSE at 23:29, 0.02s elapsed
> NSE: Script Scanning completed.
> Host server2.sankars.local (10.0.0.102) is up (0.00013s latency).
> Interesting ports on server2.sankars.local (10.0.0.102):
> Not shown: 996 closed ports
> PORT     STATE SERVICE     VERSION
> 22/tcp   open  ssh         OpenSSH 5.2 (protocol 2.0)
> |  ssh-hostkey: 1024 85:fd:f8:d7:23:2b:35:cc:88:6c:69:01:51:53:70:24  
> (DSA)
> |_ 2048 43:4c:30:6b:16:f6:25:7d:ed:34:af:2a:42:88:8a:69 (RSA)
> 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
> 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
> 6000/tcp open  X11         (access denied)
> Service Info: OS: Unix
>
> Host script results:
> |_ nbstat: ERROR: Name query failed: ERROR
> |  smb-os-discovery: Unix
> |  LAN Manager: Samba 3.0.33
> |  Name: MYGROUP\Unknown
> |_ System time: 2009-07-21 23:29:14 UTC-5
>
> Read data files from: /usr/local/share/nmap
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ 
>  .
> Nmap done: 1 IP address (1 host up) scanned in 29.78 seconds
>
> As root,
>
> server11# nmap -v -A server2.sankars.local
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-21 23:43 CDT
> NSE: Loaded 30 scripts for scanning.
> Initiating ARP Ping Scan at 23:43
> Scanning 10.0.0.102 [1 port]
> Completed ARP Ping Scan at 23:43, 0.23s elapsed (1 total hosts)
> Read data files from: /usr/local/share/nmap
> Note: Host seems down. If it is really up, but blocking our ping  
> probes, try -PN
> Nmap done: 1 IP address (0 hosts up) scanned in 0.58 seconds
>          Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
>
> server11# nmap -v -PN server2.sankars.local
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-21 23:43 CDT
> NSE: Loaded 0 scripts for scanning.
> Initiating ARP Ping Scan at 23:43
> Scanning 10.0.0.102 [1 port]
> Completed ARP Ping Scan at 23:43, 0.23s elapsed (1 total hosts)
> Read data files from: /usr/local/share/nmap
> Nmap done: 1 IP address (0 hosts up) scanned in 0.28 seconds
>          Raw packets sent: 2 (84B) | Rcvd: 0 (0B)
>
> server11# nmap -v --send-ip -A server2.sankars.local
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-21 23:34 CDT
> NSE: Loaded 30 scripts for scanning.
> Initiating Ping Scan at 23:34
> Scanning 10.0.0.102 [4 ports]
> Completed Ping Scan at 23:34, 2.01s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 23:34
> Completed Parallel DNS resolution of 1 host. at 23:34, 0.00s elapsed
> Initiating SYN Stealth Scan at 23:34
> Scanning server2.sankars.local (10.0.0.102) [1000 ports]
> Discovered open port 445/tcp on 10.0.0.102
> Increasing send delay for 10.0.0.102 from 0 to 5 due to 11 out of 12  
> dropped probes since last increase.
> Discovered open port 139/tcp on 10.0.0.102
> Discovered open port 22/tcp on 10.0.0.102
> Increasing send delay for 10.0.0.102 from 5 to 10 due to  
> max_successful_tryno increase to 4
> Increasing send delay for 10.0.0.102 from 10 to 20 due to  
> max_successful_tryno increase to 5
> Increasing send delay for 10.0.0.102 from 20 to 40 due to 11 out of  
> 17 dropped probes since last increase.
> Increasing send delay for 10.0.0.102 from 40 to 80 due to  
> max_successful_tryno increase to 6
> Increasing send delay for 10.0.0.102 from 80 to 160 due to  
> max_successful_tryno increase to 7
> Increasing send delay for 10.0.0.102 from 160 to 320 due to  
> max_successful_tryno increase to 8
> SYN Stealth Scan Timing: About 10.37% done; ETC: 23:39 (0:04:28  
> remaining)
> SYN Stealth Scan Timing: About 19.47% done; ETC: 23:39 (0:04:12  
> remaining)
> SYN Stealth Scan Timing: About 28.57% done; ETC: 23:40 (0:03:48  
> remaining)
> SYN Stealth Scan Timing: About 37.67% done; ETC: 23:40 (0:03:20  
> remaining)
> SYN Stealth Scan Timing: About 46.67% done; ETC: 23:40 (0:02:53  
> remaining)
> Discovered open port 6000/tcp on 10.0.0.102
> SYN Stealth Scan Timing: About 55.77% done; ETC: 23:40 (0:02:24  
> remaining)
> SYN Stealth Scan Timing: About 64.87% done; ETC: 23:40 (0:01:54  
> remaining)
> SYN Stealth Scan Timing: About 73.97% done; ETC: 23:40 (0:01:25  
> remaining)
> SYN Stealth Scan Timing: About 83.07% done; ETC: 23:40 (0:00:55  
> remaining)
> Completed SYN Stealth Scan at 23:40, 329.18s elapsed (1000 total  
> ports)
> Initiating Service scan at 23:40
> Scanning 4 services on server2.sankars.local (10.0.0.102)
> Completed Service scan at 23:40, 11.02s elapsed (4 services on 1 host)
> Initiating OS detection (try #1) against server2.sankars.local (10.0.0.102 
> )
> adjust_timeouts2: packet supposedly had rtt of -519693  
> microseconds.  Ignoring time.
> NSE: Script scanning 10.0.0.102.
> NSE: Starting runlevel 1 scan
> Initiating NSE at 23:40
> Completed NSE at 23:40, 0.45s elapsed
> NSE: Starting runlevel 2 scan
> Initiating NSE at 23:40
> Completed NSE at 23:40, 0.02s elapsed
> NSE: Script Scanning completed.
> Host server2.sankars.local (10.0.0.102) is up (-2.0s latency).
> Interesting ports on server2.sankars.local (10.0.0.102):
> Not shown: 996 closed ports
> PORT     STATE SERVICE     VERSION
> 22/tcp   open  ssh         OpenSSH 5.2 (protocol 2.0)
> |  ssh-hostkey: 1024 85:fd:f8:d7:23:2b:35:cc:88:6c:69:01:51:53:70:24  
> (DSA)
> |_ 2048 43:4c:30:6b:16:f6:25:7d:ed:34:af:2a:42:88:8a:69 (RSA)
> 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
> 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
> 6000/tcp open  X11         (access denied)
> MAC Address: 00:22:19:A8:C4:4F (Dell)
> Device type: general purpose
> Running: OpenBSD 3.X|4.X
> OS details: OpenBSD 3.9 - 4.4
> Uptime guess: 0.000 days (since Tue Jul 21 23:40:26 2009)
> Network Distance: 1 hop
> TCP Sequence Prediction: Difficulty=245 (Good luck!)
> IP ID Sequence Generation: Randomized
> Service Info: OS: Unix
>
> Host script results:
> |_ nbstat: ERROR: Name query failed: ERROR
> |  smb-os-discovery: Unix
> |  LAN Manager: Samba 3.0.33
> |  Name: MYGROUP\Unknown
> |_ System time: 2009-07-21 23:40:31 UTC-5
>
> Read data files from: /usr/local/share/nmap
> OS and Service detection performed. Please report any incorrect  
> results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 348.49 seconds
>          Raw packets sent: 1154 (53.448KB) | Rcvd: 1147 (47.460KB)
>
> Thanks very much,
>
> Vijay
>
> --
> Vijay Sankar, M.Eng., P.Eng.
> ForeTell Technologies Limited
> 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
> Phone: (204) 885-9535, E-Mail: vsankar () foretell ca
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org