Nmap Development mailing list archives
Re: Raw IP NSE Functionality
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 23 Feb 2010 15:00:17 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/23/2010 01:39 PM, Patrick Donnelly wrote:
Ok this patch wasn't quite right. I've attached a new one but I'm getting some strange C++ segfault I can't figure out. I'm not going to devote any more time to this since Kris has a viable patch already committed.
Ah, yes, sorry about not mentioning this before you posted. I wanted to put it in there before I got busy today (i.e. right after I committed). I didn't mention it yet because I ended up finding a bug and wanted to investigate first. I don't know if my script is somehow wrong, if it's a bug in the pcap reading, or something entirely different. Using ipidseq on multiple hosts at the same time (hostgroup) somehow gives my script a packet with the same ipid as (what appears to be) the first packet read from the first host read from in the group. It's only the first one, the others are ipids from the real host. This sounds horribly confusing after I read it, so here's something better than my explanation (stripped Nmap output with some debugging in script): NSE: Starting ipidseq against 192.168.10.4. NSE: Starting ipidseq against 192.168.10.3. got ipid 49992 from 192.168.10.4:21 got ipid 49992 from 192.168.10.3:80 got ipid 49994 from 192.168.10.3:80 got ipid 38558 from 192.168.10.4:21 got ipid 49996 from 192.168.10.3:80 got ipid 38559 from 192.168.10.4:21 got ipid 49998 from 192.168.10.3:80 got ipid 38560 from 192.168.10.4:21 got ipid 50000 from 192.168.10.3:80 got ipid 38561 from 192.168.10.4:21 got ipid 50002 from 192.168.10.3:80 ipid #1 = 49992 ipid #2 = 49994 ipid #3 = 49996 ipid #4 = 49998 ipid #5 = 50000 ipid #6 = 50002 NSE: Finished ipidseq against 192.168.10.3. got ipid 38562 from 192.168.10.4:21 ipid #1 = 49992 ipid #2 = 38558 ipid #3 = 38559 ipid #4 = 38560 ipid #5 = 38561 ipid #6 = 38562 NSE: Finished ipidseq against 192.168.10.4. Nmap scan report for 192.168.10.3 Host script results: |_ipidseq: Incremental! [used port 80] Nmap scan report for 192.168.10.4 Host script results: |_ipidseq: Randomized [used port 21] Notice the same "ipid #1" lines for the hosts. Since I couldn't investigate further, this is only a starting point. The address/port combo in the output is from what the script expects it to be (host and port tables; to differentiate output for me), not from the packet itself. However, the pcap filter should be more than adequate in stopping this, so something is wrong. Notice the Randomized report for 192.168.10.4 because of that one when it's really Incremental. It seems to happen every time. I'll try to investigate more when I can, hopefully soon. Thanks, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIcBAEBAgAGBQJLhEHgAAoJEEQxgFs5kUfubRsQALG7/qAuMg6kM6uSrYYlog8G VcRAdOqhOQKWm6kfPK+1keR6ynNrfP1shk30aW7N09YuE0clHelT8xObIgVbGXXq StS4JI696oADKEKqGz24pE0vHvSdKUcH2tmQkVxsNri04gTNb7EcQ5SRYtnDGImH qRDpMg9sV6gAybGDj++9dKXCy6nxlXj5buAX1POqEZfzzx21sDhP5BKeHAoAQ7aB JZ29em7ZUazxXcBn0xw7+kl0qMew4XOq98ZpgqwKntlUpQfeVByzIQ1Ur/pc0GH7 rX7tcX6wvOg3ReAw3nRa5TA1DbkiQ6Vmx8rQu8ghM5f/yM8549ufjM1iUOx+ELdU NR7AnmHe98a1Xuj1Thg4p8O8m3jQNZraR56Hr+Lb/s3VDyrTmkuqasJNW6bbK5bM h+hUPDBzci/k/SwB0FORg/dDcGiBccJd1zjwPzcTKV2yod9dsDt+fd6ZXwEuRn2z pGneY448rmLbyuS7lUzxn3LaWDjXjs3TCY84KKB+vrw8+Idwc7kEWsKDWx+/pk0F dspz6z2NM/as9Lhz1zM/mOBEizfqNgu8vHNBn7MardsXjS4bJ+cquTvg0asRjk9h I868E9U5idgARflCFKrw7EtnmqQgj0HhCNQgLXEMx+cFWM+OmylG5PLvTcrJjVgp /mhxS35qNh6t6TCzBlQs =7pZf -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...), (continued)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) David Fifield (Feb 18)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
- error compiling 5.21 Mike Calmus (Feb 20)
- Re: error compiling 5.21 David Fifield (Feb 22)
- Re: error compiling 5.21 Mike Calmus (Feb 23)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Patrick Donnelly (Feb 17)
- Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
- Re: Raw IP NSE Functionality David Fifield (Feb 23)
- Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
- Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 23)
- Re: Raw IP NSE Functionality David Fifield (Feb 23)
- Re: Raw IP NSE Functionality David Fifield (Feb 25)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 25)
- pcap_register David Fifield (Feb 25)
- Re: pcap_register majek04 (Feb 26)
- Re: pcap_register Kris Katterjohn (Feb 26)
- Re: Raw IP NSE Functionality kx (Feb 25)
- Re: Raw IP NSE Functionality David Fifield (Feb 25)
- Re: Raw IP NSE Functionality Kris Katterjohn (Feb 26)