Nmap Development mailing list archives

Re: Raw IP NSE Functionality

From: David Fifield <david () bamsoftware com>
Date: Tue, 23 Feb 2010 20:43:29 -0700

On Tue, Feb 23, 2010 at 03:00:17PM -0600, Kris Katterjohn wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/23/2010 01:39 PM, Patrick Donnelly wrote:

Ok this patch wasn't quite right. I've attached a new one but I'm
getting some strange C++ segfault I can't figure out. I'm not going to
devote any more time to this since Kris has a viable patch already
committed.


Ah, yes, sorry about not mentioning this before you posted.  I wanted to put
it in there before I got busy today (i.e. right after I committed).  I didn't
mention it yet because I ended up finding a bug and wanted to investigate first.

I don't know if my script is somehow wrong, if it's a bug in the pcap reading,
or something entirely different. Using ipidseq on multiple hosts at the same
time (hostgroup) somehow gives my script a packet with the same ipid as (what
appears to be) the first packet read from the first host read from in the
group.  It's only the first one, the others are ipids from the real host.
This sounds horribly confusing after I read it, so here's something better
than my explanation (stripped Nmap output with some debugging in script):

NSE: Starting ipidseq against 192.168.10.4.
NSE: Starting ipidseq against 192.168.10.3.
got ipid 49992 from 192.168.10.4:21
got ipid 49992 from 192.168.10.3:80
got ipid 49994 from 192.168.10.3:80
got ipid 38558 from 192.168.10.4:21
got ipid 49996 from 192.168.10.3:80
got ipid 38559 from 192.168.10.4:21
got ipid 49998 from 192.168.10.3:80
got ipid 38560 from 192.168.10.4:21
got ipid 50000 from 192.168.10.3:80
got ipid 38561 from 192.168.10.4:21
got ipid 50002 from 192.168.10.3:80
ipid #1 = 49992
ipid #2 = 49994
ipid #3 = 49996
ipid #4 = 49998
ipid #5 = 50000
ipid #6 = 50002
NSE: Finished ipidseq against 192.168.10.3.
got ipid 38562 from 192.168.10.4:21
ipid #1 = 49992
ipid #2 = 38558
ipid #3 = 38559
ipid #4 = 38560
ipid #5 = 38561
ipid #6 = 38562
NSE: Finished ipidseq against 192.168.10.4.

Nmap scan report for 192.168.10.3
Host script results:
|_ipidseq: Incremental! [used port 80]

Nmap scan report for 192.168.10.4
Host script results:
|_ipidseq: Randomized [used port 21]


Notice the same "ipid #1" lines for the hosts.


I'm seeing this too.

=== 192.168.0.190:22    C0A800BE -> C0A80015 id 6583
=== 192.168.0.1:23      C0A800BE -> C0A80015 id 6583
=== 192.168.0.190:22    C0A800BE -> C0A80015 id 9671
=== 192.168.0.1:23      C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22    C0A800BE -> C0A80015 id 14775
=== 192.168.0.1:23      C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22    C0A800BE -> C0A80015 id 48365
=== 192.168.0.1:23      C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22    C0A800BE -> C0A80015 id 30125
=== 192.168.0.1:23      C0A80001 -> C0A80015 id 0
=== 192.168.0.190:22    C0A800BE -> C0A80015 id 60377
=== 192.168.0.1:23      C0A80001 -> C0A80015 id 0

It doesn't happen every time. (The C0... above are IP addresses from the
packets.) It seems to be related to the "cancelled" message here:

NSOCK (0.2980s) PCAP requested on device 'eth0' with berkeley filter 'tcp and dst host 192.168.0.21 and src host 
192.168.0.1 and src port 23' (promisc=0 snaplen=68 to_ms=200) (IOD #2)
NSOCK (0.2980s) PCAP created successfully on device 'eth0' (pcap_desc=8 bsd_hack=0 to_valid=1 l3_offset=14) (IOD #2)
SENT (1.6160s) TCP 192.168.0.21:8559 > 192.168.0.1:23 S ttl=128 id=21969 iplen=44  seq=2057940271 win=3072 <mss 1460>
NSOCK (0.2980s) Pcap read request from IOD #2  EID 21
NSOCK (1.6160s) nsock_loop() started (timeout=50ms). 2 events pending
NSOCK (1.6160s) Callback: READ-PCAP SUCCESS for EID 13
NSOCK (1.6160s) Event #21 (type READ-PCAP) cancelled

That comes from nsock_event_cancel, called from ncap_request_set_result.
It looks like the event is getting cancelled, but the result is still
getting through somehow.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...), (continued)
- - - Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
    - error compiling 5.21 Mike Calmus (Feb 20)
    - Re: error compiling 5.21 David Fifield (Feb 22)
    - Re: error compiling 5.21 Mike Calmus (Feb 23)
    - Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Patrick Donnelly (Feb 17)
    - Re: Raw IP NSE Functionality (Was Re: [NSE] Raw ethernet frame questions ...) Kris Katterjohn (Feb 17)
    - Re: Raw IP NSE Functionality David Fifield (Feb 23)
    - Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
    - Re: Raw IP NSE Functionality Patrick Donnelly (Feb 23)
    - Re: Raw IP NSE Functionality Kris Katterjohn (Feb 23)
    - Re: Raw IP NSE Functionality David Fifield (Feb 23)
    - Re: Raw IP NSE Functionality David Fifield (Feb 25)
    - Re: Raw IP NSE Functionality Kris Katterjohn (Feb 25)
    - pcap_register David Fifield (Feb 25)
    - Re: pcap_register majek04 (Feb 26)
    - Re: pcap_register Kris Katterjohn (Feb 26)
    - Re: Raw IP NSE Functionality kx (Feb 25)
    - Re: Raw IP NSE Functionality David Fifield (Feb 25)
    - Re: Raw IP NSE Functionality Kris Katterjohn (Feb 26)