Nmap Development mailing list archives
Re: nmap bug: specified source port not honored in version scanning
From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Aug 2010 10:14:21 -0600
On Tue, May 18, 2010 at 01:25:26PM -0500, Gabriel Friedmann wrote:
> Bug: Specifying --source-port for nmap scan does not appear to be honored in
> version scanning/NSE
>
> nmap: Version 5.30BETA1
> My host: Linux, CentOS 5.5
>
> Please note that the initial port scan behaves as expected, but version
> scanning will not work due to a dynamically selected source port.

I've looked into this, and I'm afraid that setting the source port can't be
supported nicely for normal connect operations, including connect scan,
version detection, and NSE. The reason that SYN scan and other raw scans are
able to set the source port is that they bypass the kernel. It's possible to
set the source address for normal connections, but only for one socket at a
time. When we use multiple sockets at once, as we do in every scan phase I can
think of, every connection after the first will fail with "Address already in
use". This is why Nping prints a warning,

# nping --tcp-connect -g 1000 scanme.nmap.org
Warning: Setting a source port in TCP-Connect mode with 5 rounds may not work after the first round. You may want to do just one round (use --count 1).

Nmap prints a warning too,

# nmap -g 1000 -sT scanme.nmap.org
WARNING: -g is incompatible with the default connect() scan (-sT). Use a raw scan such as -sS if you want to set the source port.

I've attached a patch, bind-sT.diff, that shows what happens when you try to
bind to a source port during a port scan. The output looks like this.

# nmap -g 1000 -sT scanme.nmap.org
WARNING: -g is incompatible with the default connect() scan (-sT). Use a raw scan such as -sS if you want to set the source port.

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 10:05 MDT
bind success
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind success
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind success
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use

You can see that setting the source port works only intermittently, as
sockets are recycled.

The same problem affects other scan phases. The second attached patch,
magic_port-spoofsource.diff, is a quick hack to make all the connections that
honor -S also try to set the source port.

# nmap -n -Pn -sT -S 192.168.0.21 -g 1000 scanme.nmap.org -p 80 -sC --packet-trace
WARNING: -S will only affect the source address used in a connect() scan if you specify one of your own addresses. Use -sS or another raw scan if you want to completely spoof your source address, but then you need to know what you're doing to obtain meaningful results.
WARNING: -g is incompatible with the default connect() scan (-sT). Use a raw scan such as -sS if you want to set the source port.

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 10:11 MDT
Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
CONN (0.6360s) TCP localhost > 64.13.134.52:80 => Operation now in progress
NSOCK (0.7180s) TCP connection requested to 64.13.134.52:80 (IOD #1) EID 8
NSOCK (0.7190s) TCP connection requested to 64.13.134.52:80 (IOD #2) EID 16
NSOCK (0.7220s) TCP connection requested to 64.13.134.52:80 (IOD #3) EID 24
NSOCK (0.7230s) TCP connection requested to 64.13.134.52:80 (IOD #4) EID 32
NSOCK (0.7230s) nsock_loop() started (timeout=50ms). 4 events pending
NSOCK (0.7240s) Callback: CONNECT ERROR [Cannot assign requested address (99)] for EID 16 [64.13.134.52:80]
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7240s) Callback: CONNECT ERROR [Cannot assign requested address (99)] for EID 24 [64.13.134.52:80]
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7240s) Callback: CONNECT ERROR [Cannot assign requested address (99)] for EID 32 [64.13.134.52:80]
...
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7790s) Callback: SSL-CONNECT ERROR [Cannot assign requested address (99)] for EID 57 [64.13.134.52:80]
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7850s) Callback: CONNECT SUCCESS for EID 8 [64.13.134.52:80]
...
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.068s latency).
PORT   STATE SERVICE
80/tcp open  http
|_html-title: Go ahead and ScanMe!

Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds

Only some of the NSE connections worked. It's mostly random, and html-title
doesn't always win. I'm going to just augment the documentation to state that
setting a source port doesn't work for connect scans.

David Fifield
Attachment: bind-sT.diff
Attachment: magic_port-spoofsource.diff
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
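The bind()/connect() behaviour David describes, reproduced on loopback as an added example. This is not Nmap or nsock code and does not show how nsock itself binds its sockets; the loopback listeners are constructed stand-ins for scanme.nmap.org, and Linux socket semantics are assumed (BSD-derived stacks treat SO_REUSEADDR differently). It shows the three outcomes a connect() scan runs into when every socket is bound to one fixed source port: a second plain bind() fails with EADDRINUSE ("Address already in use", the bind-sT.diff output); with SO_REUSEADDR the bind() succeeds but connect() to the same destination fails with EADDRNOTAVAIL ("Cannot assign requested address", errno 99 on Linux, which is the errno the nsock trace reports, though whether nsock reaches it by this exact route is not shown in the message) because the 4-tuple is already in use; and the same fixed port can be shared only when the destinations differ, which is why the first connection to each target still gets through.

```python
"""Why a fixed source port (-g) cannot be honoured for connect()-based scans.

Added example, not Nmap or nsock code. Each scenario binds several TCP sockets
to one local port and then connect()s, exactly what a connect scan, version
detection or NSE would have to do to honour -g. Linux semantics assumed.
"""
import errno
import socket


def free_port():
    """Ask the kernel for a currently unused TCP port on loopback (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def listener():
    """Constructed stand-in for the scan target: a loopback TCP listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv


def connect_from(source_port, target, reuseaddr):
    """bind() the local end to a fixed port, then connect().

    Returns ("ok", sock) on success, or (step, errno) naming the call that
    failed, mirroring the 'bind: Address already in use' and
    'CONNECT ERROR [Cannot assign requested address (99)]' lines above.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuseaddr:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind(("127.0.0.1", source_port))
    except OSError as e:
        s.close()
        return ("bind", e.errno)
    try:
        s.connect(target)
    except OSError as e:
        s.close()
        return ("connect", e.errno)
    return ("ok", s)


def run_scenario(n_sockets, reuseaddr, distinct_targets):
    """Open n_sockets connections at once, all bound to the same source port.

    With distinct_targets=False every socket connects to the same listener
    (one target, one port, as in the -p 80 trace); with True each socket gets
    its own listener. Returns one outcome label per socket, in order:
    "ok", "bind:EADDRINUSE" or "connect:EADDRNOTAVAIL".
    """
    servers = [listener() for _ in range(n_sockets if distinct_targets else 1)]
    sport = free_port()  # the fixed -g port, chosen fresh per scenario
    open_socks, outcomes = [], []
    try:
        for i in range(n_sockets):
            target = servers[i if distinct_targets else 0].getsockname()
            step, res = connect_from(sport, target, reuseaddr)
            if step == "ok":
                open_socks.append(res)  # keep it open: that is the conflict
                outcomes.append("ok")
            else:
                outcomes.append(f"{step}:{errno.errorcode.get(res, res)}")
    finally:
        for s in open_socks + servers:
            s.close()
    return outcomes


if __name__ == "__main__":
    print("plain bind(), one target:   ", run_scenario(4, False, False))
    print("SO_REUSEADDR, one target:   ", run_scenario(4, True, False))
    print("SO_REUSEADDR, four targets: ", run_scenario(4, True, True))
```

The first scenario is the bind-sT.diff output: the kernel refuses the second bind() while the first socket still owns the port, and the port only becomes available again once that socket is torn down, which is the intermittent "bind success" pattern. The second scenario is the practitioner's caveat: SO_REUSEADDR moves the failure from bind() to connect() rather than removing it, because two established connections cannot share a (source IP, source port, destination IP, destination port) tuple. Only the third scenario, where each socket talks to a different destination, lets a fixed source port coexist with concurrent sockets.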