Nmap Development mailing list archives

Re: nmap bug: specified source port not honored in version scanning


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Aug 2010 10:14:21 -0600

On Tue, May 18, 2010 at 01:25:26PM -0500, Gabriel Friedmann wrote:
> Bug: Specifying --source-port for nmap scan does not appear to be honored
> in version scanning/NSE
>
> nmap: Version 5.30BETA1
>
> My host: Linux, CentOS 5.5
>
> Please note that the initial port scan behaves as expected, but version
> scanning will not work due to a dynamically selected source port.

I've looked into this, and I'm afraid that setting the source port can't
be supported nicely for normal connect operations, including connect
scan, version detection, and NSE.

The reason that SYN scan and other raw scans are able to set the source
port is that they bypass the kernel. It's possible to set the source
address for normal connections, but only for one socket at a time. When
we use multiple sockets at once, as we do in every scan phase I can
think of, every connection after the first will fail with "Address
already in use".

This is why Nping prints a warning,

# nping --tcp-connect -g 1000 scanme.nmap.org
Warning: Setting a source port in TCP-Connect mode with 5 rounds may not work after the first round. You may want to do just one round (use --count 1).

Nmap prints a warning too,

# nmap -g 1000 -sT scanme.nmap.org
WARNING:  -g is incompatible with the default connect() scan (-sT).  Use a raw scan such as -sS if you want to set the source port.

I've attached a patch, bind-sT.diff, that shows what happens when you
try to bind to a source port during a port scan. The output looks like
this.

# nmap -g 1000 -sT scanme.nmap.org
WARNING:  -g is incompatible with the default connect() scan (-sT).  Use a raw scan such as -sS if you want to set the source port.

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 10:05 MDT
bind success
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind success
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind success
bind: Address already in use
bind: Address already in use
bind: Address already in use
bind: Address already in use

You can see that setting the source port works only intermittently, as
sockets are recycled.

The same problem affects other scan phases. The second attached patch,
magic_port-spoofsource.diff, is a quick hack to make all the connections
that honor -S also try to set the source port.

# nmap -n -Pn -sT -S 192.168.0.21 -g 1000 scanme.nmap.org -p 80 -sC --packet-trace
WARNING:  -S will only affect the source address used in a connect() scan if you specify one of your own addresses.  Use -sS or another raw scan if you want to completely spoof your source address, but then you need to know what you're doing to obtain meaningful results.
WARNING:  -g is incompatible with the default connect() scan (-sT).  Use a raw scan such as -sS if you want to set the source port.

Starting Nmap 5.35DC18 ( http://nmap.org ) at 2010-08-11 10:11 MDT
Warning: File ./nmap-services exists, but Nmap is using /usr/share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
CONN (0.6360s) TCP localhost > 64.13.134.52:80 => Operation now in progress
NSOCK (0.7180s) TCP connection requested to 64.13.134.52:80 (IOD #1) EID 8
NSOCK (0.7190s) TCP connection requested to 64.13.134.52:80 (IOD #2) EID 16
NSOCK (0.7220s) TCP connection requested to 64.13.134.52:80 (IOD #3) EID 24
NSOCK (0.7230s) TCP connection requested to 64.13.134.52:80 (IOD #4) EID 32
NSOCK (0.7230s) nsock_loop() started (timeout=50ms). 4 events pending
NSOCK (0.7240s) Callback: CONNECT ERROR [Cannot assign requested address (99)] for EID 16 [64.13.134.52:80]
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7240s) Callback: CONNECT ERROR [Cannot assign requested address (99)] for EID 24 [64.13.134.52:80]
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7240s) Callback: CONNECT ERROR [Cannot assign requested address (99)] for EID 32 [64.13.134.52:80]
...
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7790s) Callback: SSL-CONNECT ERROR [Cannot assign requested address (99)] for EID 57 [64.13.134.52:80]
NSE: TCP 192.168.0.21:1000 > 64.13.134.52:80 | CONNECT
NSOCK (0.7850s) Callback: CONNECT SUCCESS for EID 8 [64.13.134.52:80]
...
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.068s latency).
PORT   STATE SERVICE
80/tcp open  http
|_html-title: Go ahead and ScanMe!

Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds

Only some of the NSE connections worked. It's mostly random, and
html-title doesn't always win.

I'm going to just augment the documentation to state that setting a
source port doesn't work for connect scans.

David Fifield

Attachment: bind-sT.diff
Attachment: magic_port-spoofsource.diff
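The kernel-side behaviour David describes, reproduced as an added example in C (not part of his message, his patches or Nmap's code): two TCP sockets are alive at once and both try to bind() the same source port on 127.0.0.1, and the second one gets EADDRINUSE; once the first socket is closed the port is recycled and the bind succeeds, which is the intermittent "bind success" in the bind-sT.diff output. Linux loopback is assumed; the function names second_bind_errno and bind_after_close_errno are hypothetical.

```c
/* Added example, not Nmap code. Assumes Linux loopback; names hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* bind() sock to 127.0.0.1:port (0 = let the kernel choose). Returns 0 or errno. */
static int bind_source(int sock, uint16_t port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return bind(sock, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
}

/* Source port the kernel assigned to sock, or 0 if it cannot be read. */
static uint16_t bound_port(int sock) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(sock, (struct sockaddr *)&sa, &len) != 0) return 0;
    return ntohs(sa.sin_port);
}

/* Two sockets open at the same time, one source port: the second bind() fails.
 * Returns that bind()'s errno (EADDRINUSE), or -1 if socket setup failed. */
int second_bind_errno(void) {
    int a = socket(AF_INET, SOCK_STREAM, 0), b = socket(AF_INET, SOCK_STREAM, 0);
    int rc = -1;
    if (a >= 0 && b >= 0 && bind_source(a, 0) == 0)
        rc = bind_source(b, bound_port(a));   /* same 127.0.0.1:port, no SO_REUSEADDR */
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return rc;
}

/* Same port, but the first socket is closed before the second binds: the port
 * is recycled and bind() returns 0, the intermittent "bind success" in the trace. */
int bind_after_close_errno(void) {
    int a = socket(AF_INET, SOCK_STREAM, 0);
    if (a < 0) return -1;
    uint16_t port = bind_source(a, 0) == 0 ? bound_port(a) : 0;
    close(a); if (port == 0) return -1;    /* unconnected socket: no TIME_WAIT */
    int b = socket(AF_INET, SOCK_STREAM, 0);
    if (b < 0) return -1;
    int rc = bind_source(b, port);
    close(b); return rc;
}
```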

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/