Re: Nmap ICMP Scan Technical Question

[Robin Wood <robin@digi.ninja>]

On a Linux box, if you are root it will do a SYN scan, if you are a
non-root user it will do a full connect scan.

There is more info here:

https://nmap.org/book/man-port-scanning-techniques.html

Robin

On Fri, 26 Jun 2020, 19:01 Andrew Morrison via dev, <dev () nmap org> wrote:

> Oh.
>
> So unless explicitly turned off or you specify a different scan type, Nmap
> will default to using a SYN stealth scan every time. Ok that makes sense. I
> was over here trying to figure out how ICMP was fingerprinting services ha.
>
> Much appreciated sir for the response!
>
> *Sent from my Verizon Motorola Smartphone*
> On Jun 18, 2020 14:52, Daniel Miller <bonsaiviking () gmail com> wrote:
>
> Andrew,
>
> Thanks for the question. Nmap is, at its heart, a port scanner. This means
> that unless you tell it otherwise, it will always perform a port scan. You
> have added several different -P* options to tell Nmap how to perform host
> discovery, but unless you add the -sn option to tell it to skip the port
> scan phase, it will act as though you have provided the -sS option. So it
> is not the ICMP probes that are determining port state, but actual TCP
> probes.
>
> Dan
>
> On Sat, Jun 13, 2020 at 7:06 PM Andrew Morrison via dev <dev () nmap org>
> wrote:
>
> I have a technical question on how Nmap uses different ICMP ping and probe
> types to return information on remote hosts that I hope you would do me a
> huge favor in answering.  I was recently running a segmentation test
> (authorized, of course) to prepare for a PCI assessment and I've found that
> this particular network has been hardened against using an Idle scan (I
> tried to use a shared-service anti-virus managment server open to both CDE
> and non-CDE networks as the zombie) by a stateful firewall, so I went to
> look for more scanning options.  I've read about the PP and PM switches
> before, but I've actually never used it because other scan techniques
> usually got me the information I was looking for.
>
> Let's say my scan command was: nmap -PE -PP -PM -oN ICMP-discovery-probes
> -iL in-scope.txt
>
> I understand the -PP switch can return the local timestamp on the remote
> host and the -PM switch can return the netmask of said remote host.  I know
> I'm scanning Windows machines, so I expected to see ports like 135, 445 and
> such open if a scan was successful, and I did see those, among many others,
> but it didn't return so many open ports that I can safely assume some
> firewall or other device is affecting the scan output or filtering the
> requests.  The scan even returned some ports that were explicitly closed.
> See an excerpt:
> 21/tcp    open  ftp
> 22/tcp    open  ssh
> 25/tcp    open  smtp
> 135/tcp   open  msrpc
> 445/tcp   open  microsoft-ds
> 1100/tcp  open  mctp
> 2006/tcp  closed invokator
> 2191/tcp  closed tvbus
> 2800/tcp  closed acc-raid
> 3389/tcp  open  ms-wbt-server
> 8192/tcp  open  sophos
> 8193/tcp  open  sophos
> 8194/tcp  open  sophos
> 8400/tcp  open  cvd
> 8402/tcp  open  abarsd
> 49152/tcp open  unknown
> 49153/tcp open  unknown
> 49154/tcp open  unknown
> 49155/tcp open  unknown
>
> When reading through your host discovery man page on the Nmap website, the
> section under ICMP Ping Types only says that code 14 and 18 probes
> "discloses that the host is available".  So my question is: I don't
> understand how Nmap leverages the ICMP probes to identify these open
> ports.  I was under the assumption that ICMP sends a specific code and
> expects a specific response code from the remote host.  Can you perhaps
> shed a little light on this one?
>
> *Andrew*
> *@enoire3*
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/