Nmap Hackers: [PATCH] improvements and a new(?) type of scan

From: Phil <biondi_at_cartel-securite.fr>
Date: Tue, 2 Apr 2002 16:54:49 +0200 (CEST)

Hi all!

Today I've implemented a new type of scan and some improvements it needs,
which could be used elsewhere. I've attached a patch against nmap-2.54BETA32.

* The possibility of adding comments to the scanned ports.
  The 4 final port categories (open, closed, filtered, unfiltered)
  are fine for statistics, but it can be useful to know whether a port
  is considered filtered because of a timeout or because we
  got an ICMP dest unreachable.

This makes outputs like the following possible:
Port       State       Service
22/tcp     filtered    ssh
23/tcp     filtered    telnet      Blocked (ICMP port-unreachable)
24/tcp     filtered    priv-mail   Blocked (ICMP port-unreachable)
25/tcp     filtered    smtp        Blocked (ICMP port-unreachable)

(note that there is always the problem of ICMP rate limiting:
port 22 is blocked, too)

* A magic IPID number:
  At the beginning, nmap chooses a random magic number. Each time a TCP
  or UDP packet is sent, the IPID is initialised with the destination port
  number XORed with the magic number.
  Now we're able to find the probable related scan port from an ICMP reply,
  even if the TCP citation has been mangled (see later for an application).
  For TCP, the probability can reach 100% because we can then compare the
  sequence number (which we assume is not mangled) of the citation with the
  one we know we have sent.

  One problem is that a victim can easily regroup scan sessions because
  dport ^ ipid = constant.

* A new(?) type of scan:
  Well, I've never seen any references to this technique, nor have I heard
  anybody speaking about it, so I imagine I have the privilege of giving it
  a name. I've chosen "TTL scan". (Please correct me if I'm wrong.)

  This consists of sending packets as in a normal scan, but with a TTL
  small enough to only reach the gateway we want to firewalk.

  If this gateway sends ICMP time exceeded, it usually does so only for
  packets that could have gone through. Otherwise it drops the packet or
  sends an ICMP dest unreach.

Here is an example of what we can get (I need 20 hops to reach google):

./nmap -sS www.google.com -t 19

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on www.google.com (216.239.51.101):
(The 1552 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     UNfiltered  http
443/tcp    UNfiltered  https

Nmap run completed -- 1 IP address (1 host up) scanned in 256 seconds

  This also works well when a machine does DNAT. The ports that are really
  open on this machine are shown as open, and the ports that are
  forwarded (DNATed) are shown as UNfiltered.
  Another interesting thing I noticed for DNAT is that, at least for
  Linux routers, the TTL is decremented after the TCP header is mangled, but
  the ICMP time exceeded citation is not demangled. That means there
  is an info leak about the final destination!
  That's why the magic ID is needed to find which port was scanned to
  get this ICMP.

We can get these kinds of results:

./nmap -sS mymachine -p 22,23,666,667 -t 9

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on AMontsouris-103-1-1-86.abo.wanadoo.fr (193.252.8.86):
Port       State       Service
22/tcp     open        ssh
23/tcp     filtered    telnet
666/tcp    UNfiltered  unknown     DNAT to 192.168.8.10:22
667/tcp    UNfiltered  unknown     DNAT to 192.168.26.10:22

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Well, this is an early patch. I had never looked at the sources of nmap before
today. I tested it only on Linux. I may have broken some of the semantics:
if you don't use -t, nmap will work as usual, but I don't know the exact
result if you use it with -sU. I know it works quite well with -sS and -sA.

Please give me feedback.

ps: Fyodor, I wanted to break it into 3 functional patches, but, well,
    I'll do it only if you ask me to :)

-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

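Added example (editor's code, not Biondi's patch and not nmap's own logic) modelling the three mechanisms in the post offline: the dport ^ magic IPID, its use to tie an ICMP error back to the probe that caused it even when the quoted TCP header was rewritten by DNAT, and the TTL-scan state logic (time exceeded = UNfiltered, port unreachable = filtered with a comment, no answer = filtered). Everything is constructed in memory; nothing is sent. Assumptions not taken from the post: the ICMP error quotes the offending IP header plus the first 8 bytes of TCP (RFC 792 layout), the scanner address 10.0.0.5, the fixed MAGIC value, the sequence numbers, and the port-unreachable reply for port 25. The replies are modelled on the post's "-p 22,23,666,667 -t 9" run against 193.252.8.86.

```python
import socket
import struct

MAGIC = 0x5A17          # nmap picks this at random per scan; fixed here (assumption)
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3   # code under type 3
ICMP_TIME_EXCEEDED = 11
SCANNER, TARGET = "10.0.0.5", "193.252.8.86"   # assumed scanner; target as in the post


def probe_ipid(dport):
    """IPID scheme from the post: destination port XOR the scan's magic number."""
    return (dport ^ MAGIC) & 0xFFFF


def build_probe(src, dst, sport, dport, seq, ttl):
    """IPv4 header + first 8 bytes of TCP (ports, seq): the part an ICMP error quotes.
    Checksums stay zero because these bytes never hit the wire."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, probe_ipid(dport), 0, ttl,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHI", sport, dport, seq)


def dnat(quoted, new_dst, new_dport):
    """The leak the post describes: the DNAT box rewrote dst/dport before the
    TTL check and quotes the rewritten header, not the one we sent."""
    ip, tcp = bytearray(quoted[:20]), bytearray(quoted[20:28])
    ip[16:20] = socket.inet_aton(new_dst)
    tcp[2:4] = struct.pack("!H", new_dport)
    return bytes(ip + tcp)


def icmp_error(icmp_type, code, quoted):
    """ICMP header (type, code, zero checksum, unused word) + quoted datagram."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted


def parse_icmp_error(raw):
    """Return (type, code, quoted_ipid, quoted_dst, quoted_dport, quoted_seq)."""
    icmp_type, code = struct.unpack("!BB", raw[:2])
    q = raw[8:]
    (ipid,) = struct.unpack("!H", q[4:6])
    dport, seq = struct.unpack("!HI", q[22:28])
    return icmp_type, code, ipid, socket.inet_ntoa(q[16:20]), dport, seq


def match_probe(raw, probes):
    """Which probe caused this ICMP error? dport = quoted IPID ^ MAGIC (survives a
    mangled TCP citation), then confirm with the quoted sequence number."""
    _, _, ipid, _, _, seq = parse_icmp_error(raw)
    dport = ipid ^ MAGIC
    p = probes.get(dport)
    return dport if p is not None and p["seq"] == seq else None


def classify(probes, synacks, icmp_replies):
    """TTL-scan port states plus the post's comments. Default is filtered (timeout);
    SYN/ACK means open; time exceeded means the low-TTL probe was forwarded past
    the gateway, i.e. UNfiltered; port unreachable means blocked."""
    states = {d: ("filtered", "") for d in probes}
    for d in synacks:
        states[d] = ("open", "")
    for raw in icmp_replies:
        d = match_probe(raw, probes)
        if d is None:
            continue                      # stray ICMP not tied to this scan
        t, code, _, qdst, qdport, _ = parse_icmp_error(raw)
        if t == ICMP_TIME_EXCEEDED:
            leak = (qdst, qdport) != (probes[d]["dst"], d)
            states[d] = ("UNfiltered", "DNAT to %s:%d" % (qdst, qdport) if leak else "")
        elif t == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH:
            states[d] = ("filtered", "Blocked (ICMP port-unreachable)")
        elif t == ICMP_DEST_UNREACH:
            states[d] = ("filtered", "Blocked (ICMP dest-unreachable, code %d)" % code)
    return states


def observed_magic(probes):
    """The weakness the post admits: an observer XORs dport with IPID and gets the
    same constant for every probe, which links the probes into one scan."""
    values = {d ^ struct.unpack("!H", p["raw"][4:6])[0] for d, p in probes.items()}
    return values.pop() if len(values) == 1 else None


def build_scenario():
    """Constructed replies (assumption) modelled on the post's second run, plus a
    port-unreachable for 25. Returns (probes, synacks, icmp_replies)."""
    probes = {}
    for i, dport in enumerate((22, 23, 25, 666, 667)):
        seq = 0x1000 + i
        probes[dport] = {"seq": seq, "dst": TARGET,
                         "raw": build_probe(SCANNER, TARGET, 40000, dport, seq, ttl=9)}
    icmp_replies = [
        icmp_error(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, probes[25]["raw"]),
        icmp_error(ICMP_TIME_EXCEEDED, 0, dnat(probes[666]["raw"], "192.168.8.10", 22)),
        icmp_error(ICMP_TIME_EXCEEDED, 0, dnat(probes[667]["raw"], "192.168.26.10", 22)),
    ]
    return probes, {22}, icmp_replies     # 23 never answers -> timeout


def run_example():
    probes, synacks, icmp_replies = build_scenario()
    return classify(probes, synacks, icmp_replies)


if __name__ == "__main__":
    for port, (state, comment) in sorted(run_example().items()):
        print("%-8s %-11s %s" % ("%d/tcp" % port, state, comment))
```

The point to notice is in match_probe: the quoted TCP header of the time-exceeded replies for 666 and 667 says dport 22, so a lookup by quoted dport would attribute both to the ssh probe; the IPID, which the DNAT box did not rewrite, gives the real probe back, and the sequence number rules out a coincidental IPID. observed_magic shows the other side of the same design: from the victim's packet capture, dport ^ ipid is constant, so the probes are trivially grouped into one session.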

Received on Apr 02 2002