ports/116778: security/nmap ping-scan misses some hosts
Mark D. Foster
mark at foster.cc
Tue Oct 2 04:30:07 UTC 2007
The following reply was made to PR ports/116778; it has been noted by GNATS.
From: "Mark D. Foster" <mark at foster.cc>
To: Daniel Roethlisberger <daniel at roe.ch>
Cc: bug-followup at FreeBSD.org
Subject: Re: ports/116778: security/nmap ping-scan misses some hosts
Date: Mon, 01 Oct 2007 21:22:53 -0700
Daniel Roethlisberger wrote:
> Can you verify that it's actually nmap that is either not sending all
> the ICMP Echo Requests you'd expect, or not correctly registering all
> returning ICMP Echo Replies, using tcpdump on all the involved boxes?
>
> Also, please compare what you see on the wire with what nmap claims to
> be doing (enable verbose mode and packet tracing).
>
>
It seems that despite specifying -PE nmap is solely relying on ARP to
determine who is up or not. Also it is not seeing the ARP replies when a
range is used. I'm attaching tcpdump output for just when a range is
used. (e.g. tcpdump -s0 -n -w /tmp/sonar.pcap host 192.168.1.1 or host
192.168.1.2 or host 192.168.1.3)
/usr/local/etc/dansguardian root at sonar>nmap -sP -n -PE --packet-trace
192.168.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:04 PDT
SENT (0.0290s) ARP who-has 192.168.1.1 tell 192.168.1.11
SENT (0.1300s) ARP who-has 192.168.1.1 tell 192.168.1.11
RCVD (0.0300s) ARP reply 192.168.1.1 is-at 00:0F:B5:1F:89:D2
Host 192.168.1.1 appears to be up.
MAC Address: 00:0F:B5:1F:89:D2 (Netgear)
Nmap finished: 1 IP address (1 host up) scanned in 0.825 seconds
/usr/local/etc/dansguardian root at sonar>nmap -sP -n -PE --packet-trace
192.168.1.3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:04 PDT
SENT (0.0290s) ARP who-has 192.168.1.3 tell 192.168.1.11
SENT (0.1300s) ARP who-has 192.168.1.3 tell 192.168.1.11
RCVD (0.0300s) ARP reply 192.168.1.3 is-at 00:B0:D0:7E:6C:7E
Host 192.168.1.3 appears to be up.
MAC Address: 00:B0:D0:7E:6C:7E (Dell Computer)
Nmap finished: 1 IP address (1 host up) scanned in 0.825 seconds
/usr/local/etc/dansguardian root at sonar>nmap -sP -n -PE --packet-trace
192.168.1.1-3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:04 PDT
SENT (0.0290s) ARP who-has 192.168.1.1 tell 192.168.1.11
SENT (0.0290s) ARP who-has 192.168.1.2 tell 192.168.1.11
SENT (0.0290s) ARP who-has 192.168.1.3 tell 192.168.1.11
SENT (0.1300s) ARP who-has 192.168.1.1 tell 192.168.1.11
SENT (0.1300s) ARP who-has 192.168.1.2 tell 192.168.1.11
SENT (0.1300s) ARP who-has 192.168.1.3 tell 192.168.1.11
RCVD (0.0290s) ARP reply 192.168.1.2 is-at 00:B0:D0:47:76:48
Host 192.168.1.2 appears to be up.
MAC Address: 00:B0:D0:47:76:48 (Dell Computer)
Nmap finished: 3 IP addresses (1 host up) scanned in 0.834 seconds
NOTE: If you examine sonar.pcap you will see that all 3 hosts replied,
not just 192.168.1.2.
~ root at franco>nmap -sP -n -PE --packet-trace 192.168.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:11 PDT
SENT (0.0150s) ARP who-has 192.168.1.1 tell 192.168.1.3
SENT (0.1240s) ARP who-has 192.168.1.1 tell 192.168.1.3
RCVD (0.0150s) ARP reply 192.168.1.1 is-at 00:0F:B5:1F:89:D2
Host 192.168.1.1 appears to be up.
MAC Address: 00:0F:B5:1F:89:D2 (Netgear)
Nmap finished: 1 IP address (1 host up) scanned in 0.439 seconds
~ root at franco>nmap -sP -n -PE --packet-trace 192.168.1.2
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:11 PDT
SENT (0.0140s) ARP who-has 192.168.1.2 tell 192.168.1.3
SENT (0.1150s) ARP who-has 192.168.1.2 tell 192.168.1.3
RCVD (0.0140s) ARP reply 192.168.1.2 is-at 00:B0:D0:47:76:48
Host 192.168.1.2 appears to be up.
MAC Address: 00:B0:D0:47:76:48 (Dell Computer)
Nmap finished: 1 IP address (1 host up) scanned in 0.430 seconds
~ root at franco>nmap -sP -n -PE --packet-trace 192.168.1.3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:11 PDT
Host 192.168.1.3 appears to be up.
Nmap finished: 1 IP address (1 host up) scanned in 0.013 seconds
~ root at franco>nmap -sP -n -PE --packet-trace 192.168.1.3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:11 PDT
Host 192.168.1.3 appears to be up.
Nmap finished: 1 IP address (1 host up) scanned in 0.013 seconds
~ root at franco>nmap -sP -n -PE --packet-trace 192.168.1.1-3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:11 PDT
SENT (0.0140s) ARP who-has 192.168.1.1 tell 192.168.1.3
SENT (0.0140s) ARP who-has 192.168.1.2 tell 192.168.1.3
SENT (0.1230s) ARP who-has 192.168.1.1 tell 192.168.1.3
SENT (0.1230s) ARP who-has 192.168.1.2 tell 192.168.1.3
RCVD (0.0140s) ARP reply 192.168.1.2 is-at 00:B0:D0:47:76:48
Host 192.168.1.2 appears to be up.
MAC Address: 00:B0:D0:47:76:48 (Dell Computer)
Host 192.168.1.3 appears to be up.
Nmap finished: 3 IP addresses (2 hosts up) scanned in 0.479 seconds
NOTE: franco's IP is 192.168.1.3. If you examine franco.pcap, you will see
that the other 2 hosts gave ARP replies.
Here is the output from Linux.
root at monk:~# nmap -sP -n -PE --packet-trace 192.168.1.1-3
Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-01 21:20 PDT
SENT (0.0230s) ARP who-has 192.168.1.1 tell 192.168.1.9
SENT (0.0230s) ARP who-has 192.168.1.2 tell 192.168.1.9
SENT (0.0230s) ARP who-has 192.168.1.3 tell 192.168.1.9
RCVD (0.0230s) ARP reply 192.168.1.2 is-at 00:B0:D0:47:76:48
RCVD (0.0230s) ARP reply 192.168.1.3 is-at 00:B0:D0:7E:6C:7E
RCVD (0.0240s) ARP reply 192.168.1.1 is-at 00:0F:B5:1F:89:D2
Host 192.168.1.1 appears to be up.
MAC Address: 00:0F:B5:1F:89:D2 (Netgear)
Host 192.168.1.2 appears to be up.
MAC Address: 00:B0:D0:47:76:48 (Dell Computer)
Host 192.168.1.3 appears to be up.
MAC Address: 00:B0:D0:7E:6C:7E (Dell Computer)
Nmap finished: 3 IP addresses (3 hosts up) scanned in 0.204 seconds
Hope this helps.
--
Said one park ranger, 'There is considerable overlap between the
intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP <mark at foster.cc> http://mark.foster.cc/
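As an added diagnostic example (not part of the PR, nor of nmap itself): a small Python parser that reads the Nmap 4.20 `--packet-trace` line shapes quoted above and reconciles them against the set of hosts an independent tcpdump capture shows answering, so a missed reply like the one reported here is flagged rather than read off by eye. The embedded trace is abbreviated from the sonar range scan above; the pcap set is constructed from the note that all three hosts replied.

```python
import re
from dataclasses import dataclass, field

# Line shapes from the Nmap 4.20 --packet-trace output quoted in the report.
SENT_RE = re.compile(r"^SENT \([\d.]+s\) ARP who-has (\S+) tell (\S+)")
RCVD_RE = re.compile(r"^RCVD \([\d.]+s\) ARP reply (\S+) is-at (\S+)")
UP_RE = re.compile(r"^Host (\S+) appears to be up\.")
FINISHED_RE = re.compile(r"^Nmap finished: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

@dataclass
class Trace:
    probed: set = field(default_factory=set)       # targets nmap sent ARP requests for
    replied: dict = field(default_factory=dict)    # ip -> MAC nmap says it received
    reported_up: set = field(default_factory=set)  # hosts nmap printed as up
    total: int = 0                                 # "N IP addresses" in the summary line
    up_count: int = 0                              # "(N hosts up)" in the summary line

def parse_packet_trace(text):
    """Collect SENT/RCVD/Host/Nmap-finished lines into a Trace."""
    t = Trace()
    for line in text.splitlines():
        if m := SENT_RE.match(line):
            t.probed.add(m.group(1))
        elif m := RCVD_RE.match(line):
            t.replied[m.group(1)] = m.group(2)
        elif m := UP_RE.match(line):
            t.reported_up.add(m.group(1))
        elif m := FINISHED_RE.match(line):
            t.total, t.up_count = int(m.group(1)), int(m.group(2))
    return t

def reconcile(trace, on_wire):
    """Compare nmap's own view with the IPs whose ARP replies were seen in a
    tcpdump capture of the same scan. Returns (probed hosts that answered on
    the wire but nmap never registered, hosts nmap registered a reply for but
    did not report as up)."""
    missed = sorted(ip for ip in on_wire & trace.probed if ip not in trace.replied)
    dropped = sorted(ip for ip in trace.replied if ip not in trace.reported_up)
    return missed, dropped

# Abbreviated from the sonar range scan quoted in the report (nmap's own claim).
SONAR_RANGE_TRACE = """\
SENT (0.0290s) ARP who-has 192.168.1.1 tell 192.168.1.11
SENT (0.0290s) ARP who-has 192.168.1.2 tell 192.168.1.11
SENT (0.0290s) ARP who-has 192.168.1.3 tell 192.168.1.11
RCVD (0.0290s) ARP reply 192.168.1.2 is-at 00:B0:D0:47:76:48
Host 192.168.1.2 appears to be up.
Nmap finished: 3 IP addresses (1 host up) scanned in 0.834 seconds
"""
# Constructed from the report's note that sonar.pcap shows all three hosts replying.
SEEN_IN_PCAP = {"192.168.1.1", "192.168.1.2", "192.168.1.3"}

if __name__ == "__main__":
    print(reconcile(parse_packet_trace(SONAR_RANGE_TRACE), SEEN_IN_PCAP))
```

A non-empty first list means the replies left the hosts but nmap did not count them, which is the receive-side fault the report points at; a non-empty second list would instead point at nmap's host-status bookkeeping.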