ports/154947: Nmap 5.51 cannot scan targets over MPD's PPTP VPN link

Sayetsky Anton vsjcfm at gmail.com
Mon Feb 21 19:50:10 UTC 2011


>Number:         154947
>Category:       ports
>Synopsis:       Nmap 5.51 cannot scan targets over MPD's PPTP VPN link
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 21 19:50:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Sayetsky Anton
>Release:        8.2-RELEASE
>Organization:
>Environment:
FreeBSD jason.localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Sun Feb 20 19:50:02 EET 2011     root at jason.localdomain:/tmp/obj/usr/src/sys/JASON  amd64
>Description:
Nmap 5.51 on 8.2-RELEASE cannot scan any hosts that are routed over MPD's PPTP link when running as root. When running as a normal user, everything seems to be OK. Also, nmap will scan targets over an Ethernet interface.
Here is some info about my system:

root at jason:~# pkg_info | egrep "mpd|libpdel|nmap|lua"
libpdel-0.5.3_4     Packet Design multi-purpose C library for embedded applicat
lua-5.1.4_5         Small, compilable scripting language providing easy access
mpd-5.5             Multi-link PPP daemon based on netgraph(4)
nmap-5.51           Port scanning utility for large networks

root at jason:~# cat /etc/make.conf | grep -v "^#"
CPUTYPE?=core2
CFLAGS= -O2 -fno-strict-aliasing -pipe
COPTFLAGS= -O2 -pipe
DOC_LANG=       en_US.ISO8859-1 ru_RU.KOI8-R
PERL_VERSION=5.10.1

root at jason:~# cat /etc/src.conf
WITHOUT_AMD=
WITHOUT_APM=
WITHOUT_ASSERT_DEBUG=
WITHOUT_ATM=
WITHOUT_BIND_MTREE=
WITHOUT_BIND_NAMED=
WITH_BIND_SIGCHASE=
WITHOUT_BLUETOOTH=
WITHOUT_BSNMP=
WITHOUT_CALENDAR=
WITHOUT_CTM=
WITHOUT_CVS=
WITHOUT_FLOPPY=
WITHOUT_FREEBSD_UPDATE=
WITHOUT_GAMES=
WITHOUT_GCOV=
WITHOUT_GDB=
WITHOUT_GPIB=
WITHOUT_HTML=
WITH_IDEA=
WITHOUT_INET6=
WITHOUT_IPFILTER=
WITHOUT_IPX=
WITHOUT_JAIL=
WITHOUT_KERBEROS=
WITHOUT_LPR=
WITHOUT_NDIS=
WITHOUT_NIS=
WITHOUT_PF=
WITHOUT_PORTSNAP=
WITHOUT_PPP=
WITHOUT_PROFILE=
WITHOUT_QUOTAS=
WITHOUT_RCS=
WITHOUT_ROUTED=
WITHOUT_SHAREDOCS=
WITHOUT_WIRELESS=
WITHOUT_ZFS=

root at jason:~# netstat -rn | grep default
default            ng0                US          0     2809    ng0

root at jason:~# ifconfig ng0
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1456
        inet 193.xxx.xx.xx --> 10.0.128.1 netmask 0xffffffff

root at jason:~# route get scanme.nmap.org
   route to: scanme.nmap.org
destination: default
       mask: default
  interface: ng0
      flags: <UP,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1456         1         0

root at jason:~# ping -c 3 scanme.nmap.org
PING scanme.nmap.org (64.13.134.52): 56 data bytes
64 bytes from 64.13.134.52: icmp_seq=0 ttl=54 time=210.955 ms
64 bytes from 64.13.134.52: icmp_seq=1 ttl=54 time=212.526 ms
64 bytes from 64.13.134.52: icmp_seq=2 ttl=54 time=212.890 ms

--- scanme.nmap.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 210.955/212.124/212.890/0.840 ms

root at jason:~# nmap -F scanme.nmap.org
Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-21 21:34 EET
nexthost: failed to determine route to scanme.nmap.org (64.13.134.52)
QUITTING!

root at jason:~# nping scanme.nmap.org
Starting Nping 0.5.51 ( http://nmap.org/nping ) at 2011-02-21 21:34 EET
Failed to determine route to host 64.13.134.52. Skipping it...
Execution aborted. Nping needs at least one valid target to operate.

jason at jason:~$ id
uid=1001(jason) gid=1001(jason) groups=1001(jason),0(wheel)

jason at jason:~$ nping scanme.nmap.org
Starting Nping 0.5.51 ( http://nmap.org/nping ) at 2011-02-21 21:35 EET
SENT (0.0025s) Starting TCP Handshake > scanme.nmap.org:80 (64.13.134.52:80)
RECV (0.2160s) Handshake with scanme.nmap.org:80 (64.13.134.52:80) completed
SENT (1.0041s) Starting TCP Handshake > scanme.nmap.org:80 (64.13.134.52:80)
RECV (1.2185s) Handshake with scanme.nmap.org:80 (64.13.134.52:80) completed
SENT (2.0065s) Starting TCP Handshake > scanme.nmap.org:80 (64.13.134.52:80)
RECV (2.2210s) Handshake with scanme.nmap.org:80 (64.13.134.52:80) completed
SENT (3.0095s) Starting TCP Handshake > scanme.nmap.org:80 (64.13.134.52:80)
RECV (3.2245s) Handshake with scanme.nmap.org:80 (64.13.134.52:80) completed
SENT (4.0130s) Starting TCP Handshake > scanme.nmap.org:80 (64.13.134.52:80)
RECV (4.2242s) Handshake with scanme.nmap.org:80 (64.13.134.52:80) completed

Max rtt: 214.926ms | Min rtt: 211.175ms | Avg rtt: 213.684ms
TCP connection attempts: 5 | Successful connections: 5 | Failed: 0 (0.00%)
Tx time: 4.01157s | Tx bytes/s: 99.71 | Tx pkts/s: 1.25
Rx time: 4.22274s | Rx bytes/s: 47.36 | Rx pkts/s: 1.18
Nping done: 1 IP address pinged in 4.22 seconds

jason at jason:~$ nmap -F scanme.nmap.org
Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-21 21:35 EET
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.22s latency).
Not shown: 95 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
80/tcp  open   http
113/tcp closed auth
Nmap done: 1 IP address (1 host up) scanned in 18.24 seconds

root at jason:~# nmap -e ng0 scanme.nmap.org
Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-21 21:37 EET
nexthost: failed to determine route to scanme.nmap.org (64.13.134.52)
QUITTING!
>How-To-Repeat:
Fresh-install Nmap 4.51 on 8.1-RELEASE, install mpd, create a PPTP VPN Internet connection, then try to scan any target behind this PPTP link.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
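Added triage helper, not part of the PR or of nmap: it parses the netstat -rn and ifconfig output formats quoted in the report and says whether the egress route for a target carries an IP gateway or only an interface name, and whether that interface is point-to-point with a /32 mask, which is the state of ng0 above. The sample input is constructed from the report; the local ng0 address is redacted there, so the documentation address 192.0.2.10 stands in for it.

```python
import ipaddress
import re

# Constructed sample modelled on the PR output. The local ng0 address is
# redacted in the report, so the documentation address 192.0.2.10 stands in.
NETSTAT_DEFAULT = "default            ng0                US          0     2809    ng0"
IFCONFIG_NG0 = (
    "ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1456\n"
    "        inet 192.0.2.10 --> 10.0.128.1 netmask 0xffffffff\n"
)

def parse_route(line):
    """Split one netstat -rn line into its destination, gateway, flags and netif."""
    dest, gw, flags, _refs, _use, netif = line.split()[:6]
    return {"dest": dest, "gateway": gw, "flags": flags, "netif": netif}

def parse_ifconfig(text):
    """Pull the flag set, address, point-to-point peer and prefix length out of ifconfig."""
    head = re.search(r"^(\w+): flags=[0-9a-f]+<([^>]*)>", text, re.M)
    inet = re.search(r"inet (\S+)(?: --> (\S+))? netmask (0x[0-9a-f]+)", text)
    return {
        "name": head.group(1),
        "flags": set(head.group(2).split(",")),
        "addr": inet.group(1),
        "peer": inet.group(2),                        # None on broadcast links
        "prefixlen": bin(int(inet.group(3), 16)).count("1"),
    }

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def diagnose(route_line, ifconfig_text):
    """Return (next_hop, note): the address a raw-socket sender would have to
    use for this route, and why the route needs special handling."""
    route, iface = parse_route(route_line), parse_ifconfig(ifconfig_text)
    if _is_ip(route["gateway"]):
        return route["gateway"], "route has an IP gateway; an ordinary lookup works"
    # Interface route: the gateway column names the interface, not an address.
    if "POINTOPOINT" in iface["flags"] and iface["prefixlen"] == 32:
        return iface["peer"], (f"{iface['name']} is point-to-point with a /32 mask "
                               "and no IP gateway; only the peer address can act as next hop")
    return None, f"interface route over {iface['name']} with no gateway address"
```

Run `diagnose` on the two outputs captured from the affected host; a result whose note mentions the /32 point-to-point case matches the situation this PR reports, while an IP gateway in the first slot means the route lookup should succeed normally.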


