mirror of https://github.com/nmap/nmap.git synced 2025-12-22 15:39:03 +00:00

When handling ICMP ping probe replies, make sure we match up with the
right type of probe (0 with 8, 14 with 13, 18 with 17). With the new
default ping, I was scanning a network where an echo reply would
mistakenly be interpreted as a response to a timestamp request, even
though that host didn't respond to timestamp requests. That host would
become the global ping host, and all its probes would be dropped,
slowing the scan way down. A ping scan of a /24 took over 1,000 seconds
when it should have taken about 10.
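The reply-to-request pairing the commit message describes (0 with 8, 14 with 13, 18 with 17), as an added example that is not nmap's code: a minimal ICMP header parser with RFC 1071 checksum verification and a matcher run over constructed outstanding probes. The struct layouts, the target 10.0.0.5, the identifier/sequence values and the `strict` switch are assumptions for illustration. It shows that, without the type check, an echo reply gets paired with an earlier timestamp probe to the same host, which is the misattribution the commit fixes.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP type numbers from RFC 792 (echo, timestamp) and RFC 950 (address mask). */
#define ICMP_ECHO_REPLY       0
#define ICMP_ECHO_REQUEST     8
#define ICMP_TIMESTAMP_REQ    13
#define ICMP_TIMESTAMP_REPLY  14
#define ICMP_MASK_REQ         17
#define ICMP_MASK_REPLY       18

/* Hypothetical minimal record of a probe we sent (not nmap's UltraProbe). */
struct probe {
    uint32_t dst_ip;     /* host byte order */
    uint8_t  icmp_type;  /* request type we sent */
    uint16_t ident;
    uint16_t seq;
};

/* Fields pulled out of a received ICMP reply. */
struct icmp_reply {
    uint32_t src_ip;
    uint8_t  type;
    uint8_t  code;
    uint16_t ident;
    uint16_t seq;
};

/* The only request type that can produce a given reply type; -1 if not a reply we track. */
int icmp_request_for_reply(uint8_t reply_type)
{
    switch (reply_type) {
    case ICMP_ECHO_REPLY:      return ICMP_ECHO_REQUEST;
    case ICMP_TIMESTAMP_REPLY: return ICMP_TIMESTAMP_REQ;
    case ICMP_MASK_REPLY:      return ICMP_MASK_REQ;
    default:                   return -1;
    }
}

/* RFC 1071 one's-complement checksum over the ICMP message; returns 0 for a valid message. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(buf[i] << 8 | buf[i + 1]);
    if (i < len)
        sum += (uint32_t)(buf[i] << 8);   /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse an ICMP message (IP header already stripped); 0 on success, -1 if short or bad checksum. */
int parse_icmp_reply(const uint8_t *buf, size_t len, uint32_t src_ip, struct icmp_reply *out)
{
    if (len < 8) return -1;
    if (icmp_checksum(buf, len) != 0) return -1;
    out->src_ip = src_ip;
    out->type = buf[0];
    out->code = buf[1];
    out->ident = (uint16_t)(buf[4] << 8 | buf[5]);
    out->seq = (uint16_t)(buf[6] << 8 | buf[7]);
    return 0;
}

/* Index of the outstanding probe this reply answers, or -1. Source address is
 * checked first; with strict != 0 the reply type must correspond to the probe's
 * request type (the check the commit adds); then ident/seq must agree. */
int match_reply(const struct icmp_reply *r, const struct probe *probes, size_t n, int strict)
{
    int want = icmp_request_for_reply(r->type);
    if (want < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (probes[i].dst_ip != r->src_ip) continue;
        if (strict && probes[i].icmp_type != want) continue;  /* no echo reply for a timestamp request */
        if (probes[i].ident != r->ident || probes[i].seq != r->seq) continue;
        return (int)i;
    }
    return -1;
}

/* Constructed input: an 8-byte ICMP header with a valid checksum and no payload. */
size_t build_icmp(uint8_t *buf, uint8_t type, uint16_t ident, uint16_t seq)
{
    memset(buf, 0, 8);
    buf[0] = type;
    buf[4] = (uint8_t)(ident >> 8); buf[5] = (uint8_t)(ident & 0xff);
    buf[6] = (uint8_t)(seq >> 8);   buf[7] = (uint8_t)(seq & 0xff);
    uint16_t c = icmp_checksum(buf, 8);
    buf[2] = (uint8_t)(c >> 8);     buf[3] = (uint8_t)(c & 0xff);
    return 8;
}

/* Scenario from the commit message: 10.0.0.5 has a timestamp probe (sent first) and an
 * echo probe outstanding with the same ident/seq; only an echo reply arrives.
 * Returns the matched probe index: 0 (wrong, timestamp) when loose, 1 (echo) when strict. */
int demo_echo_reply(int strict)
{
    const uint32_t host = 0x0A000005u;  /* 10.0.0.5, assumed target */
    struct probe probes[2] = {
        { host, ICMP_TIMESTAMP_REQ, 0x1234, 1 },
        { host, ICMP_ECHO_REQUEST,  0x1234, 1 },
    };
    uint8_t buf[8];
    size_t len = build_icmp(buf, ICMP_ECHO_REPLY, 0x1234, 1);
    struct icmp_reply r;
    if (parse_icmp_reply(buf, len, host, &r) != 0) return -2;
    return match_reply(&r, probes, 2, strict);
}

int main(void)
{
    printf("loose match -> probe %d, strict match -> probe %d\n",
           demo_echo_reply(0), demo_echo_reply(1));
    return 0;
}
```

The loose matcher is the pre-fix behaviour: a host that answers echo but ignores timestamp requests gets its echo reply credited to the timestamp probe, so the scanner wrongly concludes it responds to timestamps. Pairing reply type with request type before comparing identifiers removes that ambiguity even when several probe types share an ident.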
This commit is contained in:
david
2009-05-27 22:08:24 +00:00
parent fb7456950c
commit 439e991985
2 changed files with 10 additions and 1 deletion


@@ -8,6 +8,10 @@ o There is a new default ping probe set: -PE -PS443 -PA80 -PP. In
ping probes are now sent in order of effectiveness (-PE first) so ping probes are now sent in order of effectiveness (-PE first) so
that less likely probes may not have to be sent. [David/Fyodor] that less likely probes may not have to be sent. [David/Fyodor]
o Fixed a bug where an ICMP echo, timestamp, or address mask reply
could be matched up with the wrong ICMP probe if more than one ICMP
probe type was being sent (as with the new default ping). [David]
o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
searching scan results by date. [David] The error message was searching scan results by date. [David] The error message was
File "zenmapGUI\SearchGUI.pyo", line 816, in set_date File "zenmapGUI\SearchGUI.pyo", line 816, in set_date
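Review bot: the new CHANGELOG entry omits the user-visible symptom; the commit message explains that a mis-paired echo reply made a host the global ping host, so its probes were dropped and a ping scan of a /24 took over 1,000 seconds instead of about 10. A trailing sentence such as "This could make ping scans of some networks extremely slow." would let users tie the fix to what they observed.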


@@ -4190,7 +4190,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
if (current_reason == ER_DESTUNREACH) if (current_reason == ER_DESTUNREACH)
current_reason = ping->code + ER_ICMPCODE_MOD; current_reason = ping->code + ER_ICMPCODE_MOD;
/* Echo reply, Timestamp reply, or Address Mask Reply */ /* Echo reply, Timestamp reply, or Address Mask Reply. RFCs 792 and 950. */
if (USI->ptech.rawicmpscan && (ping->type == 0 || ping->type == 14 || ping->type == 18)) { if (USI->ptech.rawicmpscan && (ping->type == 0 || ping->type == 14 || ping->type == 18)) {
memset(&sin, 0, sizeof(sin)); memset(&sin, 0, sizeof(sin));
sin.sin_addr.s_addr = ip->ip_src.s_addr; sin.sin_addr.s_addr = ip->ip_src.s_addr;
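Review bot: the comment now cites RFCs 792 and 950 for the raw numbers 0, 14 and 18 on the following `if` line, but the numbers themselves stay magic; naming them (the ICMP_ECHOREPLY / ICMP_TIMESTAMPREPLY / ICMP_MASKREPLY constants from <netinet/ip_icmp.h>, or a project-local equivalent if that header is not available on every platform nmap builds on) would make this check self-documenting and keep it in step with the per-type comparisons added later in the same function.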
@@ -4226,6 +4226,11 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
/* Ensure the connection info matches. */ /* Ensure the connection info matches. */
if (hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr) if (hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr)
continue; continue;
/* Don't match a timestamp request with an echo reply, for example. */
if ((ping->type == 0 && probe->pspec()->pd.icmp.type != 8) ||
(ping->type == 14 && probe->pspec()->pd.icmp.type != 13) ||
(ping->type == 18 && probe->pspec()->pd.icmp.type != 17))
continue;
/* Sometimes we get false results when scanning localhost with /* Sometimes we get false results when scanning localhost with
-p- because we scan localhost with src port = dst port and -p- because we scan localhost with src port = dst port and
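Review bot: the new block reads `probe->pspec()->pd.icmp.type` for every probe in the loop without a visible check that the probe is itself an ICMP probe; with the new default set mixing -PE/-PP with -PS443/-PA80, confirm the probes reaching this point are already restricted to ICMP, because for a TCP probe the icmp.type field carries no meaning and the comparison could succeed or fail by accident. Separately, the three hard-coded pairs repeat the reply-type list from the earlier `if (ping->type == 0 || ping->type == 14 || ping->type == 18)`; a small helper mapping reply type to request type (0 to 8, 14 to 13, 18 to 17) used as `if (probe->pspec()->pd.icmp.type != expected) continue;` would define the pairing once and stop the two lists drifting apart.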