On Fri, 16 Sep 2005 07:56:25 +0200, Sebastian .Rother wrote:
>Hello everybody,
>
>I just wanna know if the nmap-Issue with the -O option will be fixed on
>OpenBSD (some day..).
>
>Just a little scan against hackin9.
>
># nmap -P0 -sV -p22,80,443 -T1 -vvv -O www.hakin9.org
>Initiating SYN Stealth Scan against host-ip84-243.crowley.pl
>(62.111.243.84) [3 ports] at 07:45
>SYN Stealth Scan Timing: About 50.00% done; ETC: 07:46 (0:00:30 remaining)
>Discovered open port 22/tcp on 62.111.243.84
>Discovered open port 80/tcp on 62.111.243.84
>The SYN Stealth Scan took 45.74s to scan 3 total ports.
>Initiating service scan against 2 services on host-ip84-243.crowley.pl
>(62.111.243.84) at 07:45
>The service scan took 7.25s to scan 2 services on 1 host.
>For OSScan assuming port 22 is open, 443 is closed, and neither are
>firewalled
>sendto in send_ip_packet: sendto(3, packet, 60, 0, 62.111.243.84, 16) =>
>No route to host
>Sleeping 15 seconds then retrying
>[and some more Timeouts....*wait wait*...]
>
>The same scan just without the -O option.
>
># nmap -P0 -sV -p22,80,443 -T1 -vvv www.hakin9.org
>
>Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16 07:49
>CEST
>Initiating SYN Stealth Scan against host-ip84-243.crowley.pl
>(62.111.243.84) [3 ports] at 07:49
>Discovered open port 80/tcp on 62.111.243.84
>SYN Stealth Scan Timing: About 50.00% done; ETC: 07:50 (0:00:30 remaining)
>Discovered open port 22/tcp on 62.111.243.84
>The SYN Stealth Scan took 45.23s to scan 3 total ports.
>Initiating service scan against 2 services on host-ip84-243.crowley.pl
>(62.111.243.84) at 07:50
>The service scan took 5.76s to scan 2 services on 1 host.
>Host host-ip84-243.crowley.pl (62.111.243.84) appears to be up ... good.
>Interesting ports on host-ip84-243.crowley.pl (62.111.243.84):
>PORT    STATE  SERVICE VERSION
>22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
>80/tcp  open   http    Apache httpd 2.0.52 ((Aurox Linux))
>443/tcp closed https
>
>Nmap finished: 1 IP address (1 host up) scanned in 51.399 seconds
>               Raw packets sent: 3 (120B) | Rcvd: 6 (260B)
>
>I notice this behavior just on OpenBSD and PF doesn't affect my scan.
>And as you can see it works absolutely fine without the -O option.
>I don't think it's a nmap-related problem but I wasn't able to figure
>out what's the problem on OpenBSD exactly. :-/
>I would be happy if somebody (maybe with more experience) could explain
>to me how and why the -O option leads to "No Route To Host".
>
>Kind regards,
>Sebastian
>
>p.s.
>I used a normal x86 (Duron) with OpenBSD 3.8 (Stable).
>
>

And here is my result:
======
# nmap -P0 -sV -p22,80,443 -T1 -vvv -O www.hakin9.org

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16 17:29 EST
Initiating SYN Stealth Scan against host-ip84-243.crowley.pl (62.111.243.84) [3 ports] at 17:29
Discovered open port 80/tcp on 62.111.243.84
SYN Stealth Scan Timing: About 50.00% done; ETC: 17:30 (0:00:30 remaining)
Discovered open port 22/tcp on 62.111.243.84
The SYN Stealth Scan took 45.37s to scan 3 total ports.
Initiating service scan against 2 services on host-ip84-243.crowley.pl (62.111.243.84) at 17:29
The service scan took 6.40s to scan 2 services on 1 host.
For OSScan assuming port 22 is open, 443 is closed, and neither are firewalled
Insufficient responses for TCP sequencing (5), OS detection may be less accurate
Host host-ip84-243.crowley.pl (62.111.243.84) appears to be up ... good.
Interesting ports on host-ip84-243.crowley.pl (62.111.243.84):
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
80/tcp  open   http    Apache httpd 2.0.52 ((Aurox Linux))
443/tcp closed https
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.19 - 2 Fingerprint:
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DA
T=E)

Uptime 10.357 days (since Tue Sep 6 09:05:08 2005)
TCP Sequence Prediction: Class=unknown class
                         Difficulty=0 (Trivial joke)
TCP ISN Seq. Numbers: 7E74D804 7F2BA65A 80EEB6C8 82A844B9 8556A140
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 626.421 seconds
               Raw packets sent: 21 (1200B) | Rcvd: 12 (952B)
[loki:root] #
======================

Using 3.8beta. I don't know where you got 3.8-stable, AFAIK there is no
such animal yet.

Whatever you have, something other than OpenBSD itself is broken. Unless
you broke it?

From the land "down under": Australia.
Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.

