Rod.. Whitworth wrote:
On Fri, 16 Sep 2005 07:56:25 +0200, Sebastian .Rother wrote:
Hello everybody,
I just wanna know if the nmap-Issue with the -O option will be fixed on
OpenBSD (some day..).
Just a little scan against hakin9.
# nmap -P0 -sV -p22,80,443 -T1 -vvv -O www.hakin9.org
Initiating SYN Stealth Scan against host-ip84-243.crowley.pl
(62.111.243.84) [3 ports] at 07:45
SYN Stealth Scan Timing: About 50.00% done; ETC: 07:46 (0:00:30 remaining)
Discovered open port 22/tcp on 62.111.243.84
Discovered open port 80/tcp on 62.111.243.84
The SYN Stealth Scan took 45.74s to scan 3 total ports.
Initiating service scan against 2 services on host-ip84-243.crowley.pl
(62.111.243.84) at 07:45
The service scan took 7.25s to scan 2 services on 1 host.
For OSScan assuming port 22 is open, 443 is closed, and neither are
firewalled
sendto in send_ip_packet: sendto(3, packet, 60, 0, 62.111.243.84, 16) =>
No route to host
Sleeping 15 seconds then retrying
[and some more Timeouts....*wait wait*...]
The same scan just without the -O option.
# nmap -P0 -sV -p22,80,443 -T1 -vvv www.hakin9.org
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16 07:49
CEST
Initiating SYN Stealth Scan against host-ip84-243.crowley.pl
(62.111.243.84) [3 ports] at 07:49
Discovered open port 80/tcp on 62.111.243.84
SYN Stealth Scan Timing: About 50.00% done; ETC: 07:50 (0:00:30 remaining)
Discovered open port 22/tcp on 62.111.243.84
The SYN Stealth Scan took 45.23s to scan 3 total ports.
Initiating service scan against 2 services on host-ip84-243.crowley.pl
(62.111.243.84) at 07:50
The service scan took 5.76s to scan 2 services on 1 host.
Host host-ip84-243.crowley.pl (62.111.243.84) appears to be up ... good.
Interesting ports on host-ip84-243.crowley.pl (62.111.243.84):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((Aurox Linux))
443/tcp closed https
Nmap finished: 1 IP address (1 host up) scanned in 51.399 seconds
Raw packets sent: 3 (120B) | Rcvd: 6 (260B)
I notice this behavior just on OpenBSD and PF doesn't affect my scan.
And as you can see it works absolutely fine without the -O option.
I don't think it's a nmap-related problem but I wasn't able to figure
out what's the problem on OpenBSD exactly. :-/
I would be happy if somebody (maybe with more experience) could explain
to me how and why the -O option leads to "No Route To Host".
Kind regards,
Sebastian
p.s.
I used a normal x86 (Duron) with OpenBSD 3.8 (Stable).
And here is my result:
======
# nmap -P0 -sV -p22,80,443 -T1 -vvv -O www.hakin9.org
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16
17:29 EST
Initiating SYN Stealth Scan against host-ip84-243.crowley.pl
(62.111.243.84) [3 ports] at 17:29
Discovered open port 80/tcp on 62.111.243.84
SYN Stealth Scan Timing: About 50.00% done; ETC: 17:30 (0:00:30
remaining)
Discovered open port 22/tcp on 62.111.243.84
The SYN Stealth Scan took 45.37s to scan 3 total ports.
Initiating service scan against 2 services on host-ip84-243.crowley.pl
(62.111.243.84) at 17:29
The service scan took 6.40s to scan 2 services on 1 host.
For OSScan assuming port 22 is open, 443 is closed, and neither are
firewalled
Insufficient responses for TCP sequencing (5), OS detection may be less
accurate
Host host-ip84-243.crowley.pl (62.111.243.84) appears to be up ...
good.
Interesting ports on host-ip84-243.crowley.pl (62.111.243.84):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
80/tcp open http Apache httpd 2.0.52 ((Aurox Linux))
443/tcp closed https
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.19 - 2
Fingerprint:
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E)
Uptime 10.357 days (since Tue Sep 6 09:05:08 2005)
TCP Sequence Prediction: Class=unknown class
Difficulty=0 (Trivial joke)
TCP ISN Seq. Numbers: 7E74D804 7F2BA65A 80EEB6C8 82A844B9 8556A140
IPID Sequence Generation: All zeros
Nmap finished: 1 IP address (1 host up) scanned in 626.421 seconds
Raw packets sent: 21 (1200B) | Rcvd: 12 (952B)
[loki:root]
#
======================
Using 3.8beta. I don't know where you got 3.8-stable, AFAIK there is no
such animal yet.
Whatever you have, something other than OpenBSD itself is broken. Unless
you broke it?
From the land "down under": Australia.
Do we look <umop apisdn> from up over?
Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
That surprises me... :-/
I installed 3.8-beta even on my router and I can't figure out why it
isn't working.
Btw: "stable" -> Related to the CVS (-rOPENBSD_3_8).
So it's more the "upcoming" stable of course. :-D
Well but thanks for your answer.
Now I really have to do a little investigation on my private LAN (even PF
was disabled..crazy).
Kind regards,
Sebastian