Friday, April 18, 2008

Nmap port scanning

As a network engineer, I find myself using nmap quite a bit. For those of you who don't know what nmap is, nmap.org is a great place to start finding out. :-) But basically, it's a TCP/UDP port scanning tool. It works on Windows and Linux, and even has a pretty GUI (that I don't use... command line all the way!). They have some good tutorials on the site if you don't know how to use it, and in my opinion, every IT professional should know how to use it on a basic level.

Back to my original thought. Was doing some security audits here at work and someone reported that "icmp is open to server X from outside the network." I thought they meant icmp echo (ping). I found that echo is indeed blocked, so they must NOT have meant that. So I remembered that only about 10% of IT people really, actually know their stuff, so I went about trying to reproduce their results.

C:\>nmap -sO X.X.X.X

Starting Nmap 4.60 ( http://insecure.org ) at 2008-04-18 09:56 Eastern Daylight Time
Interesting protocols on X.X.X.X:
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmp

And there it was. Nmap reports that icmp is open. There are a bunch of types of icmp other than echo (but echo is by far the most popular ;) ). But why is it reporting icmp as open?

I'm not 100% sure why, but here is my hypothesis:

From http://nmap.org/book/man-port-scanning-techniques.html I know that when doing a UDP scan, the only way to know if a port is closed is if an ICMP Type 3 Code 3 is returned. So I know that if I did a UDP scan and any ports come back "closed" then technically, icmp is "open", since any said closed ports have been noted as closed due to an icmp message from this server.

However, this thought is now fubar'd since a UDP scan returned no closed ports... hmmm. Really, I'm kinda stumped. I need to find a good way to probe all ICMP messages to see what's supported. Cannot find anything on Google initially... need to dig a bit more. (nmap does not seem to support icmp "scanning".)
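
For reading -sO output like the above, the Nmap reference guide documents the state rules for the IP protocol scan: any reply carried in the probed protocol marks it open, ICMP type 3 code 2 marks it closed, code 3 marks it open, codes 0, 1, 9, 10 and 13 mark it filtered, and silence gives open|filtered. The sketch below is an added example, not code from this post or from Nmap; the function names and sample packets are constructed for illustration.

```python
import struct

# ICMP destination-unreachable (type 3) code -> state, per the Nmap -sO rules
STATE_BY_CODE = {2: "closed", 3: "open",
                 **dict.fromkeys((0, 1, 9, 10, 13), "filtered")}

def ipv4(proto, payload=b""):
    """Constructed IPv4 packet, 192.0.2.10 -> 192.0.2.1, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x01") + payload

def parse_ipv4(pkt):
    """Return (protocol number, payload) of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return pkt[9], pkt[ihl:]

def classify(probed_proto, reply):
    """State of probed_proto after one raw reply (None = no answer at all)."""
    if reply is None:
        return "open|filtered"
    proto, body = parse_ipv4(reply)
    if proto == 1 and len(body) >= 28 and body[0] == 3:
        # Destination unreachable quotes the IP header of the offending probe.
        quoted_proto, _ = parse_ipv4(body[8:])
        if quoted_proto != probed_proto:
            return "open|filtered"   # error refers to a different probe
        # Assumption: type 3 codes outside the documented list tell us nothing.
        return STATE_BY_CODE.get(body[1], "open|filtered")
    # Any reply carried in the probed protocol itself marks it open.
    return "open" if proto == probed_proto else "open|filtered"

def unreachable(code, quoted):
    """Constructed ICMP type 3 message quoting the probe packet."""
    return ipv4(1, bytes([3, code, 0, 0, 0, 0, 0, 0]) + quoted)

SAMPLES = {  # probed protocol -> constructed reply
    1: ipv4(1, bytes(8)),                    # ICMP echo reply (type 0)
    6: unreachable(13, ipv4(6, bytes(8))),   # administratively prohibited
    17: unreachable(3, ipv4(17, bytes(8))),  # port unreachable
    47: unreachable(2, ipv4(47)),            # protocol unreachable
    50: None,                                # silence
}

def report():
    return {proto: classify(proto, reply) for proto, reply in SAMPLES.items()}
```

The man page also notes that the type 3 errors which mark another protocol filtered prove that ICMP is open at the same time, since the error itself is an ICMP message from the target.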
