
List:       nmap-dev
Subject:    nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency
From:       "Tom H" <tom () scriptsupport ! co ! uk>
Date:       2003-07-30 22:59:17


Hi,

I was watching an Ethereal trace of the win32 command-line nmap v3.30 while I was scanning a
local network for open RPC ports using the following command:
C:\>nmap -v -p 135 10.0.0.1/24
and noticed that during the scan nmap sends 2 packets with a destination address
of 11.0.0.3, and that these packets are echo replies. The first is sent almost immediately
and the next approximately 12 seconds later.
A whois lookup shows that the netblock is owned by the Defense Intelligence Agency,
Washington, DC, which is interesting, to say the least.

I tested this on a Linux box, and the same packets were not observed, so this seems to be
a win32 version issue. I also repeated this experiment a number of times on Windows 2000
hosts and noticed the same packets produced.

So what's going on there, then? I've included the information about the packet and the
whois result below.

Cheers

T

DUMP FROM FIREWALL OF THE PACKET INFORMATION 

File Version :		5.00.2195.6717
File Description :	NT Kernel & System
File Path :		C:\WINNT\system32\ntoskrnl.exe
Process ID :		8 (Heximal) 8 (Decimal)

Connection origin :	local initiated
Protocol :		ICMP
Local Address : 	10.0.0.3
ICMP Type :		0 (Echo Reply)
ICMP Code : 		0 
Remote Name :			
Remote Address :	11.0.0.3

Ethernet packet details:
Ethernet II (Packet Length: 42)
	Destination: 	00-90-d0-85-97-22
	Source: 	00-01-02-dc-8b-3e
Type: IP (0x0800)
Internet Protocol
	Version: 4
	Header Length: 20 bytes
	Flags:
		.0.. = Don't fragment: Not set
		..0. = More fragments: Not set
	Fragment offset:0
	Time to live: 128
	Protocol: 0x1 (ICMP - Internet Control Message Protocol)
	Header checksum: 0x8c23 (Correct)
	Source: 10.0.0.3
	Destination: 11.0.0.3
Internet Control Message Protocol
	Type: 0 (Echo Reply)
	Code: 0
	Data (4 bytes)

Binary dump of the packet:
0000:  00 90 D0 85 97 22 00 01 : 02 DC 8B 3E 08 00 45 00 | .....".....>..E.
0010:  00 1C 02 50 00 00 80 01 : 23 8C 0A 00 00 03 0B 00 | ...P....#.......
0020:  00 03 00 00 08 3F CB 6C : 2C 54                   | .....?.l,T      

WHOIS LOOKUP OF THE IP ADDRESS

$whois 11.0.0.3

DoD Intel Information Systems (NET-DODIIS)
   Defense Intelligence Agency
   Washington, DC 20301
   US

   Netname: DODIIS
   Netblock: 11.0.0.0 - 11.255.255.255
   Maintainer: DNIC

   Coordinator:
      DoD, Network  (MIL-HSTMST-ARIN)  HOSTMASTER@nic.mil
      (703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749

   Record last updated on 26-Sep-1998.
   Database last updated on  23-Aug-2002 16:56:03 EDT.
The information in this WHOIS database is current as of August 23, 2002,
and has been retained for historical purposes only. For the most current
information, query whois.arin.net or visit http://whois.arin.net.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
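The frame from the post's "Binary dump of the packet", decoded and checked, as an added example; this is not code from the original message or from nmap. FRAME_HEX is transcribed from the 42 bytes in the dump. The script dissects Ethernet II / IPv4 / ICMP, recomputes both checksums with the RFC 1071 algorithm, and counts the bits that differ between the local and remote addresses. The post does not say where the packet comes from, and neither does this example; it only confirms what the dump contains.

```python
"""Decode and verify the 42-byte frame from the post's hex dump.

Added example for this archived message; not code from the post or from
nmap.  FRAME_HEX is transcribed from the "Binary dump of the packet".
"""
import struct

# Transcribed from the post's dump: Ethernet II + IPv4 + ICMP, 42 bytes.
FRAME_HEX = (
    "00 90 D0 85 97 22 00 01 02 DC 8B 3E 08 00 45 00 "
    "00 1C 02 50 00 00 80 01 23 8C 0A 00 00 03 0B 00 "
    "00 03 00 00 08 3F CB 6C 2C 54"
)
FRAME = bytes.fromhex(FRAME_HEX)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of
    16-bit big-endian words.  Used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac(raw: bytes) -> str:
    return "-".join("%02x" % b for b in raw)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Dissect Ethernet II / IPv4 / ICMP echo and recompute both checksums.

    Raises ValueError on anything other than IPv4-over-Ethernet carrying
    ICMP, which is all the post's dump contains."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)

    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     hdr_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    # Header checksum is verified over the header with its own field zeroed.
    hdr_zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]
    ip_info = {
        "total_len": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": _ipv4(src), "dst": _ipv4(dst),
        "checksum": hdr_cksum,
        "checksum_ok": inet_checksum(hdr_zeroed) == hdr_cksum,
    }
    if proto != IPPROTO_ICMP:
        raise ValueError("not ICMP: protocol %d" % proto)

    icmp = ip[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("ICMP message too short")
    icmp_type, icmp_code, icmp_cksum, echo_id, echo_seq = struct.unpack("!BBHHH", icmp[:8])
    icmp_zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    icmp_info = {
        "type": icmp_type, "code": icmp_code, "checksum": icmp_cksum,
        "checksum_ok": inet_checksum(icmp_zeroed) == icmp_cksum,
        # For echo request/reply the 4 bytes after the checksum are the
        # identifier and sequence number fields, not free-form data.
        "id": echo_id, "seq": echo_seq, "data": icmp[8:],
    }
    return {"dst_mac": _mac(dst_mac), "src_mac": _mac(src_mac),
            "ip": ip_info, "icmp": icmp_info}


def addr_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two dotted-quad IPv4 addresses."""
    ia = int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    ib = int.from_bytes(bytes(int(o) for o in b.split(".")), "big")
    return bin(ia ^ ib).count("1")


if __name__ == "__main__":
    d = decode_frame(FRAME)
    print("%s -> %s  ttl=%d  ip-cksum=0x%04x ok=%s" % (
        d["ip"]["src"], d["ip"]["dst"], d["ip"]["ttl"],
        d["ip"]["checksum"], d["ip"]["checksum_ok"]))
    print("icmp type=%d code=%d id=0x%04x seq=0x%04x cksum=0x%04x ok=%s" % (
        d["icmp"]["type"], d["icmp"]["code"], d["icmp"]["id"],
        d["icmp"]["seq"], d["icmp"]["checksum"], d["icmp"]["checksum_ok"]))
    print("bits differing between addresses:",
          addr_bit_distance(d["ip"]["src"], d["ip"]["dst"]))
```

Both checksums verify against the dump. The on-wire IPv4 checksum bytes are 23 8C, i.e. 0x238C in network order; the firewall's "Header checksum: 0x8c23" is the same two bytes rendered in host byte order. The four bytes the dissector labels "Data (4 bytes)" are the echo identifier and sequence number fields (0xCB6C, 0x2C54) of an 8-byte echo reply, so the message carries no payload, and the remote address 11.0.0.3 differs from the local address 10.0.0.3 in a single bit of the first octet. None of this establishes why the packet is sent; it only rules out a corrupt capture.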


