List: nmap-dev
Subject: nmap 3.30 on win32 sending naughty packets to Defense Intelligence Agency
From: "Tom H" <tom () scriptsupport ! co ! uk>
Date: 2003-07-30 22:59:17
Hi,
I was watching an ethereal trace of the win32 command line nmap v3.30, while I was scanning a
local network for open rpc ports using the following command
C:\>nmap -v -p 135 10.0.0.1/24
and noticed that during the scan, nmap sends 2 packets with a destination address
of 11.0.0.3, and that these packets are echo replies. The first is sent almost immediately
and the next approximately 12 seconds later.
A whois lookup shows that the netblock is owned by Defense Intelligence Agency,
Washington, DC. Which is interesting, to say the least.
I tested this on a linux box, and the same packets were not observed, so this seems to be
a win32 version issue. I also repeated this experiment a number of times on windows 2000
hosts and noticed the same packets produced.
So what's going on there then? I've included the information about the packet and the
whois result below.
Cheers
T
DUMP FROM FIREWALL OF THE PACKET INFORMATION
File Version : 5.00.2195.6717
File Description : NT Kernel & System
File Path : C:\WINNT\system32\ntoskrnl.exe
Process ID : 8 (Heximal) 8 (Decimal)
Connection origin : local initiated
Protocol : ICMP
Local Address : 10.0.0.3
ICMP Type : 0 (Echo Reply)
ICMP Code : 0
Remote Name :
Remote Address : 11.0.0.3
Ethernet packet details:
Ethernet II (Packet Length: 42)
Destination: 00-90-d0-85-97-22
Source: 00-01-02-dc-8b-3e
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x8c23 (Correct)
Source: 10.0.0.3
Destination: 11.0.0.3
Internet Control Message Protocol
Type: 0 (Echo Reply)
Code: 0
Data (4 bytes)
Binary dump of the packet:
0000: 00 90 D0 85 97 22 00 01 : 02 DC 8B 3E 08 00 45 00 | .....".....>..E.
0010: 00 1C 02 50 00 00 80 01 : 23 8C 0A 00 00 03 0B 00 | ...P....#.......
0020: 00 03 00 00 08 3F CB 6C : 2C 54 | .....?.l,T
WHOIS LOOKUP OF THE IP ADDRESS
$whois 11.0.0.3
DoD Intel Information Systems (NET-DODIIS)
Defense Intelligence Agency
Washington, DC 20301
US
Netname: DODIIS
Netblock: 11.0.0.0 - 11.255.255.255
Maintainer: DNIC
Coordinator:
DoD, Network (MIL-HSTMST-ARIN) HOSTMASTER@nic.mil
(703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749
Record last updated on 26-Sep-1998.
Database last updated on 23-Aug-2002 16:56:03 EDT.
The information in this WHOIS database is current as of August 23, 2002,
and has been retained for historical purposes only. For the most current
information, query whois.arin.net or visit http://whois.arin.net.
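Added example (not part of the original post, and not nmap's or the firewall's own code): a small Python decoder for the frame in the dump above. It parses the Ethernet, IP and ICMP headers, recomputes both checksums from the raw bytes, and flags an outbound echo reply whose destination lies outside the range given on the nmap command line. The frame bytes are copied from the firewall's binary dump; the scan-target string, the function names and the "stray reply" check are my own.

```python
"""Decode the 42-byte frame from the firewall dump and sanity-check it."""
import struct
from ipaddress import ip_address, ip_network

# Hex bytes copied from the "Binary dump of the packet" in the post
# (offsets and ASCII column dropped).
FRAME_HEX = (
    "00 90 D0 85 97 22 00 01 02 DC 8B 3E 08 00 45 00 "
    "00 1C 02 50 00 00 80 01 23 8C 0A 00 00 03 0B 00 "
    "00 03 00 00 08 3F CB 6C 2C 54"
)
FRAME = bytes.fromhex(FRAME_HEX)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 + ICMP and verify the two checksums."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame: ethertype 0x{eth_type:04x}")

    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Recompute the header checksum with the checksum field zeroed.
    zeroed_hdr = ip[:10] + b"\x00\x00" + ip[12:ihl]

    pkt = {
        "eth_dst": eth_dst.hex("-"),
        "eth_src": eth_src.hex("-"),
        "total_len": total_len,
        "ident": ident,
        "ttl": ttl,
        "proto": proto,
        "src": str(ip_address(src)),
        "dst": str(ip_address(dst)),
        "ip_header_checksum": hdr_csum,
        "ip_checksum_ok": inet_checksum(zeroed_hdr) == hdr_csum,
    }

    if proto == IPPROTO_ICMP:
        payload = ip[ihl:total_len]
        icmp_type, icmp_code, icmp_csum = struct.unpack("!BBH", payload[:4])
        zeroed_icmp = payload[:2] + b"\x00\x00" + payload[4:]
        pkt.update({
            "icmp_type": icmp_type,
            "icmp_code": icmp_code,
            "icmp_checksum": icmp_csum,
            "icmp_checksum_ok": inet_checksum(zeroed_icmp) == icmp_csum,
            "icmp_rest": payload[4:],  # the "Data (4 bytes)" in the dump
        })
    return pkt


def is_stray_echo_reply(pkt: dict, scan_target: str) -> bool:
    """True for an echo reply whose destination is outside the scanned range.

    scan_target is the CIDR as typed on the nmap command line, e.g.
    "10.0.0.1/24" (strict=False lets the host bits through).
    """
    if pkt.get("icmp_type") != ICMP_ECHO_REPLY:
        return False
    return ip_address(pkt["dst"]) not in ip_network(scan_target, strict=False)


if __name__ == "__main__":
    decoded = parse_frame(FRAME)
    for key, value in decoded.items():
        print(f"{key:20} {value!r}")
    print("stray reply:", is_stray_echo_reply(decoded, "10.0.0.1/24"))
```

Running it shows both checksums verify against the bytes on the wire (the IP header checksum is 0x238c in network order; the firewall log prints the same two bytes swapped as 0x8c23), and the 11.0.0.3 destination is flagged as outside 10.0.0.0/24. The same two functions can be pointed at any other hex dump from the trace to compare the stray replies against the legitimate scan traffic.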