nmap security problem

aq_mishu · 08-24-2007, 10:47 AM

I was trying to check a host say (www.mydomain.com) using nmap. There basically i should get something like...

Code:

[root@test root]# nmap www.mydomain.com

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-08-24 21:39 UTC
Interesting ports on www.mydomain.com (2.2.2.2):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
3306/tcp open  mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.177 seconds

But i get something like this:...

Code:

[root@test root]# nmap www.adomain.com

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-08-24 21:43 UTC
sendto in send_ip_packet: sendto(3, packet, 40, 0, 3.3.3.3, 16) => Operation not permitted
sendto in send_ip_packet: sendto(3, packet, 40, 0, 3.3.3.3, 16) => Operation not permitted
sendto in send_ip_packet: sendto(3, packet, 40, 0, 3.3.3.3, 16) => Operation not permitted
sendto in send_ip_packet: sendto(3, packet, 40, 0, 3.3.3.3, 16) => Operation not permitted
sendto in send_ip_packet: sendto(3, packet, 40, 0, 3.3.3.3, 16) => Operation not permitted
sendto in send_ip_packet: sendto(3, packet, 40, 0, 3.3.3.3, 16) => Operation not permitted
caught SIGINT signal, cleaning up

This seems to me that the server is very secured and i also tried other options like -sS -sU -v -O -D A.B.C.D

But same result... if this tells me that that remote server is a secured server (since i cant scan that even), then i wanna make my one like this... so others cant scan me using the same way... how??

bsdunix · 08-24-2007, 10:53 AM

See if this thread helps:

http://seclists.org/nmap-dev/2005/q2/0038.html

and this one:

http://www.linuxquestions.org/questi...d.php?t=322152

aq_mishu · 08-24-2007, 11:21 AM

Tried... read... but output is zero...

well, let me explain more... I am sitting on 192.168.0.10 and i was doing nmap on 172.16.0.10

Now when i nmap myself, (192.168.0.10) it gives me results as usual...

but when i nmap 172.16.0.10, it gives me
sendto in send_ip_packet: sendto(3, packet, 40, 0, 172.168.0.10, 16) => Operation not permitted

Now, I dont know why this (172.16.0.10) is responding like this...(it responds to ping) but if this is a good sign of security (because i cant scan that 172.16.0.10) then how can i make my machine (192.168.0.10) exactly like that one (172.168.0.10) so others cant scan me....

bsdunix · 08-24-2007, 02:07 PM

According to the changelog, that was supposed to be fixed in version 3.81:

"Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
UDP headers when scanning protocols 1, 6, and 17, respectively. An
empty IP header is still sent for all other protocols. This should
prevent the error messages such as "sendto in send_ip_packet:
sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
permitted" that Linux (and perhaps other systems) would give when
they try to interpret the raw packet. This also makes it more
likely that these protocols will elicit a response, proving that the
protocol is "open"."

http://insecure.org/nmap/changelog.html

Your using version 3.81, try a newer and see what happens.

aq_mishu · 09-01-2007, 01:38 PM

Trying ....

aq_mishu · 09-01-2007, 01:49 PM

Code:

[root@node1 root]# nmap -sS -sU -O -v -P0 -D 192.168.0.1 'www.mydomain.com'

Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-02 00:46 BDT
caught SIGSEGV signal, cleaning up
Aborted
[root@node1 root]#

This was found when i did the nmap to my server. Also when i do only "nmap www.mydomain.com" i get the same. And same for any other machines. what is it for??

Mishu~~

bsdunix · 09-01-2007, 04:35 PM

http://en.wikipedia.org/wiki/SIGSEGV

Basically you've got a program that's not behaving correctly.

I compiled from source and installed version 4.20 on my Slackware 11.0 box and was able to use nmap without problem.

Did you build 4.20 from source? If so, were there any unusual errors? If you installed from source, there is a rpm version on the download page.

http://download.insecure.org/nmap/di....20-1.i386.rpm