
nping sends echo requests always to default port '9925' instead of user-defined port #1732

Closed
activehub2 opened this issue Sep 8, 2019 · 1 comment

Comments

@activehub2

commented Sep 8, 2019

Setup Details:

$ uname -a
Linux svtap01end1.bec.broadcom.net 3.11.1-200.fc19.x86_64 #1 SMP Sat Sep 14 15:04:51 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
$ nmap -version
Nmap version 6.45 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.3 openssl-1.0.1e libpcre-8.32 libpcap-1.4.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Started echo server on port 6005

nping --echo-server "public" --echo-port 6005 -e enp0s20u1

Starting Nping 0.6.45 ( http://nmap.org/nping ) at 2019-09-08 09:36 EDT
Packet capture will be performed using network interface enp0s20u1.
Waiting for connections...

From another echo-client machine, I issue a TCP echo request on port 6005:

$ nping --echo-client "public" 10.123.8.231 --tcp -p6005 --flags ack

Starting Nping 0.6.45 ( http://nmap.org/nping ) at 2019-09-08 09:39 EDT
Connection failed.

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 0 (0B) | Rcvd: 0 (0B) | Lost: 0 (0.00%)| Echoed: 0 (0B)
Nping done: 1 IP address pinged in 0.00 seconds

The reason for its failure is seen in tcpdump. It sends a TCP SYN to port '9929' instead of 6005.

$ tcpdump -i enp0s20u2 host 10.123.8.231 and host 10.123.8.110
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s20u2, link-type EN10MB (Ethernet), capture size 65535 bytes
09:39:18.933060 IP 10.123.8.110.48063 > bca12end1.bec.broadcom.net.9929: Flags [S], seq 1341964154, win 29200, options [mss 1460,sackOK,TS val 2280620541 ecr 0,nop,wscale 7], length 0
09:39:18.933317 IP bca12end1.bec.broadcom.net.9929 > 10.123.8.110.48063: Flags [R.], seq 0, ack 1341964155, win 0, length 0

I did the same to 'echo.nmap.org'. I observed that initially it sends a few packets on '9929', then it switches to 6005.

$ nping --echo-client "public" echo.nmap.org --tcp -p6005 --flags ack

Starting Nping 0.6.45 ( http://nmap.org/nping ) at 2019-09-08 10:08 EDT
SENT (1.8993s) TCP 10.123.8.110:48289 > 45.33.32.156:6005 A ttl=64 id=55849 iplen=40 seq=3388445608 win=1480
SENT (2.8995s) TCP 10.123.8.110:48289 > 45.33.32.156:6005 A ttl=64 id=55849 iplen=40 seq=3388445608 win=1480
^C
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 2 (80B) | Rcvd: 0 (0B) | Lost: 2 (100.00%)| Echoed: 0 (0B)
Nping done: 1 IP address pinged in 3.46 seconds

$ tcpdump -i enp0s20u2 host 45.33.32.156
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s20u2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:08:16.133643 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [S], seq 2937137232, win 29200, options [mss 1460,sackOK,TS val 2282357742 ecr 0,nop,wscale 7], length 0
10:08:16.359894 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [S.], seq 4123846735, ack 2937137233, win 65160, options [mss 1460,sackOK,TS val 135671372 ecr 2282357742,nop,wscale 7], length 0
10:08:16.359910 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [.], ack 1, win 229, options [nop,nop,TS val 2282357968 ecr 135671372], length 0
10:08:17.549328 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [P.], seq 1:97, ack 1, win 510, options [nop,nop,TS val 135672560 ecr 2282357968], length 96
10:08:17.549340 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [.], ack 97, win 229, options [nop,nop,TS val 2282359157 ecr 135672560], length 0
10:08:17.551534 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [P.], seq 1:145, ack 97, win 229, options [nop,nop,TS val 2282359160 ecr 135672560], length 144
10:08:17.777816 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [.], ack 145, win 509, options [nop,nop,TS val 135672790 ecr 2282359160], length 0
10:08:17.780398 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [P.], seq 97:209, ack 145, win 509, options [nop,nop,TS val 135672792 ecr 2282359160], length 112
10:08:17.780474 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [P.], seq 145:305, ack 209, win 229, options [nop,nop,TS val 2282359389 ecr 135672792], length 160
10:08:18.007768 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [.], ack 305, win 508, options [nop,nop,TS val 135673020 ecr 2282359389], length 0
10:08:18.008268 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [P.], seq 209:257, ack 305, win 508, options [nop,nop,TS val 135673020 ecr 2282359389], length 48
10:08:18.025700 IP 10.123.8.110.48289 > scanme.nmap.org.6005: Flags [.], ack 2202337094, win 1480, length 0
10:08:18.047424 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [.], ack 257, win 229, options [nop,nop,TS val 2282359656 ecr 135673020], length 0
10:08:19.025903 IP 10.123.8.110.48289 > scanme.nmap.org.6005: Flags [.], ack 1, win 1480, length 0
10:08:19.583582 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [F.], seq 305, ack 257, win 229, options [nop,nop,TS val 2282361192 ecr 135673020], length 0
10:08:19.809455 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [F.], seq 257, ack 306, win 508, options [nop,nop,TS val 135674822 ecr 2282361192], length 0
10:08:19.809466 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [.], ack 258, win 229, options [nop,nop,TS val 2282361418 ecr 135674822], length 0

I believe that if someone wants to try echo-server and echo-client on only one port, it should be accommodated accordingly.

@dmiller-nmap


commented Sep 12, 2019

Nping's echo mode requires the client to specify how to connect to the echo server AND what probes to send that it will receive back from the echo server. The -p option specifies what port to send the probes to, but the echo client will still connect on the default echo port, 9929. You need to use the --echo-port or --ep option to declare which port to use for echo server communication.

As an example, perhaps I know that port 1234 works fine through my network boundary, but I want to know what is modifying traffic on port 80. I would set up an echo server internally, listening on port 1234:

nping --echo-server "hunter2" --echo-port 1234 -e eth0

Then I would connect my echo client over port 1234 to receive the echo responses, and send appropriate probes on port 80:

nping --echo-client "hunter2" --echo-port 1234 example.com --tcp -p80
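Added example (not code from the nping project or from either participant): a small Python parser over tcpdump summary lines like the ones posted above, which separates the echo control connection (default port 9929, changed with --echo-port) from the raw probes (-p) so the two failure patterns in this thread can be told apart. The FAILED_LOCAL and PUBLIC_SERVER samples are constructed from the reporter's captures with the TCP option lists trimmed; it assumes the control port differs from the probe port, as it does here.

```python
import re

# Constructed sample capture lines, shaped after the tcpdump output posted in this issue
# (option lists trimmed). First pair: the failing local echo server; rest: echo.nmap.org.
FAILED_LOCAL = """\
09:39:18.933060 IP 10.123.8.110.48063 > bca12end1.bec.broadcom.net.9929: Flags [S], seq 1341964154, win 29200, length 0
09:39:18.933317 IP bca12end1.bec.broadcom.net.9929 > 10.123.8.110.48063: Flags [R.], seq 0, ack 1341964155, win 0, length 0
"""
PUBLIC_SERVER = """\
10:08:16.133643 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [S], seq 2937137232, win 29200, length 0
10:08:16.359894 IP scanme.nmap.org.9929 > 10.123.8.110.49291: Flags [S.], seq 4123846735, ack 2937137233, win 65160, length 0
10:08:16.359910 IP 10.123.8.110.49291 > scanme.nmap.org.9929: Flags [.], ack 1, win 229, length 0
10:08:18.025700 IP 10.123.8.110.48289 > scanme.nmap.org.6005: Flags [.], ack 2202337094, win 1480, length 0
10:08:19.025903 IP 10.123.8.110.48289 > scanme.nmap.org.6005: Flags [.], ack 1, win 1480, length 0
"""

# tcpdump's one-line TCP summary: "<ts> IP <host>.<port> > <host>.<port>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(capture):
    """Yield (sport, dport, flags) for every line in tcpdump's TCP summary format."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["sport"]), int(m["dport"]), m["flags"]

def analyze(capture, probe_port, intended_echo_port):
    """Separate the echo control connection from the raw probes and judge each.

    The control channel is the only real TCP connection nping opens, so its port is the
    destination of the client's bare SYN; probes are whatever is addressed to probe_port.
    """
    control_port, control_state, probes = None, "no-answer", 0
    for sport, dport, flags in parse(capture):
        if probe_port in (sport, dport):
            probes += 1
            continue
        if flags == "S":                      # client SYN opens the control channel
            control_port = dport
        elif sport == control_port:           # server's reply on the control channel
            if "R" in flags:
                control_state = "refused"     # nothing listening there (the local test)
            elif flags == "S.":
                control_state = "established" # handshake completed (echo.nmap.org)
    return {"control_port": control_port, "control_state": control_state,
            "probes_sent": probes, "echo_port_mismatch": control_port != intended_echo_port}
```

An "echo_port_mismatch" of True with a refused control channel is exactly the first capture in this issue: the client dialled the default 9929 while the server listened on 6005.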