Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Nmap Network Scanning

Echo Mode

The "Echo Mode" is a novel technique implemented by Nping which lets users see how network packets change in transit, from the host where they originated to the target machine. Basically, the Echo mode turns Nping into two different pieces: the Echo server and the Echo client. The Echo server is a network service that has the ability to capture packets from the network and send a copy ("echo them") to the originating client through a side TCP channel. The Echo client is the part that generates such network packets, transmits them to the server, and receives their echoed version through a side TCP channel that it has previously established with the Echo server.

This scheme lets the client see the differences between the packets that it sends and what is actually received by the server. By having the server send back copies of the received packets through the side channel, things like NAT devices become immediately apparent to the client because it notices the changes in the source IP address (and maybe even source port). Other devices like those that perform traffic shaping, changing TCP window sizes or adding TCP options transparently between hosts, turn up too.

The Echo mode is also useful for troubleshooting routing and firewall issues. Among other things, it can be used to determine if the traffic generated by the Nping client is being dropped in transit and never gets to its destination or if the responses are the ones that don't get back to it.

Internally, client and server communicate over an encrypted and authenticated channel, using the Nping Echo Protocol (NEP), whose technical specification can be found in http://nmap.org/svn/nping/docs/EchoProtoRFC.txt

The following paragraphs describe the different options available in Nping's Echo mode.

--ec <passphrase>, --echo-client <passphrase> (Run Echo client)

This option tells Nping to run as an Echo client. <passphrase> is a sequence of ASCII characters that is used used to generate the cryptographic keys needed for encryption and authentication in a given session. The passphrase should be a secret that is also known by the server, and it may contain any number of printable ASCII characters. Passphrases that contain whitespace or special characters must be enclosed in double quotes.

When running Nping as an Echo client, most options from the regular raw probe modes apply. The client may be configured to send specific probes using flags like --tcp, --icmp or --udp. Protocol header fields may be manipulated normally using the appropriate options (e.g. --ttl, --seq, --icmp-type, etc.). The only exceptions are ARP-related flags, which are not supported in Echo mode, as protocols like ARP are closely related to the data link layer and its probes can't pass through different network segments.

--es <passphrase>, --echo-server <passphrase> (Run Echo server)

This option tells Nping to run as an Echo server. <passphrase> is a sequence of ASCII characters that is used used to generate the cryptographic keys needed for encryption and authentication in a given session. The passphrase should be a secret that is also known by the clients, and it may contain any number of printable ASCII characters. Passphrases that contain whitespace or special characters must be enclosed in double quotes. Note that although it is not recommended, it is possible to use empty passphrases, supplying --echo-server "". However, if what you want is to set up an open Echo server, it is better to use option --no-crypto. See below for details.

--ep <port>, --echo-port <port> (Set Echo TCP port number)

This option asks Nping to use the specified TCP port number for the Echo side channel connection. If this option is used with --echo-server, it specifies the port on which the server listens for connections. If it is used with --echo-client, it specifies the port to connect to on the remote host. By default, port number 9929 is used.

--nc, --no-crypto (Disable encryption and authentication)

This option asks Nping not to use any cryptographic operations during an Echo session. In practical terms, this means that the Echo side channel session data will be transmitted in the clear, and no authentication will be performed by the server or client during the session establishment phase. When --no-crypto is used, the passphrase supplied with --echo-server or --echo-client is ignored.

This option must be specified if Nping was compiled without openSSL support. Note that, for technical reasons, a passphrase still needs to be supplied after the --echo-client or --echo-server flags, even though it will be ignored.

The --no-crypto flag might be useful when setting up a public Echo server, because it allows users to connect to the Echo server without the need for any passphrase or shared secret. However, it is strongly recommended to not use --no-crypto unless absolutely necessary. Public Echo servers should be configured to use the passphrase "public" or the empty passphrase (--echo-server "") as the use of cryptography does not only provide confidentiality and authentication but also message integrity.

--once (Serve one client and quit)

This option asks the Echo server to quit after serving one client. This is useful when only a single Echo session wants to be established as it eliminates the need to access the remote host to shutdown the server.

--safe-payloads (Zero application data before echoing a packet)

This option asks the Echo server to erase any application layer data found in client packets before echoing them. When the option is enabled, the Echo server parses the packets received from Echo clients and tries to determine if they contain data beyond the transport layer. If such data is found, it is overwritten with zeroes before transmitting the packets to the appropriate Echo client.

Echo servers can handle multiple simultaneous clients running multiple echo sessions in parallel. In order to determine which packet needs to be echoed to which client and through which session, the Echo server uses an heuristic algorithm. Although we have taken every security measure that we could think of to prevent that a client receives an echoed packet that it did not generate, there is always a risk that our algorithm makes a mistake and delivers a packet to the wrong client. The --safe-payloads option is useful for public echo servers or critical deployments where that kind of mistake cannot be afforded.

The following examples illustrate how Nping's Echo mode can be used to discover intermediate devices.

Example 18.2. Discovering NAT devices

    # nping --echo-client "public" echo.nmap.org --udp 

    Starting Nping ( http://nmap.org/nping )
    SENT (1.0970s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28 
    CAPT (1.1270s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28 
    RCVD (1.1570s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16619 iplen=56 
    [...]
    SENT (5.1020s) UDP 10.1.20.128:53 > 178.79.165.17:40125 ttl=64 id=32523 iplen=28 
    CAPT (5.1335s) UDP 80.38.10.21:45657 > 178.79.165.17:40125 ttl=54 id=32523 iplen=28 
    RCVD (5.1600s) ICMP 178.79.165.17 > 10.1.20.128 Port unreachable (type=3/code=3) ttl=49 id=16623 iplen=56 
     
    Max rtt: 60.628ms | Min rtt: 58.378ms | Avg rtt: 59.389ms
    Raw packets sent: 5 (140B) | Rcvd: 5 (280B) | Lost: 0 (0.00%)| Echoed: 5 (140B) 
    Tx time: 4.00459s | Tx bytes/s: 34.96 | Tx pkts/s: 1.25
    Rx time: 5.00629s | Rx bytes/s: 55.93 | Rx pkts/s: 1.00
    Nping done: 1 IP address pinged in 6.18 seconds
    

The output clearly shows the presence of a NAT device in the client's local network. Note how the captured packet (CAPT) differs from the SENT packet: the source address for the original packets is in the reserved 10.0.0.0/8 range, while the address seen by the server is 80.38.10.21, the Internet side address of the NAT device. The source port was also modified by the device. The line starting with RCVD corresponds to the responses generated by the TCP/IP stack of the machine where the Echo server is run.

Example 18.3. Discovering a transparent proxy

    # nping --echo-client "public" echo.nmap.org --tcp -p80

    Starting Nping ( http://nmap.org/nping )
    SENT (1.2160s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480 
    RCVD (1.2180s) TCP 178.79.165.17:80 > 10.0.1.77:41659 SA ttl=128 id=13177 iplen=44  seq=3647106954 win=16384 <mss 1460>
    SENT (2.2150s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480 
    SENT (3.2180s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480 
    SENT (4.2190s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480 
    SENT (5.2200s) TCP 10.0.1.77:41659 > 178.79.165.17:80 S ttl=64 id=3317 iplen=40  seq=567704200 win=1480 
     
    Max rtt: 2.062ms | Min rtt: 2.062ms | Avg rtt: 2.062ms
    Raw packets sent: 5 (200B) | Rcvd: 1 (46B) | Lost: 4 (80.00%)| Echoed: 0 (0B) 
    Tx time: 4.00504s | Tx bytes/s: 49.94 | Tx pkts/s: 1.25
    Rx time: 5.00618s | Rx bytes/s: 9.19 | Rx pkts/s: 0.20
    Nping done: 1 IP address pinged in 6.39 seconds
    

In this example, the output is a bit more tricky. The absence of error messages shows that the Echo client has successfully established an Echo session with the server. However, no CAPT packets can be seen in the output. This means that none of the transmitted packets reached the server. Interestingly, a TCP SYN-ACK packet was received in response to the first TCP-SYN packet (and also, it is known that the target host does not have port 80 open). This behavior reveals the presence of a transparent web proxy cache server (which in this case is an old MS ISA server).

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]