Nmap Announce mailing list archives
[PATCH] improvements and a new(?) type of scan
From: Phil <biondi () cartel-securite fr>
Date: Tue, 2 Apr 2002 16:54:49 +0200 (CEST)
Hi all!

I've implemented today a new type of scan and some improvements needed by it, that could be used elsewhere. I attached a patch against nmap-2.54BETA32.

* The possibility to add comments to the scanned ports.

The 4 final port categories (open, closed, filtered, unfiltered) are fine for statistics, but it can be useful to know if a port is considered as filtered because of a timeout or if we got an ICMP dest unreachable. This gives the possibility of outputs like:

Port       State       Service
22/tcp     filtered    ssh
23/tcp     filtered    telnet       Blocked (ICMP port-unreachable)
24/tcp     filtered    priv-mail    Blocked (ICMP port-unreachable)
25/tcp     filtered    smtp         Blocked (ICMP port-unreachable)

(note that there is always the problem of the ICMP rate limitation: port 22 is blocked, too)

* A magic IPID number:

At the beginning, nmap chooses a random magic number. Each time a TCP or UDP packet is sent, the IPID is initialised with the dest port number XOR-ed with the magic number. Now we're able to find a probable related scan port with an ICMP reply, even if the TCP citation has been mangled (see later for application). For TCP, the probability can reach 100% because we can then compare the sequence number (which we assume not mangled) of the citation with the one we know we have sent.

One problem is that a victim can easily regroup scan sessions because dport ^ ipid = constant.

* A new(?) type of scan:

Well, I've never seen any references to this technique nor have I heard anybody speaking about it, so I imagine I have the privilege to give it a name. I've chosen the TTL scan. (Please correct me if I'm wrong.)

This consists in sending packets as in a normal scan, but with a TTL small enough to only reach the gateway we want to firewalk. If this gateway sends ICMP time exceeded, it usually does so only for packets that could have gone through. Else it drops the packet or sends an ICMP dest unreach.
Here is an example of what we can get (I need 20 hops to reach google):

./nmap -sS www.google.com -t 19

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on www.google.com (216.239.51.101):
(The 1552 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     UNfiltered  http
443/tcp    UNfiltered  https

Nmap run completed -- 1 IP address (1 host up) scanned in 256 seconds

This also works well when a machine does DNAT. The ports that are really opened on this machine are shown as open, and the ports that are forwarded (DNATed) are shown as UNfiltered.

Another interesting thing that I noticed for DNAT is that, at least for Linux routers, the TTL is decremented after the TCP header is mangled, but the ICMP time exceeded citation is not demangled. That means that there is an info leak about the final destination! That's why the magic ID is needed to find which port was scanned to get this ICMP. We can get those types of results:

./nmap -sS mymachine -p 22,23,666,667 -t 9

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on AMontsouris-103-1-1-86.abo.wanadoo.fr (193.252.8.86):
Port       State       Service
22/tcp     open        ssh
23/tcp     filtered    telnet
666/tcp    UNfiltered  unknown      DNAT to 192.168.8.10:22
667/tcp    UNfiltered  unknown      DNAT to 192.168.26.10:22

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Well, this is an early patch. I never looked at the sources of nmap before today. I tested it only on Linux. I may have broken some of the semantics: if you don't use -t, nmap will work as usual, but I don't know the exact result if you use it with -sU. I know it works quite well with -sS and -sA. Please give me feedback.
PS: Fyodor, I wanted to break it into 3 functional patches, but, well, I'll do it only if you ask me to :)

--
Philippe Biondi <biondi@ cartel-securite.fr>
Cartel Sécurité
Security Consultant/R&D
http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94
Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
Attachment:
ttlscan.diff
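The patch itself is not reproduced on this page. As an added illustration (example code written for this page, not Phil's nmap patch), the following Python models the two mechanisms the post describes: tagging each probe's IP ID with dport XOR magic, and then, for each reply coming back from the gateway under test, recovering the scanned port from the ICMP citation's IP ID, confirming it against the sequence number we sent, and reporting a DNAT-rewritten citation the way the sample output does. The gateway/target address, the inside host, the port numbers and the magic value are all made up for the example, the Linux DNAT behaviour is emulated from the post's description rather than observed, and every packet is constructed bytes: nothing is put on the wire.

```python
"""Reply classification for a TTL scan using the "magic IPID" trick.

Hypothetical example, not Phil's nmap patch.  IP ID = dport XOR magic on
the way out; on the way back the ICMP citation's IP ID names the probed
port even if DNAT rewrote the quoted TCP header, and the ISN confirms it.
"""
import random
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10
UNREACH_CODES = {1: "host-unreachable", 3: "port-unreachable", 13: "admin-prohibited"}


def ip_header(src, dst, proto, ttl, ip_id, total_len):
    # 20-byte IPv4 header, no options.  Checksum left 0: a raw-socket sender
    # lets the kernel fill it in, and the parser below never verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport, seq, ack, flags):
    # 20-byte TCP header (data offset 5), window 1024, checksum and urg 0.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)


class TTLScan:
    def __init__(self, target, ttl, magic=None):
        self.target, self.ttl = target, ttl   # ttl: just enough to die at the gateway
        self.magic = random.getrandbits(16) if magic is None else magic
        self.sent = {}                        # dport -> ISN of the SYN aimed at it

    def ip_id_for(self, dport):
        return (dport ^ self.magic) & 0xFFFF

    def probe(self, src, sport, dport):
        """Build the SYN for dport, tagging its IP ID so a later ICMP can be tied back."""
        seq = random.getrandbits(32)
        self.sent[dport] = seq
        tcp = tcp_header(sport, dport, seq, 0, TH_SYN)
        return ip_header(src, self.target, IPPROTO_TCP, self.ttl,
                         self.ip_id_for(dport), 20 + len(tcp)) + tcp

    def classify(self, pkt):
        """One reply -> {'port', 'state', 'comment', 'confirmed'}, or None if unrelated."""
        ihl = (pkt[0] & 0x0F) * 4
        proto, body = pkt[9], pkt[ihl:]
        if proto == IPPROTO_TCP:
            # A TCP answer means the host at this TTL owns the port itself.
            sport, _dp, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", body[:14])
            if flags & (TH_SYN | TH_ACK) == (TH_SYN | TH_ACK):
                return {"port": sport, "state": "open", "comment": "", "confirmed": True}
            if flags & TH_RST:
                return {"port": sport, "state": "closed", "comment": "", "confirmed": True}
            return None
        if proto != IPPROTO_ICMP:
            return None
        itype, code, cite = body[0], body[1], body[8:]      # cite = quoted datagram
        cihl = (cite[0] & 0x0F) * 4
        cited_id = struct.unpack("!H", cite[4:6])[0]
        cited_dst = socket.inet_ntoa(cite[16:20])
        _c_sport, c_dport, c_seq = struct.unpack("!HHI", cite[cihl:cihl + 8])
        # The IP ID survives DNAT, so XOR-ing the magic back out names the probed port.
        port = cited_id ^ self.magic
        confirmed = self.sent.get(port) == c_seq               # ISN assumed unmangled
        if itype == ICMP_TIME_EXCEEDED:
            state, comment = "UNfiltered", ""                   # gateway would have forwarded it
            if cited_dst != self.target or c_dport != port:     # citation already rewritten
                comment = "DNAT to %s:%d" % (cited_dst, c_dport)
        elif itype == ICMP_DEST_UNREACH:
            state = "filtered"
            comment = "Blocked (ICMP %s)" % UNREACH_CODES.get(code, "code %d" % code)
        else:
            return None
        return {"port": port, "state": state, "comment": comment, "confirmed": confirmed}


def icmp_error(gw, dst, itype, code, original):
    # Constructed ICMP error quoting the first 28 bytes of the offending datagram.
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + original[:28]
    return ip_header(gw, dst, IPPROTO_ICMP, 64, 0, 20 + len(icmp)) + icmp


def dnat_mangle(probe, new_dst, new_dport):
    # Emulates the Linux-router behaviour described in the post: dst address and
    # TCP dport rewritten before the TTL check, IP ID and sequence number untouched.
    ihl = (probe[0] & 0x0F) * 4
    ip = probe[:16] + socket.inet_aton(new_dst) + probe[20:ihl]
    return ip + probe[ihl:ihl + 2] + struct.pack("!H", new_dport) + probe[ihl + 4:]


def demo():
    # Addresses, ports and the magic value are made up for the example.
    scan, src, gw = TTLScan("193.252.8.86", ttl=9, magic=0x5A3C), "10.0.0.5", "193.252.8.86"
    results = {}
    # 666/tcp: gateway DNATs it inside, then quotes the rewritten header (the info leak).
    mangled = dnat_mangle(scan.probe(src, 40000, 666), "192.168.8.10", 22)
    results[666] = scan.classify(icmp_error(gw, src, ICMP_TIME_EXCEEDED, 0, mangled))
    # 23/tcp: gateway refuses it with port-unreachable.
    results[23] = scan.classify(icmp_error(gw, src, ICMP_DEST_UNREACH, 3, scan.probe(src, 40001, 23)))
    # 22/tcp: the gateway itself answers SYN/ACK, so the port is open on it.
    scan.probe(src, 40002, 22)
    synack = ip_header(gw, src, IPPROTO_TCP, 64, 1, 40) + tcp_header(
        22, 40002, 0x11223344, (scan.sent[22] + 1) & 0xFFFFFFFF, TH_SYN | TH_ACK)
    results[22] = scan.classify(synack)
    return results


if __name__ == "__main__":
    for port, r in sorted(demo().items()):
        print("%d/tcp  %-11s %s" % (port, r["state"], r["comment"]))
```

Running it prints the three rows in the same shape as the post's second listing: 22 open, 23 filtered with the blocked comment, 666 UNfiltered with the DNAT target. The DNAT detection relies on exactly the property the post points out, that the IP ID and the sequence number come back unchanged while the cited destination does not; a router that demangled its citations (or rewrote the ID) would leave only the unconfirmed "probable" mapping.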
-------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- [PATCH] improvements and a new(?) type of scan Phil (Apr 02)
- Re: [PATCH] improvements and a new(?) type of scan Darren Reed (Apr 02)
- Re: [PATCH] improvements and a new(?) type of scan L. Walker (May 22)