Nmap Development mailing list archives

Re: Fragmentation scan


From: Andy Lutomirski <luto () myrealbox com>
Date: Wed, 06 Oct 2004 17:32:51 -0700

Fyodor wrote:

Recent (maybe 2.4+ -- anyone know exactly when it started?) Linux
kernels seem to defragment the packets Nmap sends before sticking them
on the wire :(.  Sadly, raw sockets just don't seem to give Nmap the
level of control it needs on many platforms (Solaris has issues with
adding the don't fragment bit, and Windows SP2 cripples the whole
interfaces).  For this reason, and due to a desire for cool local
network host enumeration techniques such as ARP scan, I think I want
to move Nmap to writing raw ethernet frames in preference to raw
sockets when dealing with ethernet-compatible devices (includes 802.11
wireless devices).  That should resolve many of these problems,
hopefully without adding a bunch of its own.  I haven't researched the
best way to move forward yet -- maybe libdnet, maybe write my own
library.  It needs to work well on Windows, since that is the platform
with the most pathetic raw sockets implementation.
How 'bout just borrowing code from pcapsend.c -- we're already doing this anyway, and the logic shouldn't be different between Windows and other OSes. The nasty part will be ARP. If you're willing to wrap all receive calls in something that can pick ARPs off the wire and to assure that nmap doesn't block except when receiving, then this can be solved nicely in one thread and our Windows problems get solved for free. Otherwise I'll code up an ARP receiver thread, hopefully in a non-Windows-specific manner, which I was planning to do anyway, and the whole mess could be transplanted into the core code.

FWIW, it could be handy to support MAC spoofing of scans. I would have had a good white-hat use for that a couple days ago. An interesting black-hat use comes to mind as well, but I'll leave that to everyone's imagination.

So long as I'm asking, is STL allowed in the core yet? I was planning on using it in the Windows code (where STL is "always" present), but I'll avoid it in pcapsend if that might cause problems later.

--Andy
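The receive-side piece of the ARP discussion above (a wrapper that picks ARPs off the wire) needs to validate a frame before trusting it. The following is an added example, not Nmap or pcapsend.c code: a bounds-checked decoder for an Ethernet II frame carrying an Ethernet/IPv4 ARP request or reply. The struct, function names and the sample frame bytes are constructed for this illustration.

```c
/* Added example, not Nmap code: decode an Ethernet II frame carrying ARP, the
 * check a receive path needs before trusting a reply it picked off the wire.
 * The frame bytes at the bottom are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN 14          /* dst MAC + src MAC + ethertype */
#define ARP_HLEN 28          /* Ethernet/IPv4 ARP body */
#define ETHERTYPE_ARP 0x0806
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2

struct arp_info {
    uint16_t op;
    uint8_t  sender_mac[6], target_mac[6];
    uint32_t sender_ip, target_ip;   /* host byte order */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 1 and fills *out if the frame is a well-formed Ethernet/IPv4 ARP
 * request or reply; returns 0 (and leaves *out untouched) otherwise. */
int parse_arp_frame(const uint8_t *frame, size_t len, struct arp_info *out) {
    if (len < ETH_HLEN + ARP_HLEN) return 0;             /* too short: never index past len */
    if (rd16(frame + 12) != ETHERTYPE_ARP) return 0;     /* wrong ethertype */
    const uint8_t *arp = frame + ETH_HLEN;
    if (rd16(arp) != 1 || rd16(arp + 2) != 0x0800) return 0;  /* htype Ethernet, ptype IPv4 */
    if (arp[4] != 6 || arp[5] != 4) return 0;            /* hlen 6, plen 4 */
    uint16_t op = rd16(arp + 6);
    if (op != ARP_OP_REQUEST && op != ARP_OP_REPLY) return 0;
    out->op = op;
    memcpy(out->sender_mac, arp + 8, 6);
    out->sender_ip = rd32(arp + 14);
    memcpy(out->target_mac, arp + 18, 6);
    out->target_ip = rd32(arp + 24);
    return 1;
}

/* Constructed sample: ARP reply "192.168.1.10 is-at 02:00:00:00:00:0a" sent
 * to 192.168.1.1 (02:00:00:00:00:01). Private-range, illustration-only values. */
const uint8_t sample_arp_reply[ETH_HLEN + ARP_HLEN] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x0a,  0x08,0x06,
    0x00,0x01,  0x08,0x00,  0x06,  0x04,  0x00,0x02,
    0x02,0x00,0x00,0x00,0x00,0x0a,  0xc0,0xa8,0x01,0x0a,
    0x02,0x00,0x00,0x00,0x00,0x01,  0xc0,0xa8,0x01,0x01,
};
struct arp_info last_arp;   /* scratch result, e.g. parse_arp_frame(..., &last_arp) */
```

A capture loop would call parse_arp_frame() on each frame the pcap handle delivers and act only on the frames it accepts; the length check is what keeps a truncated or malformed frame from being read past its end.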
