Nmap Development mailing list archives

[patch] *alpha* ip options support for nmap


From: majek04 <nmap () forest one pl>
Date: Fri, 23 Jun 2006 02:14:27 +0200

Hi guys,


I created an option for nmap that adds alpha support for
sending packets with some IP options set.

http://ai.pjwstk.edu.pl/~majek/private/nmap/nmap-4.10-ipopts.diff

If you don't know what IP options are, you
could read RFC 791, pages 16-23.

The most common ip options are:
        Record Route
        Loose Source Route
        Strict Source Route
        Internet Timestamp


** Why can Record Route be useful?
It can be treated as a lightweight version of traceroute,
because it sends only one packet; but it has only 9
slots in which hops can be recorded.

A Record Route packet can also be created using 'ping -R'.
But ping gives only 8 cells for next hops, and nmap can give 9 :)
(normal ping fills the first slot with the local machine's IP).
The second advantage is that nmap can send a packet with RR
to some UDP/TCP port (normal ping sends only an ICMP packet),
so it's possible to gather information about hosts that have ICMP blocked.

Explanation stolen from hping3:
"Record route. Includes the RECORD_ROUTE option in each packet sent and
displays the route buffer of returned packets. Note that the IP
header is only large enough for nine such routes. Many hosts ignore or
discard this option. Also note that using hping you are able to use
record route even if target host filter ICMP. Record route is an IP
option, not an ICMP option, so you can use record route option even in
TCP and UDP mode."

Example:
# ./nmap --ip-options "\x01\x07\x27\x04\x00*36" -P0 -sS -p80 somehost
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:46
Got ip options:
RR{ [bad ptr=40] 172.20.1.2 148.81.175.158 148.81.255.218
195.187.244.193 195.85.195.19 212.76.35.110 <2 hops censored>} EOL
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http


** Why can Strict/Loose Source Route be useful?
"Source Routing is a technique whereby the sender of a packet can
specify the route that a packet should take through the network."

It can be very useful. Believe me :)
Nowadays it's disabled by almost every modern router.
Windows can have problems with this option: MS06-032/CVE-2006-2379.

** Why can Timestamp be useful?
Well, you can get the time since midnight from up to the 9 nearest hops.
If you forget what time it is, this option seems to give
you the answer. Okay, it also gives some other information.
In my opinion the information about how many timestamps were not recorded
is very interesting. It can be read similarly to the TTL field.
If an admin is changing the TTL value on his router, then from
the IP timestamp you can read how many true hops there are to the target.

Basic example, just timestamp request:
# ./nmap --ip-options "\x44\x24\x05\x00\x00*32" -P0 -sS -p80 somehost
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:29
Got ip options:
TM{ [bad ptr=37][11 hosts not recorded] -2122870674 85126786 84580589
84580602 84580597 84580598 84580664 84580663}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

Ouch, eleven hosts were not recorded, and 8 hops were recorded.
A more complicated example, timestamp and IP address:
#./nmap --ip-options "\x44\x24\x05\x01\x00*32" -P0 -sS -p80 somehost
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:34
Got ip options:
TM{ [bad ptr=37][15 hosts not recorded] 10.0.1.2@-2122839231
172.20.1.1@85441233 148.81.255.218@84895027 195.187.244.193@84895039}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

The most complicated one. We want to know what time it is on the hops after
195.187.244.193 (yep, it's possible):
# ./nmap --ip-options "\x44\x24\x05\x03\195\187\244\193\x00*4\x00*24"
-P0 -sS -p80 somehost
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:38
Got ip options:
TM{ [bad ptr=37][6 hosts not recorded] 195.187.244.193@85119712
0.0.0.0@85398836 0.0.0.0@85119643 0.0.0.0@85398837}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

Or, in an even more h4cker way, using 127.0.0.1 :) :
#./nmap --ip-options
"\x44\x24\x05\x03\195\187\244\193\x00*4\127\0\0\1\x00*4\127\0\0\1\x00*4\127\0\0\1\x00*4"
-P0 -sS -p80 somehost
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:39
Got ip options:
TM{ [bad ptr=37][6 hosts not recorded] 195.187.244.193@85154879
127.0.0.1@85434008 127.0.0.1@85154809 127.0.0.1@85434008}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http


You can also try to guess the local IP of some router on the way. Let's try
192.168.0.1:
# ./nmap --ip-options "\x44\x24\x05\x03\192\168\0\1\x00*4\x00*24" -P0
-sS -p80 somehost
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:43
Got ip options:
TM{ [bad ptr=37][6 hosts not recorded] 192.168.0.1@85665985
0.0.0.0@85386743 0.0.0.0@85386743 0.0.0.0@85665985}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

Wow, someone responded for IP 192.168.0.1 :)
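As an added example (not code from the patch or from Nmap), here is a decoder for the Record Route and Timestamp option bytes of a reply, written to reproduce the fields the patch prints for the RR example and the three TS examples above; it also handles the flag 1 and flag 3 timestamp layouts and the NOP/EOL bytes. Timestamps are read as unsigned 32-bit values, whereas the patch's output prints them as signed ints, and the 4-bit overflow field is why "hosts not recorded" never exceeds 15.

```python
# Added example, not code from the patch: decode the Record Route (RR) and
# Internet Timestamp (TS) options of a reply into the fields the patch prints
# (pointer, "hosts not recorded", hops, timestamps). Layout per RFC 791:
# RR = 0x07, len, ptr, 4-byte addresses; TS = 0x44, len, ptr,
# overflow(4 bits)|flag(4 bits), then entries. The pointer is 1-based and names
# the next free slot, so ptr > len means the buffer filled up ("[bad ptr=40]").

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decode_ip_options(opts: bytes) -> list:
    """Return one dict per option found in an IP options block."""
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # EOL ends the list
            result.append({"type": "EOL"})
            break
        if kind == 1:                                   # NOP is a 1-byte pad
            result.append({"type": "NOP"})
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError(f"truncated option at offset {i}")
        length = opts[i + 1]
        body = opts[i:i + length] + b"\x00\x00"          # pad so ptr/flags reads never overrun
        ptr, flags = body[2], body[3]
        if kind == 0x07:                                # Record Route
            used = body[3:max(3, min(ptr - 1, length))] # slots filled so far
            hops = [_ip(used[j:j + 4]) for j in range(0, len(used) // 4 * 4, 4)]
            result.append({"type": "RR", "ptr": ptr, "full": ptr > length, "hops": hops})
        elif kind == 0x44:                              # Internet Timestamp
            oflw, flg = flags >> 4, flags & 0x0F        # 4-bit overflow counter saturates at 15
            used = body[4:max(4, min(ptr - 1, length))]
            if flg == 0:                                # timestamps only, 4 bytes each
                entries = [int.from_bytes(used[j:j + 4], "big") for j in range(0, len(used) // 4 * 4, 4)]
            else:                                       # flag 1 (addr+ts) or 3 (prespecified): 8 bytes
                entries = [(_ip(used[j:j + 4]), int.from_bytes(used[j + 4:j + 8], "big"))
                           for j in range(0, len(used) // 8 * 8, 8)]
            result.append({"type": "TS", "ptr": ptr, "full": ptr > length,
                           "not_recorded": oflw, "flag": flg, "entries": entries})
        else:                                           # any other option: keep its raw data
            result.append({"type": kind, "data": bytes(opts[i + 2:i + length])})
        i += length
    return result

# Constructed sample (not captured traffic): a full RR buffer with nine hops,
# then EOL, as the "\x01\x07\x27\x04\x00*36" request above could come back.
SAMPLE_RR = bytes([1, 7, 39, 40]) + b"".join(bytes([10, 0, 0, n]) for n in range(1, 10)) + b"\x00"
```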



** Usage: how the user input of --ip-options is parsed:
user input              |       data sent in 'options' of ip packet
    // \x?? is parsed as hexadecimal
"\xDE\xAD\xBE\xEF"      ->      [0xDE,0xAD,0xBE,0xEF]
"\x01\x01\x01\x01"      ->      [0x01,0x01,0x01,0x01]
"\x01*4"                ->      [0x01,0x01,0x01,0x01]
    // \??? is parsed as decimal
"\127*4"                ->      [0x7F,0x7F,0x7F,0x7F]
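As an added example (not the patch's own parser), here is an implementation of the parsing rules in the table above. The exact grammar is an assumption taken from the examples in this mail: 1 to 3 decimal digits after a backslash, and "*N" meaning N copies of the preceding byte in total; it also enforces the 40-byte limit of the IP options field.

```python
import re

# Added example, not code from the patch: a parser for the --ip-options string
# syntax shown in the table above. Assumed grammar: "\xHH" is a hex byte,
# "\D".."\DDD" is a decimal byte, and "*N" repeats the byte just before it so
# that it appears N times in total; anything else is rejected. The result is
# also checked against the 40-byte limit of the IP options field.
_TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([0-9]{1,3})|\*([0-9]+)")

def parse_ip_options(spec: str) -> bytes:
    """Turn an --ip-options argument into the raw bytes placed in the IP header."""
    out = bytearray()
    pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {spec[pos:pos + 8]!r}")
        hexbyte, decbyte, repeat = m.groups()
        if repeat is not None:
            if not out:
                raise ValueError("'*' must follow a byte")
            out[-1:] = out[-1:] * int(repeat)           # the byte was already emitted once
        else:
            value = int(hexbyte, 16) if hexbyte is not None else int(decbyte)
            if value > 255:
                raise ValueError(f"decimal escape out of range: \\{decbyte}")
            out.append(value)
        pos = m.end()
    if len(out) > 40:
        raise ValueError(f"IP options are limited to 40 bytes, got {len(out)}")
    return bytes(out)
```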




** Warning #1:
I changed the implementation of the core nmap functions
build_tcp_raw, build_udp_raw and build_icmp_raw. I hope there
aren't any bugs, but I can't guarantee anything. It's an alpha
version :)

** Warning #2:
Watch out when using tcpdump while playing with IP options. It sometimes
has problems computing proper TCP checksums, or fails to
recognize IP options properly.

** Warning #3:
This patch is very basic. User output is very limited
(the IP options of a received packet are printed only right
after that packet is received; in a final version they
should be printed in the normal output, probably per
port (or per host?)).

** Warning #4:
Some providers block packets with IP options set.


Marek Majkowski





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

