Nmap Development mailing list archives

[SCRIPT] traceroute tools: 0trace and RecordRoute + nsock source port specification


From: majek04 <majek04+nmap-dev () gmail com>
Date: Sat, 18 Aug 2007 05:18:43 +0200

Good news everyone!

I'm really happy to see my code being included in mainline.
It's a good time to reveal more NSE scripts.

This time two traceroute-related scripts:
* 0trace is an implementation of Lcamtuf's 0trace [1] idea.
The basic idea is to inject packets with small TTLs into an
established TCP/IP connection. If the packet is dropped
by some firewall after NAT, we'll receive an ICMP error message,
and there will be a different destination IP inside the ICMP payload.

* IP Record Route is an option at the IP level. It records up to nine hops
along the packet's way. The advantage is that it's done using a single IP packet.

As a bonus, I provided support for specifying the source port in the
nsock library. The discussion is in [2].
After applying my patch you can select the source port for the connection.
For example, in Lua it could look like this:
  conn:connect(host.ip, port.number, "udp", 53)


Changes:
 - source port support for nsock and NSE
 - new 0trace script
 - new recordroute script
 - (old) updated p0f and promiscuous scripts
 - fixes to the current nse-pcap (for example, a fix for the garbage collector)
 - some packet parsing functions are exported to lualib/packet.lua
 - new "unregister" function included in nse-pcap api
 - new interface for sending raw ip packets dnet.ip_send()


Sample use of 0trace and recordroute:
# ./nmap -n -sS -p22 --script=0trace.nse,recordroute.nse reddit.com
Starting Nmap 4.22SOC3 ( http://insecure.org )
Interesting ports on 208.96.53.70:
PORT    STATE    SERVICE
22/tcp  open     ssh
|_ ip RR: X.X.32.57 X.X.32.20 X.X.32.233 64.125.23.5 64.125.23.14 64.125.0.166 64.125.0.165 64.125.0.172 64.125.0.179
|_ 0trace: X.X.167.252 X.X.32.1 X.X.32.1 213.186.32.234 213.186.32.34 213.186.32.234 64.125.23.6 64.125.23.9 64.125.27.225 64.125.31.186 64.125.30.226 64.125.26.33 64.125.30.217 64.124.196.6 208.96.31.16 ack:208.96.53.70

Patch against 4.22SOC4 can be found at [3].

The patch was successfully tested on WinXP and Linux. Can anyone
confirm it works on Mac?

[1] http://seclists.org/fulldisclosure/2007/Jan/0145.html
[2] http://seclists.org/nmap-dev/2007/q2/index.html#311
[3] http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap/nmap-4.22S4-nsepcap-update2.diff

I'm waiting for feedback!

Cheers!
 Marek Majkowski

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
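Added example, not part of the post above and not code from Nmap or the NSE scripts it announces: a pure-stdlib Python parser for the two wire formats the two scripts depend on, the IP Record Route option (type 7, nine address slots) that the recordroute script reads back, and the ICMP Time Exceeded message whose quoted inner header 0trace inspects for a destination address that differs from the one you connected to. The packets it runs on are constructed by hand here (addresses, ports and hop list are invented for the demonstration), and the helper that builds them leaves the IP checksum at zero since nothing in the example verifies checksums.

```python
"""Added example (not from the post or from Nmap): parse IP Record Route
options and ICMP Time Exceeded quotes from constructed packets."""
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_TIME_EXCEEDED = 11


def build_rr_option(slots=9):
    """Empty Record Route option: type, length (3 + 4*slots), pointer (1-based,
    starts at 4 = first slot), then the slots. Nine slots is the most that fits
    in the 40-byte IP option area, hence 'up to nine hops'."""
    if not 1 <= slots <= 9:
        raise ValueError("RR option holds 1..9 addresses")
    return bytes([IPOPT_RR, 3 + 4 * slots, 4]) + b"\x00" * (4 * slots)


def parse_rr_option(opt):
    """Addresses routers have already stamped into an RR option: everything
    before the pointer is filled, the pointer names the next free slot."""
    if len(opt) < 3 or opt[0] != IPOPT_RR or opt[1] > len(opt) or opt[2] > opt[1] + 1:
        raise ValueError("not a well-formed Record Route option")
    filled = opt[3:opt[2] - 1]
    if len(filled) % 4:
        raise ValueError("RR pointer not on an address boundary")
    return [socket.inet_ntoa(filled[i:i + 4]) for i in range(0, len(filled), 4)]


def parse_ip_options(raw):
    """Split the IPv4 option area into (type, bytes) pairs. EOL ends the list,
    NOP is a single byte, everything else carries its own length byte."""
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("truncated or malformed IP option")
        opts.append((t, raw[i:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts


def parse_ipv4(pkt):
    """Minimal IPv4 header parser; checksum is not verified."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "options": parse_ip_options(pkt[20:ihl]),
            "payload": pkt[ihl:max(total, ihl)]}


def recorded_route(pkt):
    """Hop list from every RR option in a packet (what recordroute prints)."""
    return [a for t, o in parse_ipv4(pkt)["options"] if t == IPOPT_RR for a in parse_rr_option(o)]


def parse_time_exceeded(pkt):
    """(hop, quoted_dst, quoted_ttl) from an ICMP Time Exceeded: the outer
    source is the router that dropped the probe; the inner header quoted after
    the 8-byte ICMP header shows the probe as that router saw it."""
    outer = parse_ipv4(pkt)
    icmp = outer["payload"]
    if outer["proto"] != IPPROTO_ICMP or len(icmp) < 8 or icmp[0] != ICMP_TIME_EXCEEDED:
        raise ValueError("not an ICMP Time Exceeded message")
    inner = parse_ipv4(icmp[8:])
    return outer["src"], inner["dst"], inner["ttl"]


def zerotrace_report(pkt, connected_to):
    """0trace's per-hop observation: if the quoted destination differs from the
    address we dialed, a NAT rewrote it before the TTL expired."""
    hop, qdst, _ = parse_time_exceeded(pkt)
    return hop if qdst == connected_to else f"{hop} (dst rewritten to {qdst})"


def build_ipv4(src, dst, proto, payload, ttl=64, options=b""):
    """Constructed-packet helper: options padded to 4 bytes, checksum left 0."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload


def sample_rr_reply():
    """Constructed echo reply whose RR option three routers have stamped."""
    opt = bytearray(build_rr_option(9))
    for i, hop in enumerate(["10.0.0.1", "10.0.1.1", "10.0.2.1"]):
        opt[3 + 4 * i:7 + 4 * i] = socket.inet_aton(hop)
    opt[2] = 4 + 12  # pointer past the three filled slots
    return build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_ICMP, b"\x00" * 8, options=bytes(opt))


def sample_time_exceeded():
    """Constructed Time Exceeded from 10.0.2.1 quoting a TCP probe to port 22
    whose destination a NAT rewrote from 198.51.100.5 to 172.16.0.7."""
    quoted_tcp = struct.pack("!HH", 40000, 22) + b"\x00" * 4  # first 8 bytes of TCP header
    inner = build_ipv4("192.0.2.10", "172.16.0.7", IPPROTO_TCP, quoted_tcp, ttl=1)
    return build_ipv4("10.0.2.1", "192.0.2.10", IPPROTO_ICMP,
                      struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner)


if __name__ == "__main__":
    print("RR hops:", recorded_route(sample_rr_reply()))
    print("0trace:", zerotrace_report(sample_time_exceeded(), "198.51.100.5"))
```

The length and pointer checks in parse_rr_option and parse_ip_options are the part worth keeping when you adapt this to live captures: a pointer that runs past the option length, or an option length that runs past the header, is exactly the malformed input a packet parser exposed to the network has to reject rather than index into.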

