Nmap Development mailing list archives
Re: [RFC] path-mtu.nse, host.interface_mtu, etc.
From: David Fifield <david () bamsoftware com>
Date: Wed, 4 Aug 2010 16:33:51 -0600
On Mon, Aug 02, 2010 at 04:24:22AM -0500, Kris Katterjohn wrote:
Soon after fixing the fragmentation options[1], I started playing around and ended up with the attached patch and NSE script. The script's description sums it up pretty well, so here it is: 'Performs simple Path MTU Discovery to the target host. TCP or UDP packets are sent to the host with the DF (don't fragment) bit set and with varying amounts of data. If an ICMP Fragmentation Needed is received, or no reply is received after retransmissions, the amount of data is lowered and another packet is sent. This continues until (assuming no errors occur) a reply from the final host is received, indicating the packet reached the host without being fragmented. Not all MTUs are attempted so as to not expend too much time or network resources. Currently the relatively short list of MTUs to try contains the plateau values from Table 7-1 in RFC 1191, "Path MTU Discovery". Using these values significantly cuts down the MTU search space. On top of that, this list is rarely traversed in whole because: * the MTU of the outgoing interface is used as a starting point, and * we can jump down the list when an intermediate router sending a "can't fragment" message includes its next hop MTU (as described in RFC 1191 and required by RFC 1812)' So now when Nmap enumerates the available interfaces, it'll also store the MTU as retrieved via SIOCGIFMTU or libdnet. NSE scripts can obtain the MTU value as host.interface_mtu, which corresponds to host.interface. This could be useful for future raw IP scripts, or if other link layers are supported like Ethernet currently is. The MTU is also printed in --iflist output: DEV (SHORT) IP/MASK TYPE UP MTU MAC lo (lo) 127.0.0.1/8 loopback up 33578 eth0 (eth0) 192.168.10.6/24 ethernet up 1500 00:0C:76:7D:90:33 sl0 (sl0) 192.168.1.1/32 point2point up 296 I've all ready committed the following related changes which aid the path-mtu script (and potentially any future NSE script utilizing raw IP) but also make sense otherwise: [r19378] Sendto() doesn't retry sending if errno is EMSGSIZE: sleeping for a few seconds won't shorten the packet. [r19379] IP packets are no longer fragmented if the DF bit is set, even if o.fragscan is set. If a packet is built to explicitly avoid fragmentation, honor it. No packets currently built in Nmap appear to set this bit. The script and patch contain (IMO) separately useful additions which happen to be related and somewhat intertwined, so it makes the most sense submitted together. The patch is pretty simple anyway. I've tested this on Linux, NetBSD and Windows XP and all seems well. If there are no objections, I'll commit later this week.
This looks really nice. I always have trouble thinking of new ideas for scripts, but you have these incredibly creative ones. It would be nice if the discovery could use the best timing ping probe like traceroute does. The function pingprobe_score defines an ordering for which probes are "better" than others, and the best probe for each host is kept updated thoughout port scanning and host discovery. But this isn't trivial because NSE would have to know how to send all those specific types, and that information isn't available to NSE currently. I tested the --iflist output and this is what I saw. ************************INTERFACES************************ DEV (SHORT) IP/MASK TYPE UP MTU MAC lo (lo) 127.0.0.1/8 loopback up 16436 eth0 (eth0) 192.168.0.21/24 ethernet up 1500 00:50:BF:16:11:61 The script isn't working for me with SYN probes. I'm not sure what's wrong but tcpdump doesn't show any replies. NSE: Starting path-mtu against 64.13.134.52. Packet Tracing enabled. SENT (3.3080s) TCP 192.168.0.21:51543 > 64.13.134.52:22 S ttl=128 id=0 iplen=1500 seq=1714636915 win=3072 <mss 1460> SENT (6.3140s) TCP 192.168.0.21:59836 > 64.13.134.52:22 S ttl=128 id=0 iplen=1492 seq=424238336 win=3072 <mss 1460> SENT (9.3090s) TCP 192.168.0.21:59836 > 64.13.134.52:22 S ttl=128 id=0 iplen=1492 seq=424238336 win=3072 <mss 1460> SENT (12.3140s) TCP 192.168.0.21:22650 > 64.13.134.52:22 S ttl=128 id=0 iplen=1006 seq=1649760492 win=3072 <mss 1460> SENT (15.3110s) TCP 192.168.0.21:22650 > 64.13.134.52:22 S ttl=128 id=0 iplen=1006 seq=1649760492 win=3072 <mss 1460> SENT (18.3130s) TCP 192.168.0.21:18944 > 64.13.134.52:22 S ttl=128 id=0 iplen=508 seq=1189641421 win=3072 <mss 1460> SENT (21.3120s) TCP 192.168.0.21:18944 > 64.13.134.52:22 S ttl=128 id=0 iplen=508 seq=1189641421 win=3072 <mss 1460> SENT (24.3140s) TCP 192.168.0.21:31822 > 64.13.134.52:22 S ttl=128 id=0 iplen=296 seq=1350490028 win=3072 <mss 1460> SENT (27.3140s) TCP 192.168.0.21:31822 > 64.13.134.52:22 S ttl=128 id=0 iplen=296 seq=1350490028 win=3072 <mss 1460> SENT (30.3150s) TCP 192.168.0.21:24557 > 64.13.134.52:22 S ttl=128 id=0 iplen=68 seq=1102520059 win=3072 <mss 1460> NSE Timing: About 0.00% done SENT (33.3140s) TCP 192.168.0.21:24557 > 64.13.134.52:22 S ttl=128 id=0 iplen=68 seq=1102520059 win=3072 <mss 1460> NSE: Finished path-mtu against 64.13.134.52. Completed NSE at 16:24, 34.38s elapsed Nmap scan report for scanme.nmap.org (64.13.134.52) Host is up, received user-set (0.067s latency). Scanned at 2010-08-04 16:24:07 MDT for 36s PORT STATE SERVICE REASON 21/tcp filtered ftp no-response 22/tcp open ssh syn-ack 23/tcp filtered telnet no-response 25/tcp closed smtp reset 80/tcp open http syn-ack 110/tcp filtered pop3 no-response 139/tcp filtered netbios-ssn no-response 443/tcp filtered https no-response 445/tcp filtered microsoft-ds no-response 3389/tcp filtered ms-term-serv no-response Host script results: |_path-mtu: Error: Unable to determine PMTU (no replies) Final times for host: srtt: 66760 rttvar: 28451 to: 180564 The packets that path-mtu are sending look like 16:30:14.594363 IP (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.0.21.51543 > 64.13.134.52.22: Flags [S], seq 1714636915:1714638371, win 3072, options [mss 1460], length 1456 Similar packets sent by Nping get a response. # nping --tcp -p 22 64.13.134.52 --df 16:32:38.135869 IP (tos 0x0, ttl 64, id 33435, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.21.57093 > 64.13.134.52.22: Flags [S], cksum 0x78f4 (correct), seq 2445687109, win 1480, length 0 16:32:38.202608 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 44) 64.13.134.52.22 > 192.168.0.21.57093: Flags [S.], cksum 0x4e5e (correct), seq 33882044, ack 2445687110, win 5840, options [mss 1460], length 0 16:32:38.202700 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.21.57093 > 64.13.134.52.22: Flags [R], cksum 0x7eb9 (correct), seq 2445687110, win 0, length 0 David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [RFC] path-mtu.nse, host.interface_mtu, etc. Kris Katterjohn (Aug 02)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. David Fifield (Aug 04)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. Kris Katterjohn (Aug 04)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. Kris Katterjohn (Aug 21)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. David Fifield (Aug 23)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. Kris Katterjohn (Aug 23)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. Kris Katterjohn (Aug 04)
- Re: [RFC] path-mtu.nse, host.interface_mtu, etc. David Fifield (Aug 04)