Nmap Development mailing list archives
Re: [PATCH] TCP Idle Scan in IPv6
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 03 Jun 2013 11:59:52 -0500
On 06/03/2013 10:59 AM, Mathias Morbitzer wrote:
Good work! I will test it out during the week and get back to you with the results.Hi everybody, I managed to port the TCP Idle Scan to IPv6! My masterthesis as well as a shorter paper on the details will come soon, but meanwhile let me sum up the details here: In IPv6, we don't have an IPID in the header. But, there is an extension header for fragmentation, which provides an IPID. So, all we need to do is forcing the idle host to append this extension header for fragmentation each time he is sending a packet. RFC 1981 says if an ICMPv6 Packet Too Big message is received, and an MTU smaller than the IPv6 minimum MTU is announced within, the receiving host should simply append a fragmentation header to each IPv6 packet on the path. So we can achieve the TCP Idle Scan in IPv6 by first sending a ping with a lot of data to the idle host. When the idle host replies, we tell it in an ICMPv6 packet Too Big message that the reply is to huge, we only support a maximum MTU of less than 1280 bytes, which is the IPv6 minimum MTU. From now on, all IPv6 packets being sent from the idle host to us will have an extension header for fragmentation, which contains an IPID. Now we execute the same step for the path from the idle host to the target. We spoof a ping from the target to the idle host, and after the idle host sent the answer, we send an ICMPv6 packet Too Big message that the MTU of the target is smaller than 1280 bytes, so from now on the idle host will also append the fragmentation header there. Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4 - just that the IPID is not directly in the IPv6 header, but in the extension header for fragmentation. Additional cool stuff: Compared to IPv4, the IPID is not used (and incremented) for every IPv6 packet sent, but only for those which use the extension header for fragmentation. This means that our idle host actually does not need to be idle, it just shouldn't send fragmented packages! I hope my explanation is not too short and understandable :) However, to show that it really works, I also tried to implement the scan in Nmap. To do so, I hacked idle_scan.cc, and used most of the stuff which was already there. What I had to add was the sending of the pings and the ICMPv6 packet too big messages for the initialization, and I changed the parts where the IPID is accessed, so that it works for IPv4 and IPv6. The usage is the same as using the scan in IPv4: -sI <idlehost:probeport> for the idlescan, plus add the -6 switch for IPv6. I tested my patch with Windows 7 Ultimate, and Linux 3.8 (but there is does not work, the IPIDs are on a per-host-base). The patch is not perfect yet. There are still some things which need to be improved, but I wanted to get a first feedback to know if i can continue working on it this way. Also, my C/C++ knowledge is not the best, so let me know if I made bigger mistakes. Cheers, Moe PS: I'm on a conference from Wednesday to Friday, so I won't be able to read my mails._______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Re: [Paper] New Idle Scan Techniques Mathias Morbitzer (May 27)
- Re: Re: [Paper] New Idle Scan Techniques David Fifield (May 27)
- Re: [Paper] New Idle Scan Techniques Mathias Morbitzer (May 28)
- [PATCH] TCP Idle Scan in IPv6 Mathias Morbitzer (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 Paulino Calderon (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 Luis MartinGarcia (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 Mathias Morbitzer (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 David Fifield (Jun 29)
- Re: [PATCH] TCP Idle Scan in IPv6 David Fifield (Jun 29)
- Re: Re: [Paper] New Idle Scan Techniques David Fifield (May 27)