Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [nmap-svn] r21941 - nmap/todo
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Mon, 24 Jan 2011 17:35:24 +0100

On 01/22/2011 05:58 PM, David wrote:
On Sat, Jan 22, 2011 at 01:16:17PM +0100, Luis MartinGarcia wrote:
On Fri, Jan 21, 2011 at 10:58 PM,  <commit-mailer () insecure org> wrote:
Author: david
Date: Fri Jan 21 13:58:55 2011
New Revision: 21941

o [Nping] See whether --echo-client mode really requires root, and
 remove that restriction if not.

Hi David,

Nping does need root access for echo mode (for both client and server
roles). This is because the protocol requires the client to provide
the server with details about the packets that are going to be
transmitted. When Nping is run in unprivileged mode, most of that
information cannot be accessed as it is the OS who crafts network
layer and transport layer headers.

If you need a more elaborate answer, please let me know.
What kind of information? What is the client unable to provide with, for
      nping --echo-client "public" --tcp-connect server
What phase of the connection does it send this information in?

Hi David,

The Nping echo server provides support for multiple concurrent users.
Therefore, it needs to be able to determine, for every packet that is
captured, which user it belongs to. Note that the source IP address is
not enough since the echo service may be used by multiple users behind
the same NAT or by a single users running multiple instances of the
client. For this reason, the server has what I call the "packet matching
engine". The way this works is the following:

1. The client connects to the server.

2. During the session establishment, the client sends all the
information it has about the packets that it is about to send (this
includes IP id, tos, TCP seq, ack, win, flags, ports...). The
information is transmitted in the NEP_PACKET_SPEC message.

3. The server receives the specs and stores them in its list of
currently connected clients.

4. Every time a packet is captured, the server attempts to match the
packet against the list of client specs. Since some of the fields may
change in transit, the matching is done using a "scoring" system. For
every field that matches, a client receives a number of points. At the
end, the client that has the higher score, gets the "echoed packet"
(providing it has exceeded a minimum score).

This mechanism achieves the following:

* If the server receives packets that have nothing to do with the echo
mode, those packets will not reach the minimum score, and therefore,
they won't get echoed to any echo user. This means that a malicious user
cannot use the echo server to steal server's traffic (this is very
important in terms of security).

* A single user can run multiple instances of the Nping echo client, and
the server manages to differentiate all packets and deliver them to the
appropriate process.

* Multiple users using the same NAT can also use the service successfully.

* It works when you want to test if packets with a spoofed IP address
reach the server.

* It tolerates a certain amount of field value modifications performed
by middleboxes.

So, why does the echo client require root access? Because it needs to
know the IP IDs, windows sizes, seq and ack numbers, etc. Otherwise, the
server would not have enough information for the the packet matching
engine. It is true that we could relax these constraints but I don't
think its worth it, as it would reduce the security of the system and
limit the server's multi-user capabilities.


Luis MartinGarcia.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]