Home page logo

nmap-dev logo Nmap Development mailing list archives

Using Teredo to overcome lack of raw socket privileges
From: Kasper Dupont <kasperd () nsphf 23 may 2012 kasperd net>
Date: Wed, 23 May 2012 21:58:02 +0200

I did a grep through the nmap-6.00 and no such feature seems
to exist so far. And I tried to search the mailing-list
archives, and I found no indication that it has been
considered before, so I'd like to ask what people think of
this idea.

Usually in order to make use of all the features in nmap,
you need to have raw socket privileges. Without it, you are
limited in what you can do. But with IPv6 there is another
option, which I think is worth considering.

The Teredo protocol was originally designed to tunnel IPv6
through IPv4 NAT gateways. It does that by tunnelling all
IPv6 packets through UDP. However since using a UDP port
does not require raw socket privileges, nmap could take
advantage of it as well.

Running a Teredo client and nmap on the same host requires
privileges for both, but the privileges in that case is only
required for the communication between the Teredo client and
nmap running on the same machine. If a Teredo client was
built into nmap, the need for privileges would be reduced to
just being able to make use of a single UDPv4 port.

Obviously the feature does have certain limitations. You are
no longer on the same network segment as the target host, so
any features that require you to be on the same segment will
no longer work. However I guess most of those features would
have required administrator privileges to begin with.
Additionally you have a reduced MTU, and may also be
affected by the reliability of Teredo (or rather lack

But in cases where you are already on a different network
segment from the target and don't have raw socket
privileges, I think such a feature would often be useful.

So my questions are. Did anybody already give it a try? And
would such a feature be welcome in the nmap mainline?

(It seems my previous attempt at posting this message got
lost due to me accidentally sending it from a different
address than the one I subscribed to the list with.)

Kasper Dupont -- Rigtige m├Žnd skriver deres egne backupprogrammer
#define _(_)"d.%.4s%."_"2s" /* This is my email address */
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]