Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Using Teredo to overcome lack of raw socket privileges
From: David Fifield <david () bamsoftware com>
Date: Wed, 20 Jun 2012 18:21:08 -0700

On Wed, May 23, 2012 at 08:57:36PM +0200, Kasper Dupont wrote:
I did a grep through the nmap-6.00 and no such feature seems
to exist so far. And I tried to search the mailing-list
archives, and I found no indication that it has been
considered before, so I'd like to ask what people think of
this idea.

Usually in order to make use of all the features in nmap,
you need to have raw socket privileges. Without it, you are
limited in what you can do. But with IPv6 there is another
option, which I think is worth considering.

The Teredo protocol was originally designed to tunnel IPv6
through IPv4 NAT gateways. It does that by tunnelling all
IPv6 packets through UDP. However since using a UDP port
does not require raw socket privileges, nmap could take
advantage of it as well.

Running a Teredo client and nmap on the same host requires
privileges for both, but the privileges in that case is only
required for the communication between the Teredo client and
nmap running on the same machine. If a Teredo client was
built into nmap, the need for privileges would be reduced to
just being able to make use of a single UDPv4 port.

Obviously the feature does have certain limitations. You are
no longer on the same network segment as the target host, so
any features that require you to be on the same segment will
no longer work. However I guess most of those features would
have required administrator privileges to begin with.
Additionally you have a reduced MTU, and may also be
affected by the reliability of Teredo (or rather lack

But in cases where you are already on a different network
segment from the target and don't have raw socket
privileges, I think such a feature would often be useful.

So my questions are. Did anybody already give it a try? And
would such a feature be welcome in the nmap mainline?

This is an intriguing idea. Nobody has yet proposed it as far as I know.
I can envision difficulties in implementation, but I'd be interested in
seeing a patch. See the function send_ipv6_packet_eth_or_sd in tcpip.cc
for the currently supported ways of sending raw IPv6 packets.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]