Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Re: [Paper] New Idle Scan Techniques
From: Mathias Morbitzer <m.morbitzer () student ru nl>
Date: Mon, 27 May 2013 11:24:55 +0200 (CEST)


My name is Moe, I'm currently working on my thesis to finish my studies in computing security.
In my work, I analyzed if the TCP Idle Scan can be ported from IPv4 to IPv6. To tell you the answer: With some 
modifications, yes, it can! 

An article and my final thesis with the details are planned to be published in summer/fall. 

But enough of the advertisement. After creating a proof of concept with scapy, I would like to implement the TCP Idle 
Scan in IPv6 in Nmap, but I have a hard time on deciding which implementation method to choose: Implementing it 
directly in the Nmap-core or creating a lua-script. 
For me, the more logical would be the core, but then I found this post from Henri in which he patched Nmap so that he 
can create the RST rate limit scan with NSE. (Which is somehow similar to the TCP Idle Scan in IPv6) 

Now, my question is: Which way of implementing my scan would you recommend?  


2011/4/21 Fyodor <fyodor () insecure org>:

   David just sent me a link to a research paper which discloses a couple
   novel port scanning techinques which are related to the Nmap idle scan
   (-sI) in that they are side channel attacks which don't require
   sending packets to the target from your real IP address.  One of the
   techniques is based on TCP RST rate limiting and the other uses SYN
   cache behavior.  Here is the paper:



This paper is really cool!

I gave a try at implementing the first technique (TCP RST rate
limiting) within NSE.

I have patched NSE to do so, adding a "scanrule" and a -sK option to
enable script port scanning. This patch eases the development of
prototypes to evaluate such new scanning techniques and could also be
interesting to develop port scanning modules relying upon application
layers. Such modules could leverage the NSE libraries for the
corresponding protocols (scanner-ftp-bounce.nse would be nice, instead
of having it in the core for instance).

Both the script and the patch are just PoC but I would be glad to
improve them if someone like the idea. Feedback welcome!


Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]