Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [PATCH] TCP Idle Scan in IPv6
From: Mathias Morbitzer <m.morbitzer () student ru nl>
Date: Mon, 3 Jun 2013 22:04:06 +0200 (CEST)

Thanks for the feedback.

I'm aware of the draft RFC. Since a few weeks, its actually not a draft anymore:
https://tools.ietf.org/html/rfc6946

However, it is for sure that this draft helped me developing the idea. On Thursday, I'm hoping to meet Fernando in 
person to discuss each others work. 

I also did some additional research on which hosts assign their IPID in IPv6 randomly/incrementaly, a screenshot of the 
results is attached. (Can't access them differently right now)


Looking forward to hear from your experiences. Next week I will have time again, then I would like to improve the bits 
in my code which are not very nice yet. 


Cheers,
Mathias

----- Original Message -----
From: "Luis MartinGarcia" <luis.mgarc () gmail com>
To: "Mathias Morbitzer" <m.morbitzer () student ru nl>
Cc: dev () nmap org
Sent: Monday, 3 June, 2013 7:19:04 PM
Subject: Re: [PATCH] TCP Idle Scan in IPv6
Hi Mathias,

I haven't tested your patch, but if what you describe is true, it
looks
like an interesting discovery, congratulations!

You might be aware of it already, but just in case you are not,
Fernando
Gont just published a draft RFC on the security implications of
predictable
fragment fields in IPv6. You may find it interesting.

http://tools.ietf.org/id/draft-ietf-6man-predictable-fragment-id-00.txt

Regards,

Luis MartinGarcia.


On Mon, Jun 3, 2013 at 5:59 PM, Mathias Morbitzer
<m.morbitzer () student ru nl
wrote:

Hi everybody,

I managed to port the TCP Idle Scan to IPv6!

My masterthesis as well as a shorter paper on the details will come
soon,
but meanwhile let me sum up the details here:

In IPv6, we don't have an IPID in the header. But, there is an
extension
header for fragmentation, which provides an IPID. So, all we need to
do is
forcing the idle host to append this extension header for
fragmentation
each time he is sending a packet.

RFC 1981 says if an ICMPv6 Packet Too Big message is received, and
an MTU
smaller than the IPv6 minimum MTU is announced within, the receiving
host
should simply append a fragmentation header to each IPv6 packet on
the path.

So we can achieve the TCP Idle Scan in IPv6 by first sending a ping
with a
lot of data to the idle host. When the idle host replies, we tell it
in an
ICMPv6 packet Too Big message that the reply is to huge, we only
support a
maximum MTU of less than 1280 bytes, which is the IPv6 minimum MTU.
From
now on, all IPv6 packets being sent from the idle host to us will
have an
extension header for fragmentation, which contains an IPID.

Now we execute the same step for the path from the idle host to the
target. We spoof a ping from the target to the idle host, and after
the
idle host sent the answer, we send an ICMPv6 packet Too Big message
that
the MTU of the target is smaller than 1280 bytes, so from now on the
idle
host will also append the fragmentation header there.

Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4
- just
that the IPID is not directly in the IPv6 header, but in the
extension
header for fragmentation.

Additional cool stuff: Compared to IPv4, the IPID is not used (and
incremented) for every IPv6 packet sent, but only for those which
use the
extension header for fragmentation. This means that our idle host
actually
does not need to be idle, it just shouldn't send fragmented
packages!


I hope my explanation is not too short and understandable :)


However, to show that it really works, I also tried to implement the
scan
in Nmap. To do so, I hacked idle_scan.cc, and used most of the stuff
which
was already there. What I had to add was the sending of the pings
and the
ICMPv6 packet too big messages for the initialization, and I changed
the
parts where the IPID is accessed, so that it works for IPv4 and
IPv6.

The usage is the same as using the scan in IPv4: -sI
<idlehost:probeport>
for the idlescan, plus add the -6 switch for IPv6.

I tested my patch with Windows 7 Ultimate, and Linux 3.8 (but there
is
does not work, the IPIDs are on a per-host-base).

The patch is not perfect yet. There are still some things which need
to be
improved, but I wanted to get a first feedback to know if i can
continue
working on it this way. Also, my C/C++ knowledge is not the best, so
let me
know if I made bigger mistakes.


Cheers,
Moe


PS: I'm on a conference from Wednesday to Friday, so I won't be able
to
read my mails.







_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]