Nmap Development mailing list archives

Re: Report Bug: IPID_SEQ_RD
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 15 Mar 2014 07:37:01 -0500

Lior,

Thanks for this great bug report. I confirmed the behavior: that every host
was being reported as having an IPID sequence of all-zeros. I patched
osscan2.cc in r32783, which should fix the problem:


Fix IPID sequence detection in the case of Random

Reported by Lior Levinsky. As part of r32469, which added IPv6 IPID
sequence detection, the logic to detect all-zero IPID sequences was
split. get_diffs was returning IPID_SEQ_UNKNOWN, IPID_SEQ_RD, or
1 for all-zeros, but the get_ipid_sequence_* functions were treating
every non-zero return value as indicating all-zeros, which meant that
IPID sequence detection was broken.


Please let us know if you run into any more problems!

Dan



On Fri, Mar 14, 2014 at 6:51 AM, Lior Levinsky
<levinskylior () googlemail com> wrote:

The function get_diffs normally returns whether all of the IP IDs were zero (0 -
one or more ip->ip_id != 0  /  1 - all of the ip->ip_id == 0),
but there are 2 special cases:
1. If numSamples < 2 then return IPID_SEQ_UNKNOWN (0)
2. If numSamples > 2 && one of the diffs gt 20000 then return IPID_SEQ_RD (4)

And the return value of this function get_diffs (allipideqz)
is used in the functions get_ipid_sequence_32 / get_ipid_sequence_16
as a parameter to the function identify_sequence.

And this function identify_sequence, if allipideqz != 0, returns IPID_SEQ_ZERO.

This means (if I am not missing something) that in case get_diffs returns
IPID_SEQ_RD
we will define the class as IPID_SEQ_ZERO and not IPID_SEQ_RD.

About IPID_SEQ_UNKNOWN, which is zero, while the value zero also
means one of the ip_id is not zero: I am not sure of the full meaning.

Am I missing something?

Here is a cut&paste of the code:

int get_diffs(u32 *ipid_diffs, int numSamples, u32 *ipids, int islocalhost)
{
  int i;
  int allipideqz = 1;

  if (numSamples < 2)
    return IPID_SEQ_UNKNOWN;

  for (i = 1; i < numSamples; i++) {
    if (ipids[i - 1] != 0 || ipids[i] != 0)
      allipideqz = 0; /* All IP.ID values do *NOT* equal zero */

    ipid_diffs[i - 1] = ipids[i] - ipids[i - 1];

    /* Random */
    if (numSamples > 2 && ipid_diffs[i - 1] > 20000)
      return IPID_SEQ_RD;
  }

  return allipideqz;

}

/* Identify the ipid sequence for 32-bit IPID values (IPv6) */
int get_ipid_sequence_32(int numSamples, u32 *ipids, int islocalhost) {
  int allipideqz=1;
  u32 ipid_diffs[32];
  assert(numSamples < (int) (sizeof(ipid_diffs) / 2));
  allipideqz = get_diffs(ipid_diffs, numSamples, ipids, islocalhost);
  return identify_sequence(numSamples, ipid_diffs, islocalhost, allipideqz);
}

/* Identify the ipid sequence for 16-bit IPID values (IPv4) */
int get_ipid_sequence_16(int numSamples, u32 *ipids, int islocalhost) {
  int i;
  int allipideqz=1;
  u32 ipid_diffs[32];
  assert(numSamples < (int) (sizeof(ipid_diffs) / 2));
  allipideqz = get_diffs(ipid_diffs, numSamples, ipids, islocalhost);
  /* AND with 0xffff so that in case the 16 bit counter was
   * flipped over we still have a continuous sequence */
  for (i = 0; i < numSamples; i++) {
    ipid_diffs[i] = ipid_diffs[i] & 0xffff;
  }
  return identify_sequence(numSamples, ipid_diffs, islocalhost, allipideqz);
}

int identify_sequence(int numSamples, u32 *ipid_diffs, int islocalhost, int allipideqz) {
  int i, j, k, l;

  /* ZERO */
  if (allipideqz)
    return IPID_SEQ_ZERO;
....
}


--
Best Regards,

Lior Levinsky - Software & Consulting Services
Mobile   : +972-50-7370190
email     : levinskylior () gmail com
Address :  P.O. 647 Rishon-Letzion , Israel 75106
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
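
The return-value mix-up described in this thread, as an added example that is not the Nmap source or the r32783 patch: classify_overloaded reproduces the reported pattern, and classify_split shows one way to keep the status code and the all-zeros flag apart. The function names, SEQ_ZERO, SEQ_OTHER and the sample values are assumptions made for this example.

```c
#include <stdint.h>

/* UNKNOWN and RD use the values quoted in the report; ZERO and OTHER are
 * values assumed for this example (OTHER stands in for later classes). */
enum { SEQ_UNKNOWN = 0, SEQ_RD = 4, SEQ_ZERO = 6, SEQ_OTHER = 100 };

/* Reported pattern: one int is either a status code or the all-zeros flag. */
static int diffs_overloaded(uint32_t *diffs, int n, const uint32_t *ipids) {
  int allzero = 1;
  if (n < 2) return SEQ_UNKNOWN;
  for (int i = 1; i < n; i++) {
    if (ipids[i - 1] != 0 || ipids[i] != 0) allzero = 0;
    diffs[i - 1] = ipids[i] - ipids[i - 1];
    if (n > 2 && diffs[i - 1] > 20000) return SEQ_RD;
  }
  return allzero;
}

/* Reported caller: any non-zero return is read as "all IPIDs are zero". */
int classify_overloaded(int n, const uint32_t *ipids) {
  uint32_t diffs[32];
  if (n > 32) return SEQ_UNKNOWN;
  return diffs_overloaded(diffs, n, ipids) ? SEQ_ZERO : SEQ_OTHER;
}

/* Separated form: status in the return value (-1 = no early verdict),
 * all-zeros flag in an out-parameter, so the two cannot be confused. */
static int diffs_split(uint32_t *diffs, int n, const uint32_t *ipids, int *allzero) {
  *allzero = 1;
  if (n < 2) return SEQ_UNKNOWN;
  for (int i = 1; i < n; i++) {
    if (ipids[i - 1] != 0 || ipids[i] != 0) *allzero = 0;
    diffs[i - 1] = ipids[i] - ipids[i - 1];
    if (n > 2 && diffs[i - 1] > 20000) return SEQ_RD;
  }
  return -1;
}

int classify_split(int n, const uint32_t *ipids) {
  uint32_t diffs[32];
  int allzero;
  if (n > 32) return SEQ_UNKNOWN;
  int early = diffs_split(diffs, n, ipids, &allzero);
  if (early >= 0) return early;
  return allzero ? SEQ_ZERO : SEQ_OTHER;
}

/* Constructed samples: widely scattered IPIDs, and an all-zero run. */
static const uint32_t SAMPLE_RANDOM[] = {100, 40000, 5, 61000};
static const uint32_t SAMPLE_ZERO[] = {0, 0, 0};
```

With SAMPLE_RANDOM the overloaded caller reports the all-zeros class because the returned 4 is truthy, while the separated form reports the random class.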
