Nmap Development mailing list archives
Re: Fragmentation scan
From: Andy Lutomirski <luto () myrealbox com>
Date: Wed, 06 Oct 2004 17:32:51 -0700
Fyodor wrote:
> Recent (maybe 2.4+ -- anyone know exactly when it started?) Linux kernels seem to defragment the packets Nmap sends before sticking them on the wire :(. Sadly, raw sockets just don't seem to give Nmap the level of control it needs on many platforms (Solaris has issues with adding the don't fragment bit, and Windows SP2 cripples the whole interface). For this reason, and due to a desire for cool local network host enumeration techniques such as ARP scan, I think I want to move Nmap to writing raw ethernet frames in preference to raw sockets when dealing with ethernet-compatible devices (includes 802.11 wireless devices). That should resolve many of these problems, hopefully without adding a bunch of its own. I haven't researched the best way to move forward yet -- maybe libdnet, maybe write my own library. It needs to work well on Windows, since that is the platform with the most pathetic raw sockets implementation.

How 'bout just borrowing code from pcapsend.c -- we're already doing this anyway, and the logic shouldn't be different between Windows and other OSes. The nasty part will be ARP. If you're willing to wrap all receive calls in something that can pick ARPs off the wire and to assure that nmap doesn't block except when receiving, then this can be solved nicely in one thread and our Windows problems get solved for free. Otherwise I'll code up an ARP receiver thread, hopefully in a non-Windows-specific manner, which I was planning to do anyway, and the whole mess could be transplanted into the core code.
FWIW, it could be handy to support MAC spoofing of scans. I would have had a good white-hat use for that a couple days ago. An interesting black-hat use comes to mind as well, but I'll leave that to everyone's imagination.
So long as I'm asking, is STL allowed in the core yet? I was planning on using it in the Windows code (where STL is "always" present), but I'll avoid it in pcapsend if that might cause problems later.
--Andy

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org