Nmap Development mailing list archives

[updated patch] Re: fragment scan got broken between 3.50 and 3.75


From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 30 Dec 2004 18:28:14 +0100

On Wed, Dec 29, 2004 at 11:26:42PM +0100, Martin Mačok wrote:

The attached patch should bring fragmented scans back to life.
Review and test it, please. Does it work on Windows too? I have
tried it on Linux only.

Since I didn't like my previous code (it made a blind assumption over
the packet size which could be changed in future) I have updated the
patch so I can sleep better now.

This updated patch contains a universal packet fragmenter which could
be utilized to make even tinier (but still legal) fragments. Now, when
nmap is invoked with two or more "-f" (or "-ff"), it cuts the TCP
header after the 8th byte (so it takes 3 fragments to deliver a single TCP
probe). The old behaviour (a single "-f", cutting the data after the 16th
byte) has not changed.

Review and test it, please. I'm especially interested in testing it on
systems other than Linux 2.4 (use tcpdump to see the fragments). By
the way, do you get different results when using "-f" and "-ff"
against some systems or through some firewalls?

P.S. Make sure you have NOT loaded the ip_conntrack module when trying
fragments on Linux, since it reassembles them before they leave the
box (maybe it should be mentioned in the manpage too).

P.S.2 Fyodor, do you maintain the manpage in some source code format
or should I be patching nmap.1 file directly?

Martin Mačok
IT Security Consultant

Attachment: nmap-3.78-fragment.patch
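To make the fragment-size arithmetic in this message concrete, here is an added Python model (not code from the patch or from nmap) of an IP-layer fragmenter and the kind of reassembler that ip_conntrack runs. The 20-byte TCP SYN header is constructed inline; the 16-byte and 8-byte cuts correspond to "-f" and "-ff" as described above, and the 8-byte granularity is the RFC 791 fragment-offset unit.

```python
# Added example (not part of the nmap patch): models how an IP-layer
# fragmenter splits one TCP probe into legal fragments, and how a
# stateful reassembler (ip_conntrack, a firewall) puts them back together.
import struct

def fragment(payload: bytes, frag_size: int):
    """Split the IP payload (here a TCP header) into
    (offset_in_8_byte_units, more_fragments, chunk) tuples.
    Every fragment except the last must be a multiple of 8 bytes,
    because the IP fragment offset field counts 8-byte units (RFC 791)."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for pos in range(0, len(payload), frag_size):
        chunk = payload[pos:pos + frag_size]
        more = pos + frag_size < len(payload)   # MF flag
        frags.append((pos // 8, more, chunk))
    return frags

def reassemble(frags):
    """Reassemble fragments in any arrival order.  Returns None while a
    fragment is still missing, which is exactly why a reassembling hop
    (ip_conntrack) turns a fragmented probe back into one datagram."""
    data, expect, last_seen = b"", 0, False
    for off, more, chunk in sorted(frags, key=lambda f: f[0]):
        if off * 8 != expect:
            return None                    # hole: a fragment is missing
        data += chunk
        expect += len(chunk)
        last_seen = not more
    return data if last_seen else None

# Constructed sample: a minimal 20-byte TCP header for a SYN probe
# (src port 40000, dst port 80, seq 1, ack 0, data offset 5, SYN flag,
# window 1024, checksum 0, urgent pointer 0).
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)

def fragment_counts():
    """Fragments per probe for a "-f" (16-byte) and a "-ff" (8-byte) cut."""
    return len(fragment(TCP_SYN, 16)), len(fragment(TCP_SYN, 8))

if __name__ == "__main__":
    for size in (16, 8):
        print(f"fragment size {size}:")
        for off, more, chunk in fragment(TCP_SYN, size):
            print(f"  offset={off * 8:2d} MF={int(more)} len={len(chunk)}")
    print("reassembled ok:", reassemble(fragment(TCP_SYN, 8)) == TCP_SYN)
```

Running it shows 2 fragments for the 16-byte cut and 3 for the 8-byte cut, and that the reassembler only emits the datagram once every fragment has arrived.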
