Nmap Development mailing list archives
[patch] *alpha* ip options support for nmap
From: majek04 <nmap () forest one pl>
Date: Fri, 23 Jun 2006 02:14:27 +0200
Hi guys,

I created an option for nmap that adds alpha support for sending packets with some IP options set.

http://ai.pjwstk.edu.pl/~majek/private/nmap/nmap-4.10-ipopts.diff

If you don't know what IP options are, you could read RFC 791, pages 16-23. The most common IP options are:

  Record Route
  Loose Source Route
  Strict Source Route
  Internet Timestamp

** Why can Record Route be useful?

It can be treated as a lightweight version of traceroute, because it sends only one packet; but it has only 9 slots for hops that can be recorded. A record route packet can also be created using 'ping -R', but ping gives only 8 cells for next hops, and nmap can give 9 :) (normal ping fills the first slot with the local machine's IP).

The second advantage is that nmap can send a packet with RR to some UDP/TCP port (normal ping sends only ICMP packets), so it's possible to gather information about hosts that have ICMP blocked.

Explanation stolen from hping3:

"Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option. Also note that using hping you are able to use record route even if target host filter ICMP. Record route is an IP option, not an ICMP option, so you can use record route option even in TCP and UDP mode."

Example:

# ./nmap --ip-options "\x01\x07\x27\x04\x00*36" -P0 -sS -p80 somehost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:46
Got ip options: RR{ [bad ptr=40] 172.20.1.2 148.81.175.158 148.81.255.218 195.187.244.193 195.85.195.19 212.76.35.110 <2 hops censored>} EOL
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

** Why can Strict/Loose Source Route be useful?

"Source Routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network." It can be very useful. Believe me :) Nowadays it's disabled by almost every modern router. Windows can have problems with this option: MS06-032/CVE-2006-2379.

** Why can Timestamp be useful?

Well, you can get the time since midnight from up to 9 nearest hops. If you forget what time it is, this option seems to give you the answer. Okay, it also gives some other information. In my opinion, the information on how many timestamps were not recorded is very interesting. It can be read similarly to the TTL field: if an admin is changing the TTL value on his router, then from the IP timestamp you can read how many true hops there are to the target.

Basic example, just a timestamp request:

# ./nmap --ip-options "\x44\x24\x05\x00\x00*32" -P0 -sS -p80 somehost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:29
Got ip options: TM{ [bad ptr=37][11 hosts not recorded] -2122870674 85126786 84580589 84580602 84580597 84580598 84580664 84580663}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

Ouch, eleven hosts were not recorded, 8 hops were recorded.

More complicated example, timestamp and IP address:

# ./nmap --ip-options "\x44\x24\x05\x01\x00*32" -P0 -sS -p80 somehost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:34
Got ip options: TM{ [bad ptr=37][15 hosts not recorded] 10.0.1.2@-2122839231 172.20.1.1@85441233 148.81.255.218@84895027 195.187.244.193@84895039}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

The most complicated. We want to know what time it is on hops after 195.187.244.193 (yep, it's possible):

# ./nmap --ip-options "\x44\x24\x05\x03\195\187\244\193\x00*4\x00*24" -P0 -sS -p80 somehost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:38
Got ip options: TM{ [bad ptr=37][6 hosts not recorded] 195.187.244.193@85119712 0.0.0.0@85398836 0.0.0.0@85119643 0.0.0.0@85398837}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

Or an even more h4ckers way, using 127.0.0.1 :) :

# ./nmap --ip-options "\x44\x24\x05\x03\195\187\244\193\x00*4\127\0\0\1\x00*4\127\0\0\1\x00*4\127\0\0\1\x00*4" -P0 -sS -p80 somehost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:39
Got ip options: TM{ [bad ptr=37][6 hosts not recorded] 195.187.244.193@85154879 127.0.0.1@85434008 127.0.0.1@85154809 127.0.0.1@85434008}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

You can also try to guess the local IP of some router on the way. Let's try 192.168.0.1:

# ./nmap --ip-options "\x44\x24\x05\x03\192\168\0\1\x00*4\x00*24" -P0 -sS -p80 somehost

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-06-23 01:43
Got ip options: TM{ [bad ptr=37][6 hosts not recorded] 192.168.0.1@85665985 0.0.0.0@85386743 0.0.0.0@85386743 0.0.0.0@85665985}
Interesting ports on somehost:
PORT   STATE SERVICE
80/tcp open  http

Wow, someone responded for IP 192.168.0.1 :)

** Usage: parsing user input of --ip-options:

user input            | data sent in 'options' of ip packet
// \x?? is parsed as hexadecimal
"\xDE\xAD\xBE\xEF"    -> [0xDE,0xAD,0xBE,0xEF]
"\x01\x01\x01\x01"    -> [0x01,0x01,0x01,0x01]
"\x01*4"              -> [0x01,0x01,0x01,0x01]
// \??? is parsed as decimal
"\127*4"              -> [0x7F,0x7F,0x7F,0x7F]

** Warning #1: I changed the implementation of the core nmap functions build_tcp_raw, build_udp_raw and build_icmp_raw. I hope there aren't any bugs, but I can't guarantee anything. It's an alpha version :)

** Warning #2: Watch out when using tcpdump while playing with IP options. It sometimes has problems with counting proper TCP checksums, or it fails to recognize IP options properly.

** Warning #3: This patch is very basic. User output is very limited (IP options of a received packet are printed only just after receiving that packet; in the final version they should be printed in the normal output, probably per every port (or host?)).

** Warning #4: Some providers block packets with IP options set.

Marek Majkowski

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
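As an added example (not code from the patch or from nmap), the Python below parses the --ip-options string syntax described in the post and decodes the Record Route and Timestamp options of a returned IPv4 header using the RFC 791 layouts; it generalizes the post's output to any pointer and flag combination, and the sample reply bytes in it are constructed, not captured.

```python
# Added example, not the nmap patch's code: parse the post's --ip-options syntax and decode RR/TS options (RFC 791).
import re, struct
from ipaddress import IPv4Address
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{2})|\\(\d{1,3})|\*(\d+)')
# Constructed reply options (not from the post): NOP, then a Record Route with two hops filled in.
SAMPLE_RR_REPLY = bytes([1, 7, 39, 12, 10, 0, 0, 1, 192, 0, 2, 1]) + b"\x00" * 28

def parse_ip_options(spec):
    """\\x?? is a hex byte, \\??? a decimal byte, *N repeats the previous byte to N copies."""
    out, pos = bytearray(), 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError("unparsable text at offset %d" % pos)
        pos, (hx, dec, rep) = m.end(), m.groups()
        if rep is None:
            out.append(int(hx, 16) if hx is not None else int(dec))  # bytearray rejects > 255
        elif out:
            out.extend(out[-1:] * (int(rep) - 1))
        else:
            raise ValueError("'*' with nothing to repeat")
    if pos != len(spec) or len(out) > 40:     # an IPv4 header carries at most 40 option bytes
        raise ValueError("bad or oversized option string")
    return bytes(out)

def decode_ip_options(opts):
    """Walk the options field; returns (name, details) tuples, stopping at EOL (type 0)."""
    found, i, opts = [], 0, bytes(opts)
    while i < len(opts) and opts[i] != 0:
        t = opts[i]
        if t == 1:                            # NOP: one-byte pad
            found.append(("NOP", None)); i += 1; continue
        ln = opts[i + 1] if i + 1 < len(opts) else 0
        if ln < 2 or i + ln > len(opts):
            raise ValueError("option type %d has bad length %d" % (t, ln))
        body, i = opts[i:i + ln], i + ln
        if t not in (7, 0x44) or ln < (3 if t == 7 else 4):   # other or truncated: keep raw
            found.append(("type %d" % t, body[2:])); continue
        ptr, start = body[2], 3 if t == 7 else 4   # RR data follows ptr; TS has an oflw/flg byte
        info = {"full": ptr > ln}             # ptr past the end: buffer full (the post's "[bad ptr=N]")
        data = body[start:max(start + 1, min(ptr, ln + 1)) - 1]   # recorded octets only
        if t == 7:                            # Record Route: 4-byte address slots
            info["hops"] = [str(IPv4Address(data[j:j + 4])) for j in range(0, len(data) // 4 * 4, 4)]
            found.append(("RR", info))
        else:                                 # Timestamp: flg 0 = time only, 1/3 = address + time
            info["not_recorded"], step = body[3] >> 4, 4 if body[3] & 0xF == 0 else 8
            info["entries"] = [(str(IPv4Address(data[j:j + 4])) if step == 8 else None,
                                struct.unpack("!I", data[j + step - 4:j + step])[0])
                               for j in range(0, len(data) // step * step, step)]
            found.append(("TM", info))
    return found
```

The 'not_recorded' count is the overflow nibble the post reads like a TTL, and a timestamp with the high bit set (the negative values in the post's output) is what RFC 791 marks as non-standard time.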