Nmap Development mailing list archives
Re: Feature request, out-of order fragmentation
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Fri, 14 May 2010 12:05:00 +0200
Hi Sam,

Nmap does not currently implement this. However, I have a private version of Nping that implements the fragmentation attacks described in [1]. There are some problems with it though. First of all, it contains code that belongs to the tool "Fragrouter", written by Dug Song. The code is licensed under the BSD license, but I'll have to check with Fyodor if we can distribute it legally.

Another problem is that not all operating systems allow user applications to generate this kind of traffic. My tests show that when issuing 8-byte IP fragments, the first three fragments (those that contain the TCP header) are just dropped by the Linux kernel and never put on the wire. I guess there are ways to tune the kernel to allow this kind of thing, and other OSes, probably *BSD, allow it too. There doesn't seem to be any problem with 24-byte fragments (as the full TCP header fits in the first fragment), so that may work for you.

So, to sum up: I have code that does what you want, not for Nmap but for Nping. If you want to test it, I'd be glad to send you a copy of this "private" and unstable version of Nping. About Nmap, we'll have to wait for Fyodor's opinion on this.

Regards,
Luis MartinGarcia.

[1] Ptacek, T.H. and Newsham, T.N. (1998). "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection". Secure Networks, Inc. Available online: <http://cs.unc.edu/~fabian/course_papers/PtacekNewsham98.pdf>

On 05/14/2010 11:44 AM, Sam Lavitt wrote:
> I have recently found myself working with a commercial firewall and IDS that is unable to screen fragments that are delivered out-of-order when under load (normally it will store the fragments until the entire window arrives, but once it hits a preconfigured load percentage, default 0 (so always), it will forward all fragments as delivered after checking the individual fragment for payload). As a result, I'd like to see a feature for fragmentation and transmission of packets out of order with a slight delay to make it more likely for out-of-order delivery, leaving the host to reassemble them. This would effectively evade the product.
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
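The defensive point underneath this thread is what an inspecting device has to get right before it can judge a fragmented datagram: fragments may arrive in any order, the transport header may be spread across several tiny fragments (Luis's 8-byte versus 24-byte observation: a 20-byte TCP header spans three 8-byte fragments but fits in one 24-byte fragment), and overlapping fragments are ambiguous because hosts resolve them differently (the Ptacek and Newsham case cited above). The Python below is an added illustration, not code from Nmap, Nping or Fragrouter; the Fragment record, the split/reassemble helpers and the 32-byte sample segment are constructed for this example, and the reassembler goes a little beyond the thread by also reporting gaps and a missing first or last fragment.

```python
from dataclasses import dataclass

TCP_HEADER_MIN = 20  # TCP header length without options, in bytes


@dataclass(frozen=True)
class Fragment:
    """Simplified IPv4 fragment (constructed for this example, not a real packet).
    offset is in bytes; on the wire the field counts 8-byte units, so offsets
    here are always multiples of 8."""
    offset: int
    more: bool          # More Fragments (MF) flag
    payload: bytes


def split(segment, frag_size):
    """Cut a transport segment into IP fragments of frag_size payload bytes."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment payload size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(segment), frag_size):
        chunk = segment[off:off + frag_size]
        frags.append(Fragment(off, off + frag_size < len(segment), chunk))
    return frags


def header_fragment_count(frag_size, header_len=TCP_HEADER_MIN):
    """Number of leading fragments the transport header is spread over
    (ceiling division). 8-byte fragments -> 3, 24-byte fragments -> 1."""
    return -(-header_len // frag_size)


def reassemble(frags):
    """Reassemble one datagram's fragments, whatever their arrival order.
    Returns (payload, findings); findings are the conditions an inspector
    doing full reassembly should flag rather than silently forward."""
    findings = []
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or ordered[0].offset != 0:
        findings.append("first fragment missing")
    elif ordered[0].more and len(ordered[0].payload) < TCP_HEADER_MIN:
        # The "tiny fragment" pattern discussed in RFC 1858: the transport
        # header is not complete in the first fragment, so a per-fragment
        # filter cannot see the TCP ports and flags.
        findings.append("tiny first fragment: transport header split across fragments (RFC 1858)")
    if not any(not f.more for f in ordered):
        findings.append("last fragment missing")
    total = max((f.offset + len(f.payload) for f in ordered), default=0)
    buf = bytearray(total)
    expected = 0
    for f in ordered:
        if f.offset < expected:
            # Overlap: hosts differ on whether old or new data wins, which is
            # exactly the ambiguity an IDS cannot resolve without knowing the
            # target's reassembly policy.
            findings.append(f"overlap at offset {f.offset}")
        elif f.offset > expected:
            findings.append(f"gap at offset {expected}")
        buf[f.offset:f.offset + len(f.payload)] = f.payload
        expected = max(expected, f.offset + len(f.payload))
    return bytes(buf), findings


if __name__ == "__main__":
    # Constructed sample: 20 bytes standing in for a TCP header + 12 bytes of data.
    segment = bytes(range(32))
    for size in (8, 24):
        frags = split(segment, size)
        data, findings = reassemble(list(reversed(frags)))  # deliver out of order
        print(f"{size}-byte fragments: header spans {header_fragment_count(size)} "
              f"fragment(s), reassembled ok={data == segment}, findings={findings}")
    # Overlapping fragment injected on top of the 24-byte split.
    frags = split(segment, 24) + [Fragment(8, True, b"\xff" * 8)]
    print("with overlap:", reassemble(frags)[1])
```

The `findings` list is the part worth keeping in a real inspector: a per-fragment filter that forwards under load (Sam's description) never sees these conditions, whereas a reassembling one can refuse or alert on tiny first fragments and overlaps without needing to guess which host policy the destination follows.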
Current thread:
- Feature request, out-of order fragmentation Sam Lavitt (May 14)
- Re: Feature request, out-of order fragmentation Luis MartinGarcia. (May 14)