Nmap Development mailing list archives
Re: [nmap-svn] r21941 - nmap/todo
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Mon, 24 Jan 2011 17:35:24 +0100
On 01/22/2011 05:58 PM, David wrote:
> On Sat, Jan 22, 2011 at 01:16:17PM +0100, Luis MartinGarcia wrote:
> > On Fri, Jan 21, 2011 at 10:58 PM, <commit-mailer () insecure org> wrote:
> > > Author: david
> > > Date: Fri Jan 21 13:58:55 2011
> > > New Revision: 21941
> > > Log:
> > > TODO:
> > > o [Nping] See whether --echo-client mode really requires root, and remove that restriction if not.
> >
> > Hi David,
> >
> > Nping does need root access for echo mode (for both client and server roles). This is because the protocol requires the client to provide the server with details about the packets that are going to be transmitted. When Nping is run in unprivileged mode, most of that information cannot be accessed as it is the OS who crafts network layer and transport layer headers. If you need a more elaborate answer, please let me know.
>
> What kind of information? What is the client unable to provide with, for example,
>
> nping --echo-client "public" --tcp-connect server
>
> What phase of the connection does it send this information in?
Hi David,

The Nping echo server provides support for multiple concurrent users. Therefore, it needs to be able to determine, for every packet that is captured, which user it belongs to. Note that the source IP address is not enough since the echo service may be used by multiple users behind the same NAT or by a single user running multiple instances of the client. For this reason, the server has what I call the "packet matching engine". The way this works is the following:

1. The client connects to the server.
2. During the session establishment, the client sends all the information it has about the packets that it is about to send (this includes IP id, tos, TCP seq, ack, win, flags, ports...). The information is transmitted in the NEP_PACKET_SPEC message.
3. The server receives the specs and stores them in its list of currently connected clients.
4. Every time a packet is captured, the server attempts to match the packet against the list of client specs. Since some of the fields may change in transit, the matching is done using a "scoring" system. For every field that matches, a client receives a number of points. At the end, the client that has the highest score gets the "echoed packet" (providing it has exceeded a minimum score).

This mechanism achieves the following:

* If the server receives packets that have nothing to do with the echo mode, those packets will not reach the minimum score, and therefore, they won't get echoed to any echo user. This means that a malicious user cannot use the echo server to steal the server's traffic (this is very important in terms of security).
* A single user can run multiple instances of the Nping echo client, and the server manages to differentiate all packets and deliver them to the appropriate process.
* Multiple users using the same NAT can also use the service successfully.
* It works when you want to test if packets with a spoofed IP address reach the server.
* It tolerates a certain amount of field value modifications performed by middleboxes.

So, why does the echo client require root access? Because it needs to know the IP IDs, window sizes, seq and ack numbers, etc. Otherwise, the server would not have enough information for the packet matching engine. It is true that we could relax these constraints but I don't think it's worth it, as it would reduce the security of the system and limit the server's multi-user capabilities.

Regards,
Luis MartinGarcia.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
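The four-step procedure and the scoring rule Luis describes, as an added toy model that is not Nping's own code: the field weights, the minimum score, the client ids and every sample packet are constructed for this illustration, and the real NEP_PACKET_SPEC encoding is not modelled. It shows the three properties the message claims (two clients behind one NAT address are told apart, a middlebox rewriting a field does not break matching, an unrelated packet falls below the minimum score) and why an unprivileged client that can only announce addressing fields never accumulates enough points to receive an echo.

```python
"""Toy model of the score-based packet matching engine described in the thread.

Added illustration, not Nping's code: the weights, the minimum score and the
sample packets below are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Points awarded per matching header field (constructed weights; Nping's real
# values are not given in the thread). Fields only a raw-socket client can
# set or observe (ip_id, tcp_seq, ...) carry most of the weight.
FIELD_WEIGHTS: Dict[str, int] = {
    "src_ip": 1, "src_port": 2, "dst_port": 1, "ip_id": 4,
    "tos": 1, "tcp_seq": 4, "tcp_ack": 2, "tcp_win": 2, "tcp_flags": 1,
}
MIN_SCORE = 10  # below this a captured packet is echoed to nobody (constructed)


@dataclass
class ClientSpec:
    """What a client announced about its packets (the NEP_PACKET_SPEC role)."""
    client_id: str
    fields: Dict[str, int]


@dataclass
class EchoServer:
    clients: Dict[str, ClientSpec] = field(default_factory=dict)

    def register(self, client_id: str, spec: Dict[str, int]) -> None:
        # Steps 2 and 3: the client sends its spec during session
        # establishment and the server stores it with the connected clients.
        self.clients[client_id] = ClientSpec(client_id, dict(spec))

    @staticmethod
    def score(spec: ClientSpec, packet: Dict[str, int]) -> int:
        # Step 4: points for every announced field that matches; fields the
        # client never announced, or that a middlebox rewrote, score zero.
        return sum(FIELD_WEIGHTS.get(name, 0)
                   for name, value in spec.fields.items()
                   if packet.get(name) == value)

    def match(self, packet: Dict[str, int]) -> Optional[str]:
        """Return the client that receives the echoed packet, or None."""
        best_id, best = None, 0
        for spec in self.clients.values():
            s = self.score(spec, packet)
            if s > best:
                best_id, best = spec.client_id, s
        return best_id if best >= MIN_SCORE else None


def demo() -> Dict[str, Optional[str]]:
    """Run constructed packets through the engine; report who gets each one."""
    srv = EchoServer()
    # Two privileged clients behind the same NAT address (src_ip 1) that
    # differ only in fields a raw-socket sender controls.
    srv.register("A", {"src_ip": 1, "src_port": 40001, "dst_port": 80,
                       "ip_id": 1234, "tos": 0, "tcp_seq": 1000,
                       "tcp_ack": 0, "tcp_win": 1024, "tcp_flags": 0x02})
    srv.register("B", {"src_ip": 1, "src_port": 40002, "dst_port": 80,
                       "ip_id": 5678, "tos": 0, "tcp_seq": 2000,
                       "tcp_ack": 0, "tcp_win": 1024, "tcp_flags": 0x02})
    # An unprivileged client can only announce what the socket API tells it;
    # the kernel chooses IP id, sequence number, window, and so on.
    srv.register("C", {"src_ip": 7, "src_port": 40003, "dst_port": 80})

    packets = {
        # A's SYN with tos rewritten in transit by a middlebox
        "a_rewritten_tos": {"src_ip": 1, "src_port": 40001, "dst_port": 80,
                            "ip_id": 1234, "tos": 0x10, "tcp_seq": 1000,
                            "tcp_ack": 0, "tcp_win": 1024, "tcp_flags": 0x02},
        # B's SYN, unmodified
        "b_exact": {"src_ip": 1, "src_port": 40002, "dst_port": 80,
                    "ip_id": 5678, "tos": 0, "tcp_seq": 2000,
                    "tcp_ack": 0, "tcp_win": 1024, "tcp_flags": 0x02},
        # Unrelated SYN to port 80 from the same NAT address: scores 8 < 10
        "stranger_same_nat": {"src_ip": 1, "src_port": 50000, "dst_port": 80,
                              "ip_id": 4321, "tos": 0, "tcp_seq": 31337,
                              "tcp_ack": 0, "tcp_win": 1024, "tcp_flags": 0x02},
        # C's own SYN: all three announced fields match, but that is only 4
        "c_exact": {"src_ip": 7, "src_port": 40003, "dst_port": 80,
                    "ip_id": 99, "tos": 0, "tcp_seq": 5, "tcp_ack": 0,
                    "tcp_win": 512, "tcp_flags": 0x02},
    }
    return {name: srv.match(pkt) for name, pkt in packets.items()}
```

The threshold is what keeps a stranger's traffic from being handed to an echo user: with these weights a generic SYN from the same NAT address to the same port matches A and B on the commonly shared fields (address, destination port, tos, ack, window, flags) for 8 points and is dropped, while A's genuine packet still reaches 17 after the tos rewrite. Client C, modelling the unprivileged case, can never exceed 4 points however accurate its spec is, which is the thread's argument for keeping the root requirement.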