Re: [nmap-svn] r21941 - nmap/todo

["Luis MartinGarcia." <luis.mgarc () gmail com>]

On 01/22/2011 05:58 PM, David wrote:
> On Sat, Jan 22, 2011 at 01:16:17PM +0100, Luis MartinGarcia wrote:
> > On Fri, Jan 21, 2011 at 10:58 PM,  <commit-mailer () insecure org> wrote:
> > > Author: david
> > > Date: Fri Jan 21 13:58:55 2011
> > > New Revision: 21941
> > >
> > > Log:
> > > TODO:
> > > o [Nping] See whether --echo-client mode really requires root, and
> > >  remove that restriction if not.
> > Hi David,
> >
> > Nping does need root access for echo mode (for both client and server
> > roles). This is because the protocol requires the client to provide
> > the server with details about the packets that are going to be
> > transmitted. When Nping is run in unprivileged mode, most of that
> > information cannot be accessed as it is the OS who crafts network
> > layer and transport layer headers.
> >
> > If you need a more elaborate answer, please let me know.
> What kind of information? What is the client unable to provide with, for
> example,
>       nping --echo-client "public" --tcp-connect server
> What phase of the connection does it send this information in?

Hi David,

The Nping echo server provides support for multiple concurrent users.
Therefore, it needs to be able to determine, for every packet that is
captured, which user it belongs to. Note that the source IP address is
not enough since the echo service may be used by multiple users behind
the same NAT or by a single users running multiple instances of the
client. For this reason, the server has what I call the "packet matching
engine". The way this works is the following:

1. The client connects to the server.

2. During the session establishment, the client sends all the
information it has about the packets that it is about to send (this
includes IP id, tos, TCP seq, ack, win, flags, ports...). The
information is transmitted in the NEP_PACKET_SPEC message.

3. The server receives the specs and stores them in its list of
currently connected clients.

4. Every time a packet is captured, the server attempts to match the
packet against the list of client specs. Since some of the fields may
change in transit, the matching is done using a "scoring" system. For
every field that matches, a client receives a number of points. At the
end, the client that has the higher score, gets the "echoed packet"
(providing it has exceeded a minimum score).

This mechanism achieves the following:

* If the server receives packets that have nothing to do with the echo
mode, those packets will not reach the minimum score, and therefore,
they won't get echoed to any echo user. This means that a malicious user
cannot use the echo server to steal server's traffic (this is very
important in terms of security).

* A single user can run multiple instances of the Nping echo client, and
the server manages to differentiate all packets and deliver them to the
appropriate process.

* Multiple users using the same NAT can also use the service successfully.

* It works when you want to test if packets with a spoofed IP address
reach the server.

* It tolerates a certain amount of field value modifications performed
by middleboxes.


So, why does the echo client require root access? Because it needs to
know the IP IDs, windows sizes, seq and ack numbers, etc. Otherwise, the
server would not have enough information for the the packet matching
engine. It is true that we could relax these constraints but I don't
think its worth it, as it would reduce the security of the system and
limit the server's multi-user capabilities.

Regards,

Luis MartinGarcia.








_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/