Nmap Development mailing list archives
RE: -sO for IPv6
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Wed, 15 Jun 2011 22:06:51 -0500
On Wed, Jun 15, 2011 at 05:40:27PM -0500, Dario Ciccarone (dciccaro) wrote:Hm. This may end in a "TL;DR" . . . I tried it against a couple devices - some observations: 1) For the actual extension headers (Hop-by-Hop (0), Routing (43), Fragment (44), Destination Options (60), No Next Header(59)) - we'rejust setting the NH field on the IPv6 header to each value.There's noattempt to actually build a valid extension header (well,it IS validfor 59 ;)). I think it would be more accurate if theextension headerwas properly formed. I can provide pcaps for each one of them, if so needed.This is the same situation as for IPv4. We only send proper payloads for a small number of protocols (ICMPv6, TCP, UDP, SCTP) and for the rest we send empty payloads. Please send your packet captures so we can make it better.
Attached. And indeed, as I know nmap does so (send proper payloads) for some protocols, doing the same for extension headers only seems logical to me. God forbid there was to be a queso6 doing that while nmap does not :^) <SNIP>
4) There will never be anything back for an IPv6 packetwith NH = 59 -unless being filtered, and filtering device sending backICMPv6(1,1).Should, IMHO, be assumed open - if you're doing IPv6, you *have* to support them all (0, 43, 44, 59 and 60) - so.I think then that open|filtered/no-response is appropriate.
Well, at the end of the day, it doesn't really matter, right? It's either because it's "open, but not getting anything back, as expected" or "being filtered by a device not sending us back ICMPv6(1,1)" - in any case, not like someone is going to be exploiting any vulnerability on proto 59 ;) About the attachment - all packets follow the same format: IPv6 header/extension header/ICMPv6 Echo Request. I only did Hop-by-Hop, Routing Header Type 0, Fragment Header and Destination Options. Routing Header Type 0 bounces only once, even if it has two nodes on the list - because my Linux machine doesn't do RH0. And the options are both Pad1 and PadN - could have been only 6*Pad1, but having both gives you flexibility :)
Attachment:
nmap_sample_ext_hdr.pcap
Description: nmap_sample_ext_hdr.pcap
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- -sO for IPv6 David Fifield (Jun 14)
- Re: -sO for IPv6 Daniel Miller (Jun 14)
- RE: -sO for IPv6 Dario Ciccarone (dciccaro) (Jun 15)
- Re: -sO for IPv6 David Fifield (Jun 15)
- RE: -sO for IPv6 Dario Ciccarone (dciccaro) (Jun 15)
- Re: -sO for IPv6 David Fifield (Jun 16)
- Re: -sO for IPv6 David Fifield (Jun 15)