Nmap Development mailing list archives

Possible bug in IPv6 ND Ping Scan


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Tue, 16 Aug 2011 13:16:34 +0200

Hi,

I was running Nmap 5.59BETA1 against an IPv6 target and I noticed that
the BPF filter for the ND ping scan may not work in all cases. I get
this (I've removed a lot of useless output):

luis@Aberdeen:~$ sudo nmap -6 fe80::20c:29ff:fe80:2b01 -d

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-08-16 13:05 CEST
Initiating ND Ping Scan at 13:05
Scanning fe80::20c:29ff:fe80:2b01 [0 ports]
Packet capture filter (device vmnet1): icmp6 and ip6[6:1] = 58 and
ip6[40:1] = 136
Completed ND Ping Scan at 13:05, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:05
Scanning fe80::20c:29ff:fe80:2b01 [1000 ports]
Packet capture filter (device vmnet1): dst host fe80::250:56ff:fec0:1
and (icmp or icmp6 or ((tcp or udp or sctp) and (src host
fe80::20c:29ff:fe80:2b01)))


The problem is in the BPF for the ND Ping scan. It currently uses "icmp6
and ip6[6:1] = 58 and ip6[40:1] = 136". I think it is wrong because it
assumes that no extension headers are present in the response. While
right now it is very very uncommon to find systems that use extension
headers, it may not be that uncommon in the future. In my opinion, the
BPF filter should be modified to work in all cases. I dunno what's the
best approach. A simple bpf="icmp6" might do the trick but I doubt that
libpcap traverses the whole list of extension headers to determine if
there is an ICMPv6 header in a captured packet. Maybe we should simply
use "ip6" and implement our own filter in the pcap handler. What do you
guys think?

Another thing: about the second filter, the one for the SYN scan, why is
there "icmp"? Do we expect any type of ICMPv4 response when we are
sending IPv6 datagrams?

Regards,

Luis MartinGarcia.
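To make the point about fixed-offset BPF concrete, here is an added example (not Nmap's code, and not from the original post) that implements the "use ip6 and filter in the pcap handler" idea: it walks the IPv6 extension-header chain (Hop-by-Hop, Routing, Fragment, Destination Options, AH) to find the ICMPv6 header and checks for a Neighbor Advertisement (type 136), and compares it with the fixed-offset check equivalent to `ip6[6:1] = 58 and ip6[40:1] = 136`. The two sample packets (a plain NA and the same NA behind a Hop-by-Hop header) are constructed inline; the addresses fe80::1 / fe80::2 and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define NH_ICMPV6 58
#define ND_NEIGHBOR_ADVERT 136

/* Extension headers this walker knows how to skip: Hop-by-Hop (0),
 * Routing (43), Fragment (44), AH (51), Destination Options (60). */
static int is_ext_header(uint8_t nh) {
    return nh == 0 || nh == 43 || nh == 44 || nh == 51 || nh == 60;
}

/* Equivalent of the BPF "ip6[6:1] = 58 and ip6[40:1] = 136": it assumes the
 * ICMPv6 header sits directly after the fixed 40-byte IPv6 header. */
int bpf_fixed_offset_match(const uint8_t *pkt, size_t len) {
    if (len < IPV6_HDR_LEN + 1) return 0;
    return pkt[6] == NH_ICMPV6 && pkt[40] == ND_NEIGHBOR_ADVERT;
}

/* Returns 1 if pkt (starting at the IPv6 header) carries an ICMPv6 Neighbor
 * Advertisement, walking any extension headers first; 0 for anything else,
 * including truncated or malformed packets. */
int is_icmp6_neighbor_advert(const uint8_t *pkt, size_t len) {
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return 0;
    size_t payload_len = (size_t)((pkt[4] << 8) | pkt[5]);
    size_t end = IPV6_HDR_LEN + payload_len;
    if (end > len) return 0;                    /* truncated capture */
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    int hops = 0;
    while (is_ext_header(nh)) {
        if (++hops > 16 || off + 8 > end) return 0;   /* absurd chain or short header */
        size_t hlen;
        if (nh == 44) {
            hlen = 8;                           /* Fragment header is fixed at 8 bytes */
            /* Only the first fragment (offset 0) can hold the ICMPv6 header. */
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) >> 3) != 0) return 0;
        } else if (nh == 51) {
            hlen = ((size_t)pkt[off + 1] + 2) * 4; /* AH: length in 32-bit words, minus 2 */
        } else {
            hlen = ((size_t)pkt[off + 1] + 1) * 8; /* other ext headers: 8-byte units, minus 1 */
        }
        nh = pkt[off];                          /* Next Header is the first byte */
        off += hlen;
    }
    if (nh != NH_ICMPV6 || off + 4 > end) return 0;  /* need type/code/checksum */
    return pkt[off] == ND_NEIGHBOR_ADVERT;
}

/* Constructed sample: IPv6 + optional Hop-by-Hop header + 24-byte Neighbor
 * Advertisement (checksum left zero; it is not verified here). Returns length. */
size_t build_na_packet(uint8_t *buf, size_t cap, int with_hbh) {
    size_t icmp_len = 24, ext_len = with_hbh ? 8 : 0;
    size_t total = IPV6_HDR_LEN + ext_len + icmp_len;
    if (total > cap) return 0;
    memset(buf, 0, cap);
    buf[0] = 0x60;                              /* version 6 */
    buf[4] = (uint8_t)((ext_len + icmp_len) >> 8);
    buf[5] = (uint8_t)(ext_len + icmp_len);     /* payload length */
    buf[6] = with_hbh ? 0 : NH_ICMPV6;          /* next header */
    buf[7] = 255;                               /* hop limit required for ND */
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 0x01;   /* src fe80::1 (constructed) */
    buf[24] = 0xfe; buf[25] = 0x80; buf[39] = 0x02; /* dst fe80::2 (constructed) */
    size_t off = IPV6_HDR_LEN;
    if (with_hbh) {
        buf[off] = NH_ICMPV6;                   /* HBH next header: ICMPv6 */
        buf[off + 1] = 0;                       /* hdr ext len 0 -> 8 bytes total */
        buf[off + 2] = 1; buf[off + 3] = 4;     /* PadN option, 4 bytes */
        off += 8;
    }
    buf[off] = ND_NEIGHBOR_ADVERT;              /* type 136, code 0 */
    buf[off + 4] = 0x60;                        /* Solicited + Override flags */
    buf[off + 8] = 0xfe; buf[off + 9] = 0x80; buf[off + 23] = 0x01; /* target fe80::1 */
    return total;
}

/* Build one sample and run either matcher on it (use_walker=1: extension-header
 * walker, 0: fixed-offset BPF equivalent). Returns the matcher's verdict. */
int check_sample(int with_hbh, int use_walker) {
    uint8_t buf[128];
    size_t n = build_na_packet(buf, sizeof buf, with_hbh);
    if (n == 0) return -1;
    return use_walker ? is_icmp6_neighbor_advert(buf, n) : bpf_fixed_offset_match(buf, n);
}

int main(void) {
    printf("plain NA:     fixed-offset=%d walker=%d\n", check_sample(0, 0), check_sample(0, 1));
    printf("NA behind HBH: fixed-offset=%d walker=%d\n", check_sample(1, 0), check_sample(1, 1));
    return 0;
}
```

The fixed-offset check matches the plain packet but misses the one carrying a Hop-by-Hop header, which is exactly the failure described above; the walker matches both and rejects truncated captures and non-first fragments instead of reading past the buffer.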

