Nmap Development mailing list archives
Possible bug in IPv6 ND Ping Scan
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Tue, 16 Aug 2011 13:16:34 +0200
Hi, I was running Nmap 5.59BETA1 against an IPv6 target and I noticed that the BPF filter for the ND ping scan may not work in all cases. I get this (I've removed many useless output): luis@Aberdeen:~$ sudo nmap -6 fe80::20c:29ff:fe80:2b01 -d Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-08-16 13:05 CEST Initiating ND Ping Scan at 13:05 Scanning fe80::20c:29ff:fe80:2b01 [0 ports] Packet capture filter (device vmnet1): icmp6 and ip6[6:1] = 58 and ip6[40:1] = 136 Completed ND Ping Scan at 13:05, 0.05s elapsed (1 total hosts) Initiating SYN Stealth Scan at 13:05 Scanning fe80::20c:29ff:fe80:2b01 [1000 ports] Packet capture filter (device vmnet1): dst host fe80::250:56ff:fec0:1 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host fe80::20c:29ff:fe80:2b01))) The problem is in the BPF for the ND Ping scan. It currently uses "icmp6 and ip6[6:1] = 58 and ip6[40:1] = 136". I think it is wrong because it assumes that no extension headers are present in the response. While right now it is very very uncommon to find systems that use extension headers, it may not be that uncommon in the future. In my opinion, the BPF filter should be modified to work in all cases. I dunno what's the best approach. A simple bpf="icmp6" might do the trick but I doubt that libpcap traverses the whole list of extension headers to determine if there is an ICMPv6 header in a captured packet. Maybe we should simply use "ip6" and implement our own filter in the pcap handler. What do you guys think? Another thing: about the second filter, the one for the SYN scan, why is there "icmp"? Do we expect any type of ICMPv4 response when we are sending IPv6 datagrams? Regards, Luis MartinGarcia. _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Possible bug in IPv6 ND Ping Scan Luis MartinGarcia. (Aug 16)
- Re: Possible bug in IPv6 ND Ping Scan Xu Weilin (Aug 16)