Nmap Development mailing list archives
Re: Re: [Paper] New Idle Scan Techniques
From: Mathias Morbitzer <m.morbitzer () student ru nl>
Date: Mon, 27 May 2013 11:24:55 +0200 (CEST)
Hello,

My name is Moe, and I'm currently working on my thesis to finish my studies in computing security. In my work, I analyzed if the TCP Idle Scan can be ported from IPv4 to IPv6. To tell you the answer: With some modifications, yes, it can! An article and my final thesis with the details are planned to be published in summer/fall. But enough of the advertisement.

After creating a proof of concept with scapy, I would like to implement the TCP Idle Scan in IPv6 in Nmap, but I have a hard time deciding which implementation method to choose: implementing it directly in the Nmap core or creating a Lua script. For me, the more logical choice would be the core, but then I found this post from Henri in which he patched Nmap so that he can create the RST rate limit scan with NSE (which is somehow similar to the TCP Idle Scan in IPv6).

Now, my question is: Which way of implementing my scan would you recommend?

Regards,
Moe

--------------------------------------------------------------
2011/4/21 Fyodor <fyodor () insecure org>:

> David just sent me a link to a research paper which discloses a couple of novel port scanning techniques which are related to the Nmap idle scan (-sI) in that they are side channel attacks which don't require sending packets to the target from your real IP address. One of the techniques is based on TCP RST rate limiting and the other uses SYN cache behavior. Here is the paper: http://www.usenix.org/events/sec10/tech/full_papers/Ensafi.pdf

Hello,

This paper is really cool! I gave a try at implementing the first technique (TCP RST rate limiting) within NSE. I have patched NSE to do so, adding a "scanrule" and a -sK option to enable script port scanning.

This patch eases the development of prototypes to evaluate such new scanning techniques and could also be interesting to develop port scanning modules relying upon application layers. Such modules could leverage the NSE libraries for the corresponding protocols (scanner-ftp-bounce.nse would be nice, instead of having it in the core, for instance).

Both the script and the patch are just PoC, but I would be glad to improve them if someone likes the idea. Feedback welcome!

Regards.

--
Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Re: [Paper] New Idle Scan Techniques Mathias Morbitzer (May 27)
- Re: Re: [Paper] New Idle Scan Techniques David Fifield (May 27)
- Re: [Paper] New Idle Scan Techniques Mathias Morbitzer (May 28)
- [PATCH] TCP Idle Scan in IPv6 Mathias Morbitzer (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 Paulino Calderon (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 Luis MartinGarcia (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 Mathias Morbitzer (Jun 03)
- Re: [PATCH] TCP Idle Scan in IPv6 David Fifield (Jun 29)
- Re: [PATCH] TCP Idle Scan in IPv6 David Fifield (Jun 29)
- Re: Re: [Paper] New Idle Scan Techniques David Fifield (May 27)