Nmap Development mailing list archives
Re: [PATCH] TCP Idle Scan in IPv6
From: David Fifield <david () bamsoftware com>
Date: Sun, 3 Nov 2013 12:25:38 -0800
On Mon, Oct 14, 2013 at 06:00:10PM +0200, Mathias Morbitzer wrote:
> On Sun, 13 Oct 2013 11:03:49 -0700, david <david () bamsoftware com> wrote:
> > > The attached patch should fix all the issues pointed out.
> >
> > I'm having some trouble getting results with this patch. I set up a test IPv6 network:
> >
> >   abcd::1  GNU/Linux scanning host
> >   abcd::2  Windows 7 VM zombie
> >   abcd::3  GNU/Linux target
> >
> > Is there any more information I can send you?
>
> Are you testing on a physical network, or with VMs? I did most of my tests with VMs, and sometimes encountered a slightly different behavior when I used a physical host as idle host. Of course, it should work in both situations, but this could be the reason why it works for me, but not for you. And because it could be a TCP checksum problem: Which Linux version are you using on the scanning host and the target?
They were all VMs. The Linux version was 3.10. But I think I found the cause. I tried using these link-local addresses instead:

  fe80::abcd:1  GNU/Linux scanning host
  fe80::abcd:2  Windows 7 VM zombie
  fe80::abcd:3  GNU/Linux target

Before using these addresses, I noticed that the scanning host was sending ICMPv6 Redirect messages. Now using these addresses, I get what looks like correct behavior:

$ sudo ./nmap -Pn -6 --top-ports 10 -sI '[fe80::abcd:2]:22' fe80::abcd:3

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-10-26 23:07 PDT
Idle scan using zombie fe80::abcd:2 (fe80::abcd:2:22); Class: Incrementing by 2
Nmap scan report for fe80::abcd:3
Host is up (0.021s latency).
PORT     STATE           SERVICE
21/tcp   closed|filtered ftp
22/tcp   open            ssh
23/tcp   closed|filtered telnet
25/tcp   closed|filtered smtp
80/tcp   closed|filtered http
110/tcp  closed|filtered pop3
139/tcp  closed|filtered netbios-ssn
443/tcp  closed|filtered https
445/tcp  closed|filtered microsoft-ds
3389/tcp closed|filtered ms-wbt-server

Trying to use the Linux host as a zombie to scan Windows doesn't work, as expected:

$ sudo ./nmap -Pn -6 --top-ports 10 -sI '[fe80::abcd:3]:22' fe80::abcd:2

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-10-26 23:07 PDT
Idle scan using zombie fe80::abcd:3 (fe80::abcd:3:22); Class: Incremental
Even though your Zombie (fe80::abcd:3; fe80::abcd:3) appears to be vulnerable to IP ID sequence prediction (class: Incremental), our attempts have failed. This generally means that either the Zombie uses a separate IP ID base for each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!

I merged your patch in r32469. Thanks so much!

David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/