Nmap Development mailing list archives
[RFC PATCH] Add --win option to set receive window size in TCP SYN Scan
From: Bernhard Thaler <bernhard.thaler () r-it at>
Date: Wed, 8 Jul 2015 16:07:44 +0200
Some IPS seem to detect and block nmap probes due to hard-coded TCP receive window size of 1024. Add --win option to set any receive window size 0 < win < 65535 to avoid being detected by hard-coded window size 1024. --- NmapOps.cc | 1 + NmapOps.h | 1 + nmap.cc | 7 +++++++ scan_engine_raw.cc | 8 ++++---- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/NmapOps.cc b/NmapOps.cc index b6ff244..776cf74 100644 --- a/NmapOps.cc +++ b/NmapOps.cc @@ -342,6 +342,7 @@ void NmapOps::Initialize() { append_output = 0; memset(logfd, 0, sizeof(FILE *) * LOG_NUM_FILES); ttl = -1; + win = 0; badsum = 0; nmap_stdout = stdout; gettimeofday(&start_time, NULL); diff --git a/NmapOps.h b/NmapOps.h index 5728a50..dcbbda6 100644 --- a/NmapOps.h +++ b/NmapOps.h @@ -344,6 +344,7 @@ class NmapOps { FILE *logfd[LOG_NUM_FILES]; FILE *nmap_stdout; /* Nmap standard output */ int ttl; // Time to live + int win; // TCP Receive Window Size int badsum; char *datadir; /* A map from abstract data file names like "nmap-services" and "nmap-os-db" diff --git a/nmap.cc b/nmap.cc index 97f85f1..e4b3634 100644 --- a/nmap.cc +++ b/nmap.cc @@ -321,6 +321,7 @@ static void printusage(int rc) { " --data-length <num>: Append random data to sent packets\n" " --ip-options <options>: Send packets with specified ip options\n" " --ttl <val>: Set IP time-to-live field\n" + " --win <val>: Set TCP receive window size field\n" " --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address\n" " --badsum: Send packets with a bogus TCP/UDP/SCTP checksum\n" "OUTPUT:\n" @@ -632,6 +633,7 @@ void parse_options(int argc, char **argv) { {"thc", no_argument, 0, 0}, {"badsum", no_argument, 0, 0}, {"ttl", required_argument, 0, 0}, /* Time to live */ + {"win", required_argument, 0, 0}, /* TCP Receive Window Size */ {"traceroute", no_argument, 0, 0}, {"reason", no_argument, 0, 0}, {"allports", no_argument, 0, 0}, @@ -776,6 +778,11 @@ void parse_options(int argc, char **argv) { if (o.ttl < 0 || o.ttl > 255) { fatal("ttl option must be a number between 0 and 255 (inclusive)"); } + } else if (strcmp(long_options[option_index].name, "win") == 0) { + o.win = atoi(optarg); + if (o.win < 0 || o.win > 65535) { + fatal("win option must be a number between 0 and 65535 (inclusive)"); + } } else if (strcmp(long_options[option_index].name, "datadir") == 0) { o.datadir = strdup(optarg); } else if (strcmp(long_options[option_index].name, "servicedb") == 0) { diff --git a/scan_engine_raw.cc b/scan_engine_raw.cc index 54f258a..e1c8eda 100644 --- a/scan_engine_raw.cc +++ b/scan_engine_raw.cc @@ -1166,7 +1166,7 @@ static u8 *build_protoscan_packet(const struct sockaddr_storage *src, case IPPROTO_TCP: packet = build_tcp_raw(&src_in->sin_addr, &dst_in->sin_addr, o.ttl, ipid, IP_TOS_DEFAULT, false, o.ipoptions, o.ipoptionslen, - sport, DEFAULT_TCP_PROBE_PORT, get_random_u32(), get_random_u32(), 0, TH_ACK, 0, 0, NULL, 0, + sport, DEFAULT_TCP_PROBE_PORT, get_random_u32(), get_random_u32(), 0, TH_ACK, o.win, 0, NULL, 0, o.extra_payload, o.extra_payload_length, packetlen); break; case IPPROTO_ICMP: @@ -1215,7 +1215,7 @@ static u8 *build_protoscan_packet(const struct sockaddr_storage *src, case IPPROTO_TCP: packet = build_tcp_raw_ipv6(&src_in6->sin6_addr, &dst_in6->sin6_addr, 0, ipid, o.ttl, - sport, DEFAULT_TCP_PROBE_PORT, get_random_u32(), get_random_u32(), 0, TH_ACK, 0, 0, NULL, 0, + sport, DEFAULT_TCP_PROBE_PORT, get_random_u32(), get_random_u32(), 0, TH_ACK, o.win, 0, NULL, 0, o.extra_payload, o.extra_payload_length, packetlen); break; case IPPROTO_ICMPV6: @@ -1317,7 +1317,7 @@ UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss, o.ttl, ipid, IP_TOS_DEFAULT, false, o.ipoptions, o.ipoptionslen, sport, pspec->pd.tcp.dport, - seq, ack, 0, pspec->pd.tcp.flags, 0, 0, + seq, ack, 0, pspec->pd.tcp.flags, o.win, 0, tcpops, tcpopslen, o.extra_payload, o.extra_payload_length, &packetlen); @@ -1339,7 +1339,7 @@ UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss, sin6 = (struct sockaddr_in6 *) &source; packet = build_tcp_raw_ipv6(&sin6->sin6_addr, hss->target->v6hostip(), 0, 0, o.ttl, sport, pspec->pd.tcp.dport, - seq, ack, 0, pspec->pd.tcp.flags, 0, 0, + seq, ack, 0, pspec->pd.tcp.flags, o.win, 0, tcpops, tcpopslen, o.extra_payload, o.extra_payload_length, &packetlen); -- 1.7.10.4 _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan Bernhard Thaler (Jul 08)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan David Fifield (Jul 08)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan Daniel Miller (Jul 08)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan Fyodor (Jul 12)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan Jacek Wielemborek (Jul 13)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan bernhard . thaler (Jul 13)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan Daniel Miller (Jul 13)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan Fyodor (Jul 19)
- Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan David Fifield (Jul 08)