Nmap Development mailing list archives

Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan


From: bernhard.thaler () r-it at
Date: Mon, 13 Jul 2015 13:53:50 +0200


Hi Fyodor,

I stuck to nping, which has a --win command line option, so I thought for
consistency it would make sense for nmap as well.

I would even say for evasion we need to think about TCP options as
well...Nmap currently sets only the MSS option, but not others (e.g. Windows 7
sets mss,nop,ws,nop,nop,sack as TCP options).

A "sane" default may be to choose settings according to the platform Nmap
is running on...e.g. when run on a Windows machine using Windows default
values for TTL/HLIM, window size and TCP options, and when running on a
Linux machine using current settings for these fields as well. If Nmap
probes were similar to other TCP SYN packets originating from the box
performing the scan (e.g. start of connection for normal web traffic) this
would most likely be enough to avoid detection.

I fear there is no smart way to really check if Nmap probes are detected
and blocked due to TTL/HLIM, window size or TCP option values. But if
people manually detect this is/may be the reason for blocking they may want
to have a command-line option to set these values according to their needs
and manually evade detection. It may not be flags most people will commonly
use though.

I will have a look into this...but I think both will be needed, a default
that fits most cases and command-line options to override the default when
needed.

Regards,
Bernhard



----------------------------------------
Raiffeisen Informatik GmbH, registered office Vienna, commercial register no. 88239p,
Commercial Court of Vienna, DVR 0486809, VAT ID ATU 16351908

Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------


From:    fyodor () nmap org
To:      bernhard.thaler () r-it at,
Cc:      dev () nmap org
Date:    13.07.2015 11:49
Subject: Re: [RFC PATCH] Add --win option to set receive window size in
             TCP SYN Scan



On Wed, Jul 8, 2015 at 7:07 AM, Bernhard Thaler <bernhard.thaler () r-it at>
wrote:
      Some IPS seem to detect and block nmap probes due to hard-coded TCP
      receive window size of 1024.

      Add --win option to set any receive window size 0 < win < 65535 to
      avoid being detected by hard-coded window size 1024.

Hi Bernhard, and thanks for the patch!  I feel like Nmap has too many
command line options already, so the bar to adding new ones is pretty high
in terms of how common and essential the option is for users.  In this
case, perhaps there is another solution.  If there is a more common window
size, perhaps we could switch to using that by default.  Or maybe Nmap
could choose from a number of common window sizes at startup, though that
means a bit more complexity and code to maintain than the
choosing-another-static-value approach.  Also, we shouldn't change the
packets sent by OS detection since the window size of those may affect the
responses.

Solutions which are "smart" enough to solve problems without requiring the
user to specify some obscure option are likely to improve the scanning
experience for far more people.  I'm glad you sent the patch though because
it does make it easier for people who do want to change the Window size to
apply your patch and do so.

Cheers,
Fyodor

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
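The thread turns on one observable: a SYN scan probe with a fixed 1024-byte receive window and only an MSS option looks different from the SYNs a real Windows or Linux stack emits. The following is an added example written for this archive page, not code from Nmap, nping, or either poster. It parses raw TCP headers, extracts the window size and the TCP option sequence, and classifies bare SYNs the way a simple IPS signature of the kind discussed above would: window 1024 with a lone MSS option is flagged, window 1024 with a fuller option set is only marked suspicious, and everything else passes. The three sample segments (an Nmap-style probe, a Windows 7-style SYN with mss,nop,ws,nop,nop,sack, and a Linux-style SYN with mss,sackOK,ts,nop,ws) are constructed here for the demonstration; the option values in them are illustrative, not captured traffic.

```python
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}  # kinds we name; others become optN


def parse_tcp_header(segment: bytes):
    """Parse a TCP header (IP header already stripped).

    Returns (flags, window, option_names, mss) or None when the segment is
    truncated or carries a malformed option list.
    """
    if len(segment) < 20:
        return None
    _sport, _dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x1FF                # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    if data_offset < 20 or len(segment) < data_offset:
        return None

    options = []
    mss = None
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                        # EOL: rest of the option area is padding
            break
        if kind == 1:                        # NOP is a single byte
            options.append("nop")
            i += 1
            continue
        if i + 1 >= data_offset:
            return None                      # kind byte without a length byte
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None                      # option runs past the header
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", segment[i + 2:i + 4])[0]
        options.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return flags, window, tuple(options), mss


def is_bare_syn(flags: int) -> bool:
    """True for a connection-initiating SYN (SYN set, ACK clear)."""
    return flags & (TCP_SYN | TCP_ACK) == TCP_SYN


def classify_syn(segment: bytes) -> str:
    """Mimic a window-size based IPS signature and a slightly stricter variant."""
    parsed = parse_tcp_header(segment)
    if parsed is None:
        return "malformed"
    flags, window, options, _mss = parsed
    if not is_bare_syn(flags):
        return "not-a-syn"
    if window == 1024 and options == ("mss",):
        return "nmap-like"                   # the hard-coded window plus MSS-only options
    if window == 1024:
        return "suspicious-window"           # window matches, option set does not
    return "ordinary"


def build_syn(window: int, options: bytes, flags: int = TCP_SYN) -> bytes:
    """Construct a TCP segment for the demonstration (constructed data, not a capture)."""
    options += b"\x00" * ((-len(options)) % 4)    # pad option area to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack(
        "!HHIIHHHH", 40000, 80, 0x12345678, 0, (data_offset << 12) | flags, window, 0, 0
    )
    return header + options


# Constructed samples: MSS 1460 throughout, option layouts as described in the thread.
NMAP_SYN = build_syn(1024, b"\x02\x04\x05\xb4")
WIN7_SYN = build_syn(8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
LINUX_SYN = build_syn(29200, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
SYNACK_1024 = build_syn(1024, b"\x02\x04\x05\xb4", flags=TCP_SYN | TCP_ACK)


def summarize(segments) -> dict:
    """Count classifications over a batch of segments, as a detection report would."""
    counts = {}
    for seg in segments:
        label = classify_syn(seg)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for name, seg in (("nmap", NMAP_SYN), ("win7", WIN7_SYN), ("linux", LINUX_SYN)):
        _f, win, opts, mss = parse_tcp_header(seg)
        print(f"{name:6} window={win:5} mss={mss} options={','.join(opts)} -> {classify_syn(seg)}")
    print(summarize([NMAP_SYN, WIN7_SYN, LINUX_SYN, SYNACK_1024]))
```

Two points follow from running it. First, the "suspicious-window" bucket shows why Fyodor's static-value idea and Bernhard's platform-default idea differ: changing only the window still leaves the MSS-only option list as a distinguishing feature, so a signature that keys on window plus option order is not defeated by --win alone, while one that keys on the window value only is. Second, the classifier deliberately ignores SYN-ACKs; a rule that fires on any segment with window 1024 would match replies from stacks that legitimately advertise that value, which is the false-positive cost Bernhard alludes to when he says there is no clean way to tell which field an IPS is keying on.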
