Re: [nmap-svn] r34903 - nmap

[Daniel Miller <bonsaiviking () gmail com>]

List,

Nmap's unique TCP signature has come up a couple times in the past week. On
Tuesday the 7th, a user on IRC wanted to know if Nmap could be
fingerprinted based on the static order of the first 28 TCP ports scanned.
In reply, I wrote a blog post [1] on how easy it is for IDS and related
systems to detect Nmap scans. On Wednesday, Bernhard Thaler sent a patch to
address one aspect of this (TCP Window size) [2].

The commit below does not change any functionality, but it makes it simple
for a user to compile in different TCP Options that are set for raw TCP SYN
packets, since this is another possible way that Nmap could be identified,
at least in combination with other features. It is also good programming
practice not to have "magic numbers," which extends to literal strings like
this scattered throughout the code.

Hope you found this interesting!
Dan

[1] http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-they-hatin.html
[2] http://seclists.org/nmap-dev/2015/q3/52

On Mon, Jul 13, 2015 at 10:08 PM, <commit-mailer () nmap org> wrote:

> Author: dmiller
> Date: Tue Jul 14 03:08:17 2015
> New Revision: 34903
>
> Log:
> Consolidate TCP options for SYN into nmap.h
>
> Modified:
>    nmap/idle_scan.cc
>    nmap/nmap.h
>    nmap/scan_engine_raw.cc
>    nmap/traceroute.cc
>
> Modified: nmap/idle_scan.cc
>
> ==============================================================================
> --- nmap/idle_scan.cc   (original)
> +++ nmap/idle_scan.cc   Tue Jul 14 03:08:17 2015
> @@ -282,7 +282,7 @@
>                    o.ipoptions, o.ipoptionslen,
>                    base_port + tries, proxy->probe_port,
>                    seq_base + (packet_send_count++ * 500) + 1, ack, 0,
> TH_SYN | TH_ACK, 0, 0,
> -                  (u8 *) "\x02\x04\x05\xb4", 4,
> +                  (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN,
>                    NULL, 0);
>      else {
>        ipv6_packet = build_tcp_raw_ipv6(proxy->host.v6sourceip(),
> proxy->host.v6hostip(),
> @@ -290,7 +290,7 @@
>                          o.ttl,
>                          base_port + tries, proxy->probe_port,
>                          seq_base + (packet_send_count++ * 500) + 1, ack,
> 0, TH_SYN | TH_ACK, 0, 0,
> -                        (u8 *) "\x02\x04\x05\xb4", 4,
> +                        (u8 *) TCP_SYN_PROBE_OPTIONS,
> TCP_SYN_PROBE_OPTIONS_LEN,
>                          NULL, 0,
>                          &packetlen);
>        proxy->host.TargetSockAddr(&ss, &sslen);
> @@ -728,7 +728,7 @@
>                     o.ipoptions, o.ipoptionslen,
>                     o.magic_port + probes_sent + 1, proxy->probe_port,
>                     sequence_base + probes_sent + 1, ack, 0, TH_SYN |
> TH_ACK, 0, 0,
> -                   (u8 *) "\x02\x04\x05\xb4", 4,
> +                   (u8 *) TCP_SYN_PROBE_OPTIONS,
> TCP_SYN_PROBE_OPTIONS_LEN,
>                     NULL, 0);
>      else if (o.af() == AF_INET6) {
>        ipv6_packet = build_tcp_raw_ipv6(proxy->host.v6sourceip(),
> proxy->host.v6hostip(),
> @@ -736,7 +736,7 @@
>                                         o.ttl,
>                                         o.magic_port + probes_sent + 1,
> proxy->probe_port,
>                                         sequence_base + probes_sent + 1,
> ack, 0, TH_SYN | TH_ACK, 0, 0,
> -                                       (u8 *) "\x02\x04\x05\xb4", 4,
> +                                       (u8 *) TCP_SYN_PROBE_OPTIONS,
> TCP_SYN_PROBE_OPTIONS_LEN,
>                                         NULL, 0,
>                                         &packetlen);
>        res = send_ip_packet(proxy->rawsd, proxy->ethptr, &ss, ipv6_packet,
> packetlen);
> @@ -922,16 +922,16 @@
>                      o.ipoptions, o.ipoptionslen,
>                      o.magic_port, proxy->probe_port,
>                      sequence_base + probes_sent + 1, ack, 0, TH_SYN |
> TH_ACK, 0, 0,
> -                    (u8 *) "\x02\x04\x05\xb4",
> -                    4, NULL, 0);
> +                    (u8 *) TCP_SYN_PROBE_OPTIONS,
> +                    TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0);
>        } else {
>          ipv6_packet = build_tcp_raw_ipv6(target->v6hostip(),
> proxy->host.v6hostip(),
>                                           0x00, 0x0000,
>                                           o.ttl,
>                                           o.magic_port, proxy->probe_port,
>                                           sequence_base + probes_sent + 1,
> ack, 0, TH_SYN | TH_ACK, 0, 0,
> -                                         (u8 *) "\x02\x04\x05\xb4",
> -                                         4, NULL, 0,
> +                                         (u8 *) TCP_SYN_PROBE_OPTIONS,
> +                                         TCP_SYN_PROBE_OPTIONS_LEN, NULL,
> 0,
>                                           &packetlen);
>          res = send_ip_packet(proxy->rawsd, proxy->ethptr, &ss,
> ipv6_packet, packetlen);
>          if (res == -1)
> @@ -1096,14 +1096,14 @@
>                     o.ttl, false,
>                     o.ipoptions, o.ipoptionslen,
>                     proxy->probe_port, ports[pr0be], seq, 0, 0, TH_SYN, 0,
> 0,
> -                   (u8 *) "\x02\x04\x05\xb4", 4,
> +                   (u8 *) TCP_SYN_PROBE_OPTIONS,
> TCP_SYN_PROBE_OPTIONS_LEN,
>                     o.extra_payload, o.extra_payload_length);
>     } else {
>          packet = build_tcp_raw_ipv6(proxy->host.v6hostip(),
> target->v6hostip(),
>                                      0x00, 0x0000,
>                                      o.ttl,
>                                      proxy->probe_port, ports[pr0be], seq,
> 0, 0, TH_SYN, 0, 0,
> -                                    (u8 *) "\x02\x04\x05\xb4", 4,
> +                                    (u8 *) TCP_SYN_PROBE_OPTIONS,
> TCP_SYN_PROBE_OPTIONS_LEN,
>                                      o.extra_payload,
> o.extra_payload_length,
>                                      &packetlen);
>          res = send_ip_packet(proxy->rawsd, eth.ethsd ? &eth : NULL, &ss,
> packet, packetlen);
>
> Modified: nmap/nmap.h
>
> ==============================================================================
> --- nmap/nmap.h (original)
> +++ nmap/nmap.h Tue Jul 14 03:08:17 2015
> @@ -232,6 +232,10 @@
>
>  #define MAXFALLBACKS 20 /* How many comma separated fallbacks are allowed
> in the service-probes file? */
>
> +/* TCP Options for TCP SYN probes: MSS 1460 */
> +#define TCP_SYN_PROBE_OPTIONS "\x02\x04\x05\xb4"
> +#define TCP_SYN_PROBE_OPTIONS_LEN (sizeof(TCP_SYN_PROBE_OPTIONS)-1)
> +
>  /* Default maximum send delay between probes to the same host */
>  #ifndef MAX_TCP_SCAN_DELAY
>  #define MAX_TCP_SCAN_DELAY 1000
>
> Modified: nmap/scan_engine_raw.cc
>
> ==============================================================================
> --- nmap/scan_engine_raw.cc     (original)
> +++ nmap/scan_engine_raw.cc     Tue Jul 14 03:08:17 2015
> @@ -1307,8 +1307,8 @@
>        seq = seq32_encode(USI, tryno, pingseq);
>
>      if (pspec->pd.tcp.flags & TH_SYN) {
> -      tcpops = (u8 *) "\x02\x04\x05\xb4";
> -      tcpopslen = 4;
> +      tcpops = (u8 *) TCP_SYN_PROBE_OPTIONS;
> +      tcpopslen = TCP_SYN_PROBE_OPTIONS_LEN;
>      }
>
>      if (hss->target->af() == AF_INET) {
>
> Modified: nmap/traceroute.cc
>
> ==============================================================================
> --- nmap/traceroute.cc  (original)
> +++ nmap/traceroute.cc  Tue Jul 14 03:08:17 2015
> @@ -745,8 +745,8 @@
>      ack = 0;
>      if ((pspec.pd.tcp.flags & TH_SYN) == TH_SYN) {
>        /* MSS 1460 bytes. */
> -      tcpopts = "\x02\x04\x05\xb4";
> -      tcpoptslen = 4;
> +      tcpopts = TCP_SYN_PROBE_OPTIONS;
> +      tcpoptslen = TCP_SYN_PROBE_OPTIONS_LEN;
>      } else if ((pspec.pd.tcp.flags & TH_ACK) == TH_ACK) {
>        ack = get_random_u32();
>      }
>
> _______________________________________________
> Sent through the svn mailing list
> http://nmap.org/mailman/listinfo/svn
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/