Nmap Development mailing list archives
Re: [nmap-svn] r34903 - nmap
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 13 Jul 2015 22:19:47 -0500
List,

Nmap's unique TCP signature has come up a couple times in the past week. On Tuesday the 7th, a user on IRC wanted to know if Nmap could be fingerprinted based on the static order of the first 28 TCP ports scanned. In reply, I wrote a blog post [1] on how easy it is for IDS and related systems to detect Nmap scans. On Wednesday, Bernhard Thaler sent a patch to address one aspect of this (TCP Window size) [2].

The commit below does not change any functionality, but it makes it simple for a user to compile in different TCP Options that are set for raw TCP SYN packets, since this is another possible way that Nmap could be identified, at least in combination with other features. It is also good programming practice not to have "magic numbers," which extends to literal strings like this scattered throughout the code.

Hope you found this interesting!

Dan

[1] http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-they-hatin.html
[2] http://seclists.org/nmap-dev/2015/q3/52

On Mon, Jul 13, 2015 at 10:08 PM, <commit-mailer () nmap org> wrote:
Author: dmiller Date: Tue Jul 14 03:08:17 2015 New Revision: 34903 Log: Consolidate TCP options for SYN into nmap.h Modified: nmap/idle_scan.cc nmap/nmap.h nmap/scan_engine_raw.cc nmap/traceroute.cc Modified: nmap/idle_scan.cc ============================================================================== --- nmap/idle_scan.cc (original) +++ nmap/idle_scan.cc Tue Jul 14 03:08:17 2015 @@ -282,7 +282,7 @@ o.ipoptions, o.ipoptionslen, base_port + tries, proxy->probe_port, seq_base + (packet_send_count++ * 500) + 1, ack, 0, TH_SYN | TH_ACK, 0, 0, - (u8 *) "\x02\x04\x05\xb4", 4, + (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0); else { ipv6_packet = build_tcp_raw_ipv6(proxy->host.v6sourceip(), proxy->host.v6hostip(), @@ -290,7 +290,7 @@ o.ttl, base_port + tries, proxy->probe_port, seq_base + (packet_send_count++ * 500) + 1, ack, 0, TH_SYN | TH_ACK, 0, 0, - (u8 *) "\x02\x04\x05\xb4", 4, + (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0, &packetlen); proxy->host.TargetSockAddr(&ss, &sslen); @@ -728,7 +728,7 @@ o.ipoptions, o.ipoptionslen, o.magic_port + probes_sent + 1, proxy->probe_port, sequence_base + probes_sent + 1, ack, 0, TH_SYN | TH_ACK, 0, 0, - (u8 *) "\x02\x04\x05\xb4", 4, + (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0); else if (o.af() == AF_INET6) { ipv6_packet = build_tcp_raw_ipv6(proxy->host.v6sourceip(), proxy->host.v6hostip(), @@ -736,7 +736,7 @@ o.ttl, o.magic_port + probes_sent + 1, proxy->probe_port, sequence_base + probes_sent + 1, ack, 0, TH_SYN | TH_ACK, 0, 0, - (u8 *) "\x02\x04\x05\xb4", 4, + (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0, &packetlen); res = send_ip_packet(proxy->rawsd, proxy->ethptr, &ss, ipv6_packet, packetlen); 
@@ -922,16 +922,16 @@ o.ipoptions, o.ipoptionslen, o.magic_port, proxy->probe_port, sequence_base + probes_sent + 1, ack, 0, TH_SYN | TH_ACK, 0, 0, - (u8 *) "\x02\x04\x05\xb4", - 4, NULL, 0); + (u8 *) TCP_SYN_PROBE_OPTIONS, + TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0); } else { ipv6_packet = build_tcp_raw_ipv6(target->v6hostip(), proxy->host.v6hostip(), 0x00, 0x0000, o.ttl, o.magic_port, proxy->probe_port, sequence_base + probes_sent + 1, ack, 0, TH_SYN | TH_ACK, 0, 0, - (u8 *) "\x02\x04\x05\xb4", - 4, NULL, 0, + (u8 *) TCP_SYN_PROBE_OPTIONS, + TCP_SYN_PROBE_OPTIONS_LEN, NULL, 0, &packetlen); res = send_ip_packet(proxy->rawsd, proxy->ethptr, &ss, ipv6_packet, packetlen); if (res == -1) @@ -1096,14 +1096,14 @@ o.ttl, false, o.ipoptions, o.ipoptionslen, proxy->probe_port, ports[pr0be], seq, 0, 0, TH_SYN, 0, 0, - (u8 *) "\x02\x04\x05\xb4", 4, + (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN, o.extra_payload, o.extra_payload_length); } else { packet = build_tcp_raw_ipv6(proxy->host.v6hostip(), target->v6hostip(), 0x00, 0x0000, o.ttl, proxy->probe_port, ports[pr0be], seq, 0, 0, TH_SYN, 0, 0, - (u8 *) "\x02\x04\x05\xb4", 4, + (u8 *) TCP_SYN_PROBE_OPTIONS, TCP_SYN_PROBE_OPTIONS_LEN, o.extra_payload, o.extra_payload_length, &packetlen); res = send_ip_packet(proxy->rawsd, eth.ethsd ? ð : NULL, &ss, packet, packetlen); Modified: nmap/nmap.h ============================================================================== --- nmap/nmap.h (original) +++ nmap/nmap.h Tue Jul 14 03:08:17 2015 
@@ -232,6 +232,10 @@ #define MAXFALLBACKS 20 /* How many comma separated fallbacks are allowed in the service-probes file? */ +/* TCP Options for TCP SYN probes: MSS 1460 */ +#define TCP_SYN_PROBE_OPTIONS "\x02\x04\x05\xb4" +#define TCP_SYN_PROBE_OPTIONS_LEN (sizeof(TCP_SYN_PROBE_OPTIONS)-1) + /* Default maximum send delay between probes to the same host */ #ifndef MAX_TCP_SCAN_DELAY #define MAX_TCP_SCAN_DELAY 1000 Modified: nmap/scan_engine_raw.cc ============================================================================== --- nmap/scan_engine_raw.cc (original) +++ nmap/scan_engine_raw.cc Tue Jul 14 03:08:17 2015 @@ -1307,8 +1307,8 @@ seq = seq32_encode(USI, tryno, pingseq); if (pspec->pd.tcp.flags & TH_SYN) { - tcpops = (u8 *) "\x02\x04\x05\xb4"; - tcpopslen = 4; + tcpops = (u8 *) TCP_SYN_PROBE_OPTIONS; + tcpopslen = TCP_SYN_PROBE_OPTIONS_LEN; } if (hss->target->af() == AF_INET) { Modified: nmap/traceroute.cc ============================================================================== --- nmap/traceroute.cc (original) +++ nmap/traceroute.cc Tue Jul 14 03:08:17 2015 @@ -745,8 +745,8 @@ ack = 0; if ((pspec.pd.tcp.flags & TH_SYN) == TH_SYN) { /* MSS 1460 bytes. */ - tcpopts = "\x02\x04\x05\xb4"; - tcpoptslen = 4; + tcpopts = TCP_SYN_PROBE_OPTIONS; + tcpoptslen = TCP_SYN_PROBE_OPTIONS_LEN; } else if ((pspec.pd.tcp.flags & TH_ACK) == TH_ACK) { ack = get_random_u32(); } _______________________________________________ Sent through the svn mailing list http://nmap.org/mailman/listinfo/svn
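Review bot: the nmap.h hunk should document, next to `#define TCP_SYN_PROBE_OPTIONS "\x02\x04\x05\xb4"`, that the value must stay a string literal, because `TCP_SYN_PROBE_OPTIONS_LEN (sizeof(TCP_SYN_PROBE_OPTIONS)-1)` only yields the byte count for a literal; a user who follows the cover note and substitutes an array or pointer name gets a silently wrong length. The same comment should say the option block has to pad to a multiple of 4 bytes, since the TCP data offset is counted in 32-bit words, so a user-compiled value like an MSS plus one NOP would produce a malformed header. A one-line `/* Must be a string literal; total length must be a multiple of 4 */` above the define covers both.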
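Review bot: in the traceroute.cc hunk the `/* MSS 1460 bytes. */` comment kept above `tcpopts = TCP_SYN_PROBE_OPTIONS;` is now a second copy of the meaning nmap.h carries and goes stale as soon as someone changes the define; drop it or replace it with a reference to TCP_SYN_PROBE_OPTIONS in nmap.h. This is also the one call site that assigns the macro without the `(u8 *)` cast used in idle_scan.cc and scan_engine_raw.cc, which works only while the macro remains a string literal, another reason to state that constraint at the definition.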
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
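As an added example (not part of Dan's mail or of the Nmap tree), here is the detector's side of the point the cover note makes: a small C TCP-option parser that flags a SYN whose option list is nothing but MSS 1460, the exact bytes nmap.h now names, while passing a constructed Linux-style SYN that also carries SACK, timestamps and window scale. The sample option blocks, the struct and the function names are this example's own; only the two #defines are copied from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same definition the commit adds to nmap.h: one MSS option, 1460 bytes.
 * sizeof() on the literal counts its terminating NUL, hence the -1. */
#define TCP_SYN_PROBE_OPTIONS "\x02\x04\x05\xb4"
#define TCP_SYN_PROBE_OPTIONS_LEN (sizeof(TCP_SYN_PROBE_OPTIONS) - 1)

/* Constructed sample: what a typical Linux stack puts in its own SYN
 * (MSS 1460, SACK permitted, Timestamps, NOP, Window scale 7). */
static const uint8_t LINUX_STYLE_SYN_OPTS[] = {
    0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0, 0, 0, 1,
    0, 0, 0, 0, 0x01, 0x03, 0x03, 0x07 };

struct tcp_opt_summary {
    int n_opts;     /* options other than NOP and EOL */
    int malformed;  /* a length byte ran past the buffer */
    unsigned mss;   /* 0 if no MSS option present */
};

/* Walk the option bytes: kind 0 = EOL, 1 = NOP (single byte); every other
 * kind carries a length byte covering kind + length + data. */
void parse_tcp_options(const uint8_t *opts, size_t len, struct tcp_opt_summary *s)
{
    size_t i = 0;
    memset(s, 0, sizeof(*s));
    while (i < len) {
        uint8_t kind = opts[i], olen;
        if (kind == 0) break;
        if (kind == 1) { i++; continue; }
        if (i + 1 >= len || (olen = opts[i + 1]) < 2 || i + olen > len) {
            s->malformed = 1; return;
        }
        s->n_opts++;
        if (kind == 2 && olen == 4)
            s->mss = (unsigned)(opts[i + 2] << 8 | opts[i + 3]);
        i += olen;
    }
}

/* 1 when the SYN carries nothing but MSS 1460, the signature nmap.h now
 * names; real stacks almost always add SACK, timestamps or window scale. */
int looks_like_nmap_syn_probe(const uint8_t *opts, size_t len)
{
    struct tcp_opt_summary s;
    parse_tcp_options(opts, len, &s);
    return !s.malformed && s.n_opts == 1 && s.mss == 1460;
}
```

Feed looks_like_nmap_syn_probe() the option bytes of each inbound SYN; a hit is a weak signal on its own, which is why the blog post pairs it with port order and window size.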
Current thread:
- Re: [nmap-svn] r34903 - nmap Daniel Miller (Jul 13)
- IDS evasion through --tcp-options (Was: Re: [nmap-svn] r34903 - nmap) Jacek Wielemborek (Jul 14)