Nmap Announce mailing list archives

[PATCH] improvements and a new(?) type of scan


From: Phil <biondi () cartel-securite fr>
Date: Tue, 2 Apr 2002 16:54:49 +0200 (CEST)

Hi all!

Today I've implemented a new type of scan and some improvements it needs,
which could be used elsewhere. I attached a patch against nmap-2.54BETA32.

* The ability to add comments to the scanned ports.
  The 4 final port categories (open, closed, filtered, unfiltered)
  are fine for statistics, but it can be useful to know whether a port
  is considered filtered because of a timeout or because we
  got an ICMP dest unreachable.

This gives the possibility of outputs like:
Port       State       Service
22/tcp     filtered    ssh
23/tcp     filtered    telnet                   Blocked (ICMP port-unreachable)
24/tcp     filtered    priv-mail                Blocked (ICMP port-unreachable)
25/tcp     filtered    smtp                     Blocked (ICMP port-unreachable)

(note that there is always the problem of ICMP rate limiting:
port 22 is blocked, too)

* A magic IPID number:
  At the beginning, nmap chooses a random magic number. Each time a TCP
  or UDP packet is sent, the IPID is initialised with the destination port
  number xor-ed with the magic number.
  Now we're able to find the probable scanned port related to an ICMP reply,
  even if the TCP citation has been mangled (see later for an application).
  For TCP, the probability can reach 100% because we can then compare the
  sequence number of the citation (which we assume is not mangled) with the
  one we know we sent.

  One problem is that a victim can easily regroup scan sessions because
  dport ^ ipid = constant.

* A new(?) type of scan:
  Well, I've never seen any references to this technique, nor have I heard
  anybody speak about it, so I imagine I have the privilege of giving it
  a name. I've chosen "TTL scan". (Please correct me if I'm wrong.)

  This consists of sending packets as in a normal scan, but with a TTL
  small enough to reach only the gateway we want to firewalk.

  If this gateway sends ICMP time exceeded, it usually does so only for
  packets that could have gone through. Otherwise it drops the packet or
  sends an ICMP dest unreach.

Here is an example of what we can get (I need 20 hops to reach google):

./nmap -sS www.google.com  -t 19

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on www.google.com (216.239.51.101):
(The 1552 ports scanned but not shown below are in state: filtered)
Port       State       Service
80/tcp     UNfiltered  http
443/tcp    UNfiltered  https


Nmap run completed -- 1 IP address (1 host up) scanned in 256 seconds


  This also works well when a machine does DNAT. The ports that are really
  open on this machine are shown as open, and the ports that are
  forwarded (DNATed) are shown as UNfiltered.
  Another interesting thing that I noticed for DNAT is that, at least for
  Linux routers, the TTL is decremented after the TCP header is mangled, but
  the ICMP time exceeded citation is not demangled. That means that there
  is an info leak about the final destination!
  That's why the magic ID is needed to find which port was scanned to
  get this ICMP.

We can get these kinds of results:

./nmap -sS  mymachine -p 22,23,666,667 -t 9

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on AMontsouris-103-1-1-86.abo.wanadoo.fr (193.252.8.86):
Port       State       Service
22/tcp     open        ssh
23/tcp     filtered    telnet
666/tcp    UNfiltered  unknown                  DNAT to 192.168.8.10:22
667/tcp    UNfiltered  unknown                  DNAT to 192.168.26.10:22


Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Well, this is an early patch. I had never looked at the nmap sources before
today. I tested it only on Linux. I may have broken some of the semantics:
if you don't use -t, nmap will work as usual, but I don't know the exact
result if you use it with -sU. I know it works quite well with -sS and -sA.

Please give me feedback.

PS: Fyodor, I wanted to break it into 3 functional patches, but, well,
    I'll only do it if you ask me to :)


-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

Attachment: ttlscan.diff
Description:
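The bookkeeping the post describes (the magic IPID, recovering the scanned port from an ICMP error whose TCP citation was rewritten by DNAT, the sequence-number confirmation, and the per-port state comments) is shown below as an added example. It is not the attached patch and not nmap code: the Probe/Reply structures, the function names, the fixed magic 0xBEEF and the sample replies are all assumptions constructed here to mirror the outcomes in the post (SYN/ACK, no reply, ICMP port-unreachable, ICMP time exceeded with a mangled citation), and nothing is put on the wire. It also includes the victim-side regrouping the post warns about, since dport ^ ipid is constant within one scan session.

```python
"""TTL scan bookkeeping: magic IPID, citation matching and per-port comments.

Added example, not code from the original post or its patch. The names below,
the Reply field layout and the sample replies are assumptions constructed here
to mirror the outcomes the post describes; nothing is sent on the wire.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    dport: int  # TCP destination port we probed
    ipid: int   # IP identification we sent: dport ^ magic (16-bit)
    seq: int    # TCP sequence number we sent (random 32-bit)


@dataclass
class Reply:
    kind: str                          # "syn-ack", "rst", "time-exceeded", "port-unreach"
    sport: Optional[int] = None        # TCP source port of a SYN/ACK or RST
    ack: Optional[int] = None          # TCP ack of a SYN/ACK or RST (our seq + 1)
    cited_ipid: Optional[int] = None   # IPID quoted inside an ICMP error
    cited_seq: Optional[int] = None    # TCP seq quoted in the error (assumed intact)
    cited_dport: Optional[int] = None  # TCP dport quoted in the error (may be DNAT-mangled)
    cited_dst: Optional[str] = None    # IP dst quoted in the error (may be DNAT-mangled)


def probe_ipid(dport: int, magic: int) -> int:
    """IPID carried by the probe for dport: the port xor-ed with the per-scan magic."""
    return (dport ^ magic) & 0xFFFF


def build_probes(ports: List[int], magic: int, rng: random.Random) -> Dict[int, Probe]:
    return {p: Probe(p, probe_ipid(p, magic), rng.getrandbits(32)) for p in ports}


def match_citation(reply: Reply, probes: Dict[int, Probe], magic: int) -> Optional[Probe]:
    """Recover which probe an ICMP error quotes even if DNAT rewrote the quoted TCP
    header: xor the quoted IPID with the magic to get the port we sent to, then
    confirm with the quoted sequence number (guards against an IPID collision)."""
    if reply.cited_ipid is None:
        return None
    probe = probes.get((reply.cited_ipid ^ magic) & 0xFFFF)
    if probe is None or reply.cited_seq != probe.seq:
        return None
    return probe


def scan_results(target: str, probes: Dict[int, Probe], replies: List[Reply],
                 magic: int) -> Tuple[Dict[int, Tuple[str, str]], int]:
    """Return {port: (state, comment)} and the count of replies matching no probe.
    A port with no reply stays 'filtered' with an empty comment (timeout)."""
    results = {p: ("filtered", "") for p in probes}
    unmatched = 0
    for r in replies:
        if r.kind in ("syn-ack", "rst"):  # answered by the end host itself
            probe = probes.get(r.sport)
            if probe is None or r.ack != (probe.seq + 1) & 0xFFFFFFFF:
                unmatched += 1
                continue
            results[probe.dport] = ("open" if r.kind == "syn-ack" else "closed", "")
            continue
        probe = match_citation(r, probes, magic)
        if probe is None:
            unmatched += 1
        elif r.kind == "port-unreach":
            results[probe.dport] = ("filtered", "Blocked (ICMP port-unreachable)")
        else:  # time-exceeded: the gateway forwarded the probe, so not filtered there
            comment = ""
            if r.cited_dst != target or r.cited_dport != probe.dport:
                comment = f"DNAT to {r.cited_dst}:{r.cited_dport}"  # leaked by the citation
            results[probe.dport] = ("UNfiltered", comment)
    return results, unmatched


def regroup_sessions(observed: List[Tuple[int, int]]) -> Dict[int, List[int]]:
    """The target's view: dport ^ ipid is constant within one session, so probes
    can be clustered back into sessions (the weakness the post points out)."""
    groups: Dict[int, List[int]] = {}
    for dport, ipid in observed:
        groups.setdefault((dport ^ ipid) & 0xFFFF, []).append(dport)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample scan; the fixed magic and seed keep it reproducible.
MAGIC, TARGET = 0xBEEF, "193.252.8.86"
PROBES = build_probes([22, 23, 25, 666, 667], MAGIC, random.Random(1))
REPLIES = [
    Reply("syn-ack", sport=22, ack=(PROBES[22].seq + 1) & 0xFFFFFFFF),
    Reply("port-unreach", cited_ipid=PROBES[25].ipid, cited_seq=PROBES[25].seq,
          cited_dport=25, cited_dst=TARGET),
    Reply("time-exceeded", cited_ipid=PROBES[666].ipid, cited_seq=PROBES[666].seq,
          cited_dport=22, cited_dst="192.168.8.10"),
    Reply("time-exceeded", cited_ipid=PROBES[667].ipid, cited_seq=PROBES[667].seq,
          cited_dport=22, cited_dst="192.168.26.10"),
    Reply("time-exceeded", cited_ipid=PROBES[23].ipid, cited_seq=PROBES[23].seq ^ 1,
          cited_dport=23, cited_dst=TARGET),  # stray error: right IPID, wrong seq
]
RESULTS, UNMATCHED = scan_results(TARGET, PROBES, REPLIES, MAGIC)

if __name__ == "__main__":
    for port, (state, comment) in sorted(RESULTS.items()):
        print(f"{port}/tcp".ljust(11) + state.ljust(12) + comment)
    print("unmatched:", UNMATCHED, "| victim-side regrouping:",
          regroup_sessions([(p.dport, p.ipid) for p in PROBES.values()]))
```

Running it prints a table in the shape of the ones in the post (22 open, 23 filtered by timeout, 25 blocked by ICMP port-unreachable, 666 and 667 UNfiltered with the leaked DNAT destination). The stray time-exceeded reply carries the right IPID but a wrong sequence number and is dropped rather than attributed to port 23, which is the 100% case the post mentions for TCP; for UDP, where there is no sequence number to check, the IPID match alone would have to be trusted.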

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
