Nmap Development mailing list archives
Re: broken CRC
From: doug () hcsw org
Date: Sat, 10 Dec 2005 22:28:30 -0800
Hi Ed3f,

I remember reading your paper and enjoying it. It's a very clever technique. I read in their changelog that time OpenBSD's pf addressed the issue a couple releases ago but haven't heard anything about other systems. Have any other firewalls done anything about it?

One potential problem with adding a global CRC option is that nmap doesn't use raw sockets everywhere. For instance, FTP bounce scans, anything that uses nsock (version detection, for example), etc. It might not always be obvious what you can expect to use broken CRC or not.

I think it's a really cool concept though and I'd love nmap to be able to make use of it. I think another TCP scan type alongside -sA (ACK scan - also useful for firewall mapping) would be nice. I'm not sure if it should be a goal for 4.00 or not - we're almost running out of version numbers. :)

Doug Hoyte
(working on DNS performance right now)

On Sun, Dec 11, 2005 at 02:44:22AM +0100 or thereabouts, Ed3f wrote:

> Near the end of 2002 I wrote something for Phrack* and discussed with Fyodor if those features could be included in nmap. That was not the right time, but things have changed, and recently Fyodor suggested that I post on this list to get ideas, and plan how to implement the broken CRC stuff.
>
> * http://www.phrack.org/phrack/60/p60-0x0c.txt
>
> There are a lot of ways and places to play with broken checksums, so I'm writing a couple of ideas...
>
> 1) BadTCP scan
> 2) BadUDP scan
> 3) add a TCP/UDP/ICMP/IP CRC test on OS detection engine
> 4) add a global CRC option that tells nmap to always use invalid CRC; useful for host discovery, idle scan, spotting firewalls, and so on...
>
> Some black boxes out there keep accepting broken CRC streams, or even better forward them via another TCP connection (proxy!), so we could be able to use nmap's version detection sending only invalid packets. Wunderbar!
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
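The whole thread turns on one fact: a middlebox that forwards or answers a TCP segment without checking its checksum is distinguishable from an end host that silently discards it. The check itself is cheap, and it is what pf was changed to do. The following is an added example (not nmap's, pf's, or Ed3f's code) of how a filter or sensor validates IPv4 and TCP checksums on an incoming packet, with a constructed SYN packet used as the sample input; the function and packet names are hypothetical, and the addresses come from the 192.0.2.0/24 documentation range.

```python
import struct

# Internet checksum primitives (RFC 1071): 16-bit one's-complement sum with
# end-around carry, then the one's complement of that sum.
def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:                      # odd length: pad with a zero byte
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def tcp_pseudo_header(src: bytes, dst: bytes, seg_len: int) -> bytes:
    # zero byte, protocol 6 (TCP), TCP length
    return src + dst + struct.pack("!BBH", 0, 6, seg_len)

def ipv4_header_checksum_ok(ip_hdr: bytes) -> bool:
    # Summing the header *including* its checksum field yields 0xFFFF when valid.
    return ones_complement_sum(ip_hdr) == 0xFFFF

def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]        # ignore any link-layer padding
    pseudo = tcp_pseudo_header(packet[12:16], packet[16:20], len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF

def classify(packet: bytes) -> str:
    """Decision a strict filter should make before forwarding or replying."""
    ihl = (packet[0] & 0x0F) * 4
    if not ipv4_header_checksum_ok(packet[:ihl]):
        return "drop: bad IP header checksum"
    if packet[9] == 6 and not tcp_checksum_ok(packet):
        return "drop: bad TCP checksum"
    return "pass"

# --- constructed sample input (hypothetical SYN, not a capture) ---------------
def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   seq: int, flags: int = 0x02, payload: bytes = b"") -> bytes:
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP header: ports, seq, ack, data offset 5 words, flags, window, csum 0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    tcp_csum = checksum(tcp_pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def flip_tcp_checksum_bit(packet: bytes) -> bytes:
    """Corrupt one bit of the TCP checksum field (offset 16 in the TCP header)."""
    ihl = (packet[0] & 0x0F) * 4
    pos = ihl + 16
    return packet[:pos] + bytes([packet[pos] ^ 0x01]) + packet[pos + 1:]

def flip_ip_checksum_bit(packet: bytes) -> bytes:
    """Corrupt one bit of the IPv4 header checksum (offset 10)."""
    return packet[:10] + bytes([packet[10] ^ 0x01]) + packet[11:]

if __name__ == "__main__":
    good = build_ipv4_tcp("192.0.2.1", "192.0.2.2", 40000, 80, 1, payload=b"abc")
    for name, pkt in [("good", good),
                      ("bad-tcp", flip_tcp_checksum_bit(good)),
                      ("bad-ip", flip_ip_checksum_bit(good))]:
        print(f"{name:8s} -> {classify(pkt)}")
```

The verification trick is that summing a block together with its own checksum field gives all ones, so no separate recomputation with the field zeroed is needed. The odd-length payload (`b"abc"`) exercises the padding path, and slicing the segment to the IP total length keeps Ethernet trailer padding out of the sum, which is a common source of false "bad checksum" verdicts in naive implementations.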