Nmap Development mailing list archives

Re: broken CRC


From: doug () hcsw org
Date: Sat, 10 Dec 2005 22:28:30 -0800

Hi Ed3f,

I remember reading your paper and enjoying it. It's a very clever technique.

I read in their changelog at the time that OpenBSD's pf addressed the issue a
couple of releases ago, but I haven't heard anything about other systems. Have
any other firewalls done anything about it?

One potential problem with adding a global CRC option is that nmap doesn't use raw
sockets everywhere. For instance, FTP bounce scans, anything that uses
nsock (version detection, for example), etc. It might not always be obvious
which features you can expect to use a broken CRC and which not.

I think it's a really cool concept though and I'd love nmap to be able to
make use of it. I think another TCP scan type alongside -sA (ACK scan -
also useful for firewall mapping) would be nice.

I'm not sure if it should be a goal for 4.00 or not - we're almost
running out of version numbers. :)

Doug Hoyte
(working on DNS performance right now)


On Sun, Dec 11, 2005 at 02:44:22AM +0100 or thereabouts, Ed3f wrote:

Near the end of 2002 I wrote something for Phrack* and discussed with Fyodor 
whether those features could be included in nmap. That was not the right time, but 
things have changed, and recently Fyodor suggested that I post on this list to 
get ideas and plan how to implement the broken CRC stuff.

* http://www.phrack.org/phrack/60/p60-0x0c.txt


There are a lot of ways and places to play with broken checksums, so I'm 
writing down a couple of ideas...

1) BadTCP scan
2) BadUDP scan
3) add a TCP/UDP/ICMP/IP CRC test on OS detection engine
4) add a global CRC option that tells nmap to always use invalid CRC;
useful for host discovery, idle scan, spotting firewalls, and so on...


Some black boxes out there keep accepting broken CRC streams, or even better 
forward them via another TCP connection (proxy!), so we could use 
nmap's version detection while sending only invalid packets. Wunderbar!



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


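For readers who want to see what "broken CRC" means on the wire, here is an added example (not code from this thread, nor from nmap or from Ed3f's paper) in Python. It builds a minimal TCP SYN twice, once with the correct checksum and once with the checksum deliberately corrupted, and implements the check a receiving TCP stack performs so you can see which of the two it would drop. The addresses and ports are constructed, no packet is sent, and the interpret() helper is a hypothetical reading of the two-probe idea from the message above, not nmap's own logic.

```python
import struct
import ipaddress

# Constructed endpoints for the example; nothing is transmitted.
SRC, DST = "10.0.0.1", "10.0.0.2"
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words.
    A trailing odd byte is zero-padded; carries are folded back in."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum: src, dst, zero, proto, TCP length."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Value to store in the header; `segment` must carry 0 in its checksum field."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side test: the sum over pseudo-header plus the whole segment,
    checksum field included, must come out as 0xFFFF. A stack that runs this
    check discards a failing segment silently; a box that skips it may answer."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_syn(src, dst, sport, dport, seq=0, bad_checksum=False) -> bytes:
    """20-byte TCP SYN header with a correct checksum by default. With
    bad_checksum=True the field is off by one, which always fails the
    receiver's test above (the 'broken CRC' probe)."""
    hdr = struct.pack("!HHIIBBHHH",
                      sport, dport, seq, 0,
                      5 << 4,    # data offset: 5 words, no options
                      0x02,      # flags: SYN
                      65535,     # window
                      0,         # checksum placeholder
                      0)         # urgent pointer
    csum = tcp_checksum(src, dst, hdr)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def interpret(answered_good: bool, answered_bad: bool) -> str:
    """Hypothetical reading of one port probed with a good and a bad SYN
    (follows the firewall-spotting idea in the thread, not nmap code)."""
    if answered_bad:
        return "answer came from a device that does not verify TCP checksums"
    if answered_good:
        return "answer came from something that verifies checksums (end host, or a firewall that checks them)"
    return "no answer to either probe: filtered or host down"


if __name__ == "__main__":
    good = build_syn(SRC, DST, 40000, 80)
    bad = build_syn(SRC, DST, 40000, 80, bad_checksum=True)
    print("good SYN accepted by a checking stack:", tcp_checksum_ok(SRC, DST, good))
    print("bad  SYN accepted by a checking stack:", tcp_checksum_ok(SRC, DST, bad))
    print(interpret(answered_good=True, answered_bad=True))
```

The two headers differ only in the two checksum bytes, so any reply to the bad one cannot have come from a stack that ran the check; that is the whole signal the BadTCP scan would look for. Wrapping this in an IP header and sending it needs a raw socket, which is exactly the constraint Doug raises about nsock-based features.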
