Nmap Development mailing list archives

[PATCHed] Send valid IP-in-IP header when using -sO


From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 26 Jan 2007 22:43:49 -0600

The attached patch (nmap SVN r4403) sends valid IPIP (IP-in-IP
encapsulation) headers when using -sO. Here's the SVN log:

------------------------------------------------------------------------
r4403 | kris | 2007-01-26 22:36:24 -0600 (Fri, 26 Jan 2007) | 1 line

Start sending a valid encapsulated header with IP-in-IP with -sO. Hosts
respond more when a valid header is sent. I kept getting open|filtered
for this, and now I get open. It's a lot like my IGMP patch from r4361
------------------------------------------------------------------------

I've tested it, and it seems to work great. If anybody else can test it
as well, that'd be awesome.

Thanks,
Kris Katterjohn
Index: CHANGELOG
===================================================================
--- CHANGELOG   (revision 4402)
+++ CHANGELOG   (revision 4403)
@@ -31,9 +31,10 @@
 
 o Applied a bunch of code cleanup patches from Kris Katterjohn.
 
-o Changed the IP protocol scan so that it sends actual IGMP headers when
-  scanning protocol number 2.  This makes it much more likely that the host
-  will respond, proving that it's "open".  [Kris]
+o Changed the IP protocol scan so that it sends actual IGMP and IPIP
+  (IP-in-IP encapsulation) headers when scanning protocol numbers 2
+  and 4, respectively.  This makes it much more likely that the host
+  will respond, proving that they're "open".  [Kris]
 
 o Fixed UDP scan so that it doesn't find it's own port when scanning
   localhost.  This was thought to be fixed in 4.10.  This also prevents a
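Review bot: the rewritten last sentence of this CHANGELOG entry pairs a singular subject with a plural pronoun ("the host will respond, proving that they're "open""). Since what the response proves open is the scanned protocol rather than the host, suggest "proving that the protocol is "open"" or keep the original "proving that it's "open"".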
Index: scan_engine.cc
===================================================================
--- scan_engine.cc      (revision 4402)
+++ scan_engine.cc      (revision 4403)
@@ -2203,6 +2203,23 @@
                               &packetlen);
 
        break;
+      case IPPROTO_IPIP:
+       /* This is our inner IP header, followed by data */
+       packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
+                             IPPROTO_TCP, /* fake it */
+                             o.ttl, ipid, IP_TOS_DEFAULT, false,
+                             o.ipoptions, o.ipoptionslen,
+                             o.extra_payload, o.extra_payload_length, 
+                             &packetlen);
+
+       /* This is our outer IP header, followed by the inner header above */
+       packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
+                             pspec->proto,
+                             o.ttl, ipid, IP_TOS_DEFAULT, false,
+                             o.ipoptions, o.ipoptionslen,
+                             (char *) packet, packetlen,
+                             &packetlen);
+       break;
       default:
        packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
                              pspec->proto,
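Review bot: the inner packet returned by the first build_ip_raw() call in the new IPPROTO_IPIP case is passed as the data argument of the second call and then overwritten by that call's return value, so it is never freed. The default case below passes o.extra_payload, which persists across probes, as the same argument, so build_ip_raw() evidently does not take ownership of its data buffer; that makes this one leaked allocation per IP-in-IP probe. Suggest keeping the inner packet in its own pointer (e.g. `inner = build_ip_raw(...)`), passing `(char *) inner, innerlen` to the outer call, and calling free(inner) once the outer packet has been built. A comment would also help future readers: the inner header advertises IPPROTO_TCP ("fake it") but nothing but o.extra_payload follows it, and it reuses o.ipoptions, the same ipid and the same o.ttl as the outer header, so the encapsulated datagram is a bare header rather than a TCP segment.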

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
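For readers who want to see what the patched -sO probe looks like on the wire, here is an added example in C; it is my own illustration, not code from nmap or from Kris's patch. It builds an outer IPv4 header with protocol number 4 that carries a complete, checksummed inner IPv4 header, then parses the result back the way a decapsulating host would have to before it could respond. As in the patch, the inner header claims protocol 6 (TCP) with nothing but the optional extra payload behind it. The addresses, TTL and IP ID in main() are assumptions chosen for the constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_IPIP 4   /* IP-in-IP encapsulation, the protocol -sO probes here */
#define PROTO_TCP  6   /* inner protocol number the patch "fakes" */

/* RFC 1071 one's-complement checksum. Over a header whose checksum field
 * is already correct it returns 0, which is how we verify below. */
static uint16_t ip_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1)
        sum += (uint32_t)(buf[len - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Write a 20-byte IPv4 header (no options) into out, checksum included. */
static void put_ipv4_hdr(uint8_t *out, uint32_t src, uint32_t dst, uint8_t proto,
                         uint8_t ttl, uint16_t id, size_t total_len)
{
    uint16_t csum;
    memset(out, 0, 20);
    out[0] = 0x45;                        /* version 4, IHL 5 (20 bytes) */
    out[2] = (uint8_t)(total_len >> 8);   /* total length incl. this header */
    out[3] = (uint8_t)total_len;
    out[4] = (uint8_t)(id >> 8);
    out[5] = (uint8_t)id;
    out[8] = ttl;
    out[9] = proto;
    put_be32(out + 12, src);
    put_be32(out + 16, dst);
    csum = ip_checksum(out, 20);
    out[10] = (uint8_t)(csum >> 8);
    out[11] = (uint8_t)csum;
}

/* Outer IPv4 header (protocol 4) + inner IPv4 header (protocol 6, with no
 * TCP header behind it, mirroring the patch) + optional payload.
 * Returns the total length written, or 0 if buf cannot hold it. */
size_t build_ipip_probe(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst,
                        uint8_t ttl, uint16_t id,
                        const uint8_t *payload, size_t plen)
{
    size_t inner_len = 20 + plen;
    size_t total = 20 + inner_len;
    if (cap < total || total > 0xffff)
        return 0;
    put_ipv4_hdr(buf + 20, src, dst, PROTO_TCP, ttl, id, inner_len);
    if (plen)
        memcpy(buf + 40, payload, plen);
    put_ipv4_hdr(buf, src, dst, PROTO_IPIP, ttl, id, total);
    return total;
}

/* Check a probe as a decapsulating host would: outer header is v4/IHL 5/
 * protocol 4 with a good checksum and a length matching the buffer, and a
 * complete inner v4 header with a good checksum, a consistent length and
 * the expected protocol number follows it. Returns 1 if so, else 0. */
int check_ipip_probe(const uint8_t *buf, size_t len, uint8_t expect_inner_proto)
{
    const uint8_t *in;
    if (len < 40 || buf[0] != 0x45 || buf[9] != PROTO_IPIP ||
        ip_checksum(buf, 20) != 0 || (size_t)((buf[2] << 8) | buf[3]) != len)
        return 0;
    in = buf + 20;
    if (in[0] != 0x45 || in[9] != expect_inner_proto || ip_checksum(in, 20) != 0)
        return 0;
    return (size_t)((in[2] << 8) | in[3]) == len - 20;
}

int main(void)
{
    /* Constructed sample: 10.0.0.1 -> 10.0.0.2, TTL 64, IP ID 0x1234, no payload. */
    uint8_t pkt[64];
    size_t i, n = build_ipip_probe(pkt, sizeof pkt, 0x0a000001u, 0x0a000002u,
                                   64, 0x1234, NULL, 0);
    for (i = 0; i < n; i++)
        printf("%02x%s", pkt[i], (i % 20 == 19 || i + 1 == n) ? "\n" : " ");
    printf("valid IP-in-IP probe: %s\n",
           check_ipip_probe(pkt, n, PROTO_TCP) ? "yes" : "no");
    return 0;
}
```

The contrast with the pre-patch probe is what matters: a 20-byte outer header with protocol 4 and nothing behind it fails check_ipip_probe() because there is no inner header to decapsulate, which is the shape of packet that tended to draw no reply.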
