Nmap Development mailing list archives

Re: Idlescanning when a zombie increases IPID by 2 - patch


From: Fyodor <fyodor () insecure org>
Date: Tue, 21 Aug 2007 02:23:44 -0700

On Mon, Jul 16, 2007 at 02:37:36PM +0100, Jirka Vejrazka wrote:

> Lately, my friends and myself found a significant number of network
> devices that increase IPID by 2 for every packet.

Hi Jirka.  What sort of devices are these?  It would be very
interesting if you could do some -iR scanning or other sort of
sampling to determine what percentage of machines fall into this
class.

> I modified NMAP 4.20 (stable) to support these zombies correctly,
> diff attached. Unfortunately, I'm not a C programmer (in fact, I'm not
> a programmer at all) so this code is likely to have bugs as it was a
> quick-n-dirty solution I've created quickly after seeing NMAP's code
> for the first time. I can especially see problems around OS detection
> when this modification is applied - I did not pay any attention to
> this area. I only tested the idlescanning and it was working fine.

> Anyway, sharing the diff just in case somebody finds it useful and
> can use it to produce a production-quality patch :)

Hm ... you don't show a lot of confidence in your patch here :).  I
like that it is short, but I'm concerned about false positives.  This
patch appears to count any machine as an IPID_SEQ_INCR_DOUBLE if any
of the increments are 2.  But even a normal IPID_SEQ_INCR will look
like that if any single packet is sent by the machine between our
probes.  So I think it should probably test all of probes increments
to make sure they are all factors of 2.  Also, this patch looks like
it only handles 1st generation OS detection, whereas we would need a
patch which handles 2nd generation too.

If you can send an updated patch against Nmap 4.22SOC5, and test it
thoroughly such that you have more confidence that it won't cause
problems, please do!

And in any case, thanks for the contribution.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
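The false-positive concern raised in the reply, as an added worked example (this is neither Nmap's idle-scan code nor the patch from the thread): a zombie's IPIDs sampled across consecutive probes are classified two ways, the loose "any increment of 2" rule the reply attributes to the patch and the stricter "every increment is a multiple of 2" rule the reply suggests. The names IPID_SEQ_INCR and IPID_SEQ_INCR_DOUBLE come from the thread; the other class names, the MAX_IDLE_GAP bound, the classify_* functions and the sample sequences are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence classes. IPID_SEQ_INCR and IPID_SEQ_INCR_DOUBLE are named in
 * the thread; the rest are assumed here for the example only. */
enum ipid_class {
    IPID_SEQ_UNKNOWN,
    IPID_SEQ_ZERO,
    IPID_SEQ_INCR,
    IPID_SEQ_INCR_DOUBLE,
    IPID_SEQ_RANDOM
};

/* Assumed bound: a jump larger than this between two probes means the
 * host is not usable as a sequential zombie. */
#define MAX_IDLE_GAP 1000

/* Constructed IPID samples, six probes each. "busy" sequences contain
 * one stray packet the zombie sent between two of our probes. */
#define NPROBES 6
static const uint16_t idle_by1[NPROBES]  = {100, 101, 102, 103, 104, 105};
static const uint16_t busy_by1[NPROBES]  = {100, 101, 103, 104, 105, 106};
static const uint16_t idle_by2[NPROBES]  = {100, 102, 104, 106, 108, 110};
static const uint16_t busy_by2[NPROBES]  = {100, 102, 106, 108, 110, 112};
static const uint16_t wrap_by2[NPROBES]  = {65534, 0, 2, 4, 6, 8};
static const uint16_t randomid[NPROBES]  = {4120, 99, 30000, 7, 65000, 1234};
static const uint16_t all_zero[NPROBES]  = {0, 0, 0, 0, 0, 0};

/* Difference between consecutive IPIDs, wrapping at 16 bits so that a
 * zombie crossing 65535 -> 0 still looks sequential. */
static unsigned ipid_delta(uint16_t prev, uint16_t cur)
{
    return (uint16_t)(cur - prev);
}

/* Pre-checks shared by both rules. Returns nonzero and sets *out when
 * the sequence is decided before parity matters. */
static int prescan(const uint16_t *ids, size_t n, enum ipid_class *out)
{
    size_t i;
    int zero = 1;

    if (n < 2) { *out = IPID_SEQ_UNKNOWN; return 1; }
    for (i = 1; i < n; i++) {
        unsigned d = ipid_delta(ids[i - 1], ids[i]);
        if (d != 0) zero = 0;
        if (d > MAX_IDLE_GAP) { *out = IPID_SEQ_RANDOM; return 1; }
    }
    if (zero) { *out = IPID_SEQ_ZERO; return 1; }
    return 0;
}

/* Loose rule described in the reply: one increment of exactly 2 is
 * enough to call the zombie increment-by-2. */
enum ipid_class classify_any_two(const uint16_t *ids, size_t n)
{
    enum ipid_class c;
    size_t i;
    if (prescan(ids, n, &c)) return c;
    for (i = 1; i < n; i++)
        if (ipid_delta(ids[i - 1], ids[i]) == 2)
            return IPID_SEQ_INCR_DOUBLE;
    return IPID_SEQ_INCR;
}

/* Strict rule suggested in the reply: every increment must be even, so
 * a stray packet on an increment-by-1 host (delta 2 once) no longer
 * flips the class, while a stray packet on an increment-by-2 host
 * (delta 4 once) keeps it. */
enum ipid_class classify_all_even(const uint16_t *ids, size_t n)
{
    enum ipid_class c;
    size_t i;
    if (prescan(ids, n, &c)) return c;
    for (i = 1; i < n; i++)
        if (ipid_delta(ids[i - 1], ids[i]) % 2 != 0)
            return IPID_SEQ_INCR;
    return IPID_SEQ_INCR_DOUBLE;
}

static const char *class_name(enum ipid_class c)
{
    static const char *names[] = {"UNKNOWN", "ZERO", "INCR", "INCR_DOUBLE", "RANDOM"};
    return names[c];
}

int main(void)
{
    const uint16_t *sets[] = {idle_by1, busy_by1, idle_by2, busy_by2, wrap_by2, randomid, all_zero};
    const char *labels[]   = {"idle_by1", "busy_by1", "idle_by2", "busy_by2", "wrap_by2", "random", "zero"};
    size_t i;
    for (i = 0; i < sizeof sets / sizeof sets[0]; i++)
        printf("%-9s any_two=%-12s all_even=%s\n", labels[i],
               class_name(classify_any_two(sets[i], NPROBES)),
               class_name(classify_all_even(sets[i], NPROBES)));
    return 0;
}
```

The busy_by1 row is the false positive from the reply: one stray packet between probes yields a single delta of 2, which the loose rule reports as INCR_DOUBLE while the strict rule still reports INCR. The strict rule is not immune either: an increment-by-1 host that happens to send one packet between every pair of probes produces all-even deltas and is misclassified too, so in practice the sample should be long enough that this is unlikely.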

