Nmap Development mailing list archives

GSoC RFC: Raw IPv6 Scans


From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 18 Mar 2008 23:14:02 -0500

Hey everyone,

I've been digging into sending raw IPv6 packets to implement the various
Nmap raw scans (UDP, TCP SYN, FIN, ACK, etc.) as I think this will make
a good SoC project.  However..

According to UNIX Network Programming, Vol. 1, 2nd ed. and RFC 3542
(Advanced Sockets [API] for IPv6), we're unable to read or write
complete IPv6 packets (as opposed to using the IP_HDRINCL options for
IPv4).  Also, IPPROTO_RAW has no special meaning in IPv6, so the old
Nmap 2.54 patch for raw IPv6 scans [1] won't work (..or it shouldn't
work, but some systems probably implement IPPROTO_RAW for IPv6 as well).

Reading full IPv6 packets should be no problem as pcap should take care
of that, but I haven't resolved sending.

Here are options I see:

- Build the full IPv6 packets as we wish, but send using libdnet.  I
  think this will limit everything to Ethernet.

- Build raw TCP/UDP packets, but let the kernel handle the IPv6 header.
  This is the same as using raw IPv4 but without using the IP_HDRINCL
  option.  This will be portable across network hardware, but won't allow
  for complete control over the IPv6 header (i.e. spoofing).  We're
  supposed to be able to use ancillary data and socket options to set
  different header fields, but this seems to mean we can't have similar
  build_* functions like in tcpip.cc which return whole packets (since the
  header information is kept in the kernel and is manipulated on a socket).

I guess I'm seeing why IPv6 raw scans haven't been implemented before :)

I've written a test program for building raw TCP packets and sending
with socket(AF_INET6, SOCK_RAW, IPPROTO_TCP) over an IPv6 tunnel I've set
up, and it's been working great (I receive SYN/ACKs in response to my
SYNs and the kernel sends a RST back).  But again, I can't really
control the IPv6 header.

Any comments on which direction to go, or (especially) any ideas on a
better way to go about this, will be appreciated!

Thanks,
Kris Katterjohn

[1] http://nmap6.sourceforge.net/

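The second option Kris describes (let the kernel build the IPv6 header and send the TCP segment through socket(AF_INET6, SOCK_RAW, IPPROTO_TCP)), worked through as an added example; this is neither Kris's test program nor Nmap code. Since there is no IP_HDRINCL for IPv6, the one thing we still own is the TCP header itself, including its checksum, which has to be computed over the RFC 2460 pseudo-header (source and destination addresses, upper-layer length, next header) rather than left for the kernel. The struct names, the TH_SYN constant, the source port 40000 and the initial sequence number are choices made up for the example; the source address is pinned with bind() so that the address the kernel writes into the header is the one that went into the checksum.

```c
/* Added example, not from the post or from Nmap: raw IPv6 TCP SYN with the
 * kernel supplying the IPv6 header and us supplying the checksummed TCP header. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TH_SYN 0x02   /* assumed constant for the example; same value as the BSD one */

/* TCP header as it goes on the wire (20 bytes, no options).  Defined locally
 * because BSD and Linux name the fields of struct tcphdr differently. */
struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  doff_rsvd;   /* data offset in 32-bit words, high nibble */
    uint8_t  flags;
    uint16_t win, sum, urp;
};

/* RFC 2460 section 8.1 pseudo-header (40 bytes, no padding). */
struct ipv6_pseudo {
    struct in6_addr src, dst;
    uint32_t len;         /* upper-layer length, network order */
    uint8_t  zero[3];
    uint8_t  nxt;         /* next header: 6 for TCP */
};

/* Accumulate big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold the carries and complement: the Internet checksum, in host order. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* TCP checksum over pseudo-header + segment; store the result with htons(). */
uint16_t tcp6_checksum(const struct in6_addr *src, const struct in6_addr *dst,
                       const uint8_t *seg, size_t len)
{
    struct ipv6_pseudo ph;
    memset(&ph, 0, sizeof ph);
    ph.src = *src;
    ph.dst = *dst;
    ph.len = htonl((uint32_t)len);
    ph.nxt = IPPROTO_TCP;
    return fold(sum16(seg, len, sum16((const uint8_t *)&ph, sizeof ph, 0)));
}

/* With a correct checksum in place the words sum to 0xffff, which folds to 0. */
int tcp6_checksum_ok(const struct in6_addr *src, const struct in6_addr *dst,
                     const uint8_t *seg, size_t len)
{
    return tcp6_checksum(src, dst, seg, len) == 0;
}

/* Fill in a bare SYN plus checksum; returns the segment length. */
size_t build_tcp_syn6(const struct in6_addr *src, const struct in6_addr *dst,
                      uint16_t sport, uint16_t dport, uint32_t seq,
                      struct tcp_hdr *th)
{
    memset(th, 0, sizeof *th);            /* sum must be 0 while we compute it */
    th->sport = htons(sport);
    th->dport = htons(dport);
    th->seq = htonl(seq);
    th->doff_rsvd = (uint8_t)((sizeof *th / 4) << 4);
    th->flags = TH_SYN;
    th->win = htons(1024);
    th->sum = htons(tcp6_checksum(src, dst, (const uint8_t *)th, sizeof *th));
    return sizeof *th;
}

/* usage: syn6 <source IPv6> <target IPv6> <port>   (needs root / CAP_NET_RAW) */
int main(int argc, char **argv)
{
    struct in6_addr src, dst;
    struct sockaddr_in6 sa;
    struct tcp_hdr th;
    size_t len;
    int fd;

    if (argc != 4 || inet_pton(AF_INET6, argv[1], &src) != 1 ||
        inet_pton(AF_INET6, argv[2], &dst) != 1) {
        fprintf(stderr, "usage: %s <src6> <dst6> <port>\n", argv[0]);
        return 2;
    }
    len = build_tcp_syn6(&src, &dst, 40000, (uint16_t)atoi(argv[3]), 0x12345678u, &th);

    /* IPPROTO_TCP, not IPPROTO_RAW: the kernel prepends the IPv6 header. */
    fd = socket(AF_INET6, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0) { perror("socket"); return 1; }

    /* Pin the source address so the kernel-built header matches the
     * pseudo-header we checksummed (IPV6_PKTINFO ancillary data also works). */
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = src;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { perror("bind"); return 1; }

    sa.sin6_addr = dst;                   /* sin6_port stays 0 on a raw socket */
    if (sendto(fd, &th, len, 0, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("sendto");
        return 1;
    }
    printf("sent %zu-byte SYN to [%s]:%s\n", len, argv[2], argv[3]);
    close(fd);
    return 0;
}
```

Build with `cc -o syn6 syn6.c` and run as root; the SYN/ACK (or RST) comes back on the wire and is read with pcap, exactly as the post says for the receive side. As Kris observed, the local kernel, which knows nothing about this connection, answers the SYN/ACK with a RST; the usual workaround is a host firewall rule that drops outbound RSTs from the chosen source port. What this path cannot do is anything that needs the IPv6 header itself: source spoofing, hop-limit games or extension headers have to go through socket options and ancillary data, or through the libdnet/Ethernet route.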
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
