Nmap Development mailing list archives

Re: Bug regarding IPv6 scanning


From: David Fifield <david () bamsoftware com>
Date: Mon, 17 Nov 2008 11:05:39 -0700

On Wed, Oct 22, 2008 at 09:39:16PM +0200, Andreas Lang wrote:
> After working around, I think I found a bug within port scanning in an IPv6
> network.
> The bug is still in version nmap 4.76 and can be described as follows:
> By using the parameters -6 and -A to scan the ipv6-localhost ::1 as a non
> root user the result is, as expected, the list of all open ports and the
> service behind each. If the same parameters are used as the root user (tested
> on a linux machine with 2.6.24 kernel) then the message is posted that the
> parameters are not supported for IPv6 scanning, and IPv6 is only available
> for connect() scan ... etc.
>
> I think, if the scanning technique with the selected parameters works well
> for non-root users, then the same parameter set must work for the root user.

The reason for that is that -A has a different meaning for root and
non-root users. For non-root it means -sC -sV. For root it means
-sC -sV -O --traceroute. Maybe it's a good idea to have it drop to
-sC -sV for IPv6 scanning too. A patch like this would do it:

===================================================================
--- nmap.cc     (revision 11109)
+++ nmap.cc     (working copy)
@@ -957,7 +957,7 @@
 #ifndef NOLUA
       o.script = 1;
 #endif
-      if (o.isr00t) {
+      if (o.isr00t && o.af() == AF_INET) {
                o.osscan = OS_SCAN_DEFAULT;
                o.traceroute = true;
       }
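Review bot: the added `o.af() == AF_INET` condition is evaluated while -A is being parsed, so it only sees the address family selected by options that came earlier on the command line; as the surrounding text notes, `nmap -6 -A` and `nmap -A -6` would then expand differently. If the change is kept, the OS-detection and traceroute decision should be deferred until after all options are parsed (or -6 documented as required before -A). It would also help to print a short notice when -A is silently reduced to -sC -sV for IPv6, so a root user is not left wondering why -O and --traceroute did not run.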

But that has the unfortunate effect that "nmap -6 -A" will be different
than "nmap -A -6". We already require -6 to come at the beginning of the
command line most of the time anyway.

My inclination is to leave things like they are and not add more special
logic to -A.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

