Nmap Development mailing list archives

Re: Nping development


From: "Raul Siles" <raul.siles () gmail com>
Date: Tue, 6 Jan 2009 13:10:08 +0100

Hi,
Just as a suggestion for future NPing versions (I understand this is
not a design requirement of the initial version), I recommend
developing the tool architecture so that it can be easily extended
through modules in the future with other layer-2 protocols. ARP
ping is the first step, but if this tool becomes the hping-like
reference, as it should be, it would be great to be able to craft
other layer-2 packets, such as STP, CDP, VTP, DTP, 802.1Q, 802.1X,
etc.

Best regards,
--
Raul Siles
www.raulsiles.com



On Mon, Jan 5, 2009 at 4:54 PM, Henri Doreau <henri.doreau () gmail com> wrote:
Hello,


As David advised me to do, here is the list of options I intend to
support for APing2. The goal is to support all the original Hping2
ones plus ARP pings and unprivileged probes (tcp and udp). In a word:
conform to the Nping's requirements published at
http://nmap.org/SoC/Ncat.html.
I didn't keep the hping's --apd-send option.


MISC
 -h  --help                        print out a help screen
 -v  --version                     print out version number
 -c  --count <packets>             number of packets to send
 --max-retries <val>               abort after <val> unreplied probes
 -i  --interval <interval>         idle time between probes
 -e  --interface <interface>       force using this interface
 -v                                increase verbosity level
 -z  --bind                        increase ttl on ctrl+z (default to
destination port)
 -Z  --unbind                      unbind ctrl+z
 -6                                use IPv6

MODE
 default mode                      TCP
 -P0                               RAW IP mode
 -PI                               ICMP mode
 -PU                               UDP mode
 -PA                               ARP mode
 --listen <sign>                   listening mode
 --unprivilegied                   assume the user is not privileged
(only with TCP and UDP modes)

ETHERNET
 --spoof-mac <mac address>         spoof MAC address
 --dest-mac <mac address>          set destination MAC address
 --eth-type <val>                  set ethernet type

ARP
 --hardware-type <val>             set hardware type
 --protocol-type <val>             set protocol type
 --hardware-size <val>             hardware addresses size
 --protocol-size <val>             hardware addresses size
 --arp-opcode <val>                set arp operation code
 --arp-sender-hw <mac address>     set ARP sender MAC address
 --arp-sender-proto <IP address>   set ARP sender protocol address
 --arp-target-hw <mac address>     set ARP target MAC address
(default 00:00:00:00:00:00)

IP
 -S <ip address>                   spoof source IP address

(I'm not sure about these two, how useful do you find them?
especially the first one, which would do the same thing as nmap's -iR :)
 --rand-dest                       randomize destination addresses
 --rand-source                     randomize source address
( ------------------------------------ )

 -t  --ttl <val>                   ttl (default 64)
 -N  --id <val>                    id (default random)
 -W  --winid                       use win* id byte ordering
 -r  --rel                         relativize id field
 -f  --frag                        split packets in more frag.
 --morefrag                        set more fragments flag
 --dontfrag                        set dont fragment flag
 -g  --fragoff <val>               set the fragment offset
 -m  --mtu <val>                   set virtual mtu, implies --frag if
packet size > mtu
 --tos <val>                       type of service (default 0x00)
 -H  --ipproto <proto>             set the IP protocol field, only in
RAW IP mode

ICMP
 -C  --icmptype <val>              icmp type (default echo request)
 -K  --icmpcode <val>              icmp code (default 0)
 --force-icmp                      send all icmp types (default send
only supported types)
 --icmp-gw <ip addr>               set gateway address for ICMP
redirect (default 0.0.0.0)
 --icmp-ipver <val>                Set IP version of IP header
contained into ICMP data
 --icmp-iphlen <val>               Set IP header length of IP
header contained into ICMP data.
 --icmp-iplen <val>                Set IP packet length of IP header
contained into ICMP data.
 --icmp-ipid <val>                 Set IP id of IP header contained
into ICMP data.
 --icmp-ipproto <val>              Set IP protocol of IP header
contained into ICMP  data.
 --icmp-cksum <val>                Set a custom ICMP checksum.
 --icmp-ts                         Alias for --icmptype 13 (ICMP
timestamp requests).
 --icmp-addr                       Alias for --icmptype 17 (ICMP
address mask requests).

 --icmp-ipver <val>                set ip version
 --icmp-iphlen <val>               set ip header length
 --icmp-iplen <val>                set ip total length
 --icmp-ipid <val>                 set ip id
 --icmp-ipproto <val>              set ip protocol
 --icmp-ipsrc <val>                set ip source
 --icmp-ipdst <val>                set ip destination
 --icmp-srcport <val>              set tcp/udp source port
 --icmp-dstport <val>              set tcp/udp destination port
 --icmp-cksum <val>                set icmp checksum


UDP/TCP
 -g  --source-port <port>          source port
 -p  --destport [+][+]<port>       destination port (default 0) ctrl+z inc/dec
 -k  --keep                        don't change the source port between probes
 -w  --win <size>                  tcp window size (default 64)
 -O  --tcpoff <val>                set fake tcp data offset
(instead of tcphdrlen / 4)
 -Q  --seqnum                      shows only tcp sequence number
 --badsum                          send packets with a bad IP checksum
 -M  --seq                         set TCP sequence number

(--- There I'm not sure, which do you think is the best choice
between --- )
 -pN/pF/pX                         TCP Null, FIN, and Xmas probing
 --tcpflags <flags>                Customize TCP probe flags
(--- and/or --- )
 -F  --fin                         set FIN flag
 -S  --syn                         set SYN flag
 -R  --rst                         set RST flag
 -P  --push                        set PUSH flag
 -A  --ack                         set ACK flag
 -U  --urg                         set URG flag
 -X  --xmas                        set X unused flag (0x40)
 -Y  --ymas                        set Y unused flag (0x80)
( ----------- )

 --tcpexitcode                     use last tcp->th_flags as exit code
 --tcp-timestamp                   enable the TCP timestamp option to
guess the HZ/uptime

COMMON
 --datalength  <val>               data size
 -E  --file                        data from file
 -q  --signature <sign>            add signature before data
 -x  --hexdump                     dump packets in hex
 -J  --print                       dump printable characters
 -T  --traceroute                  traceroute mode (implies --bind and --ttl 1)
 --tr-stop                         Exit when receiving the first non-ICMP
packet in traceroute mode
 --tr-keep-ttl                     Keep the source TTL fixed, useful
to monitor just one hop
 --tr-no-rtt                       Don't calculate/show RTT
information in traceroute mode


Well, not so easy to juggle with flags and find good compromises!
Now waiting for your opinions about these choices.
I attached a copy of this to the email in order to ensure readability.

I wish you a happy new year!
Cheers

Henri


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
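Added example (not APing2 or Nping code): building and decoding the Ethernet/ARP request frame that the ETHERNET and ARP option groups above parameterise, including the check that the advertised hardware/protocol sizes match the addresses actually placed in the packet. The default values (broadcast destination, Ethernet hardware type, IPv4 protocol type, request opcode) and the 192.0.2.x addresses are assumptions, not taken from the list.

```python
import socket
import struct
# Assumed defaults for the options in the ETHERNET and ARP groups
ETH_P_ARP = 0x0806        # --eth-type: ARP
ARPHRD_ETHER = 1          # --hardware-type: Ethernet
ETH_P_IP = 0x0800         # --protocol-type: IPv4
ARPOP_REQUEST = 1         # --arp-opcode: request (an ARP ping)

def mac_bytes(mac: str) -> bytes:
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(o, 16) for o in octets)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_frame(dest_mac, src_mac, sender_hw, sender_proto, target_proto,
                    target_hw="00:00:00:00:00:00", opcode=ARPOP_REQUEST,
                    hw_type=ARPHRD_ETHER, proto_type=ETH_P_IP,
                    hw_size=6, proto_size=4, eth_type=ETH_P_ARP) -> bytes:
    """Ethernet header followed by an ARP packet, one argument per option."""
    sha, tha = mac_bytes(sender_hw), mac_bytes(target_hw)
    spa, tpa = socket.inet_aton(sender_proto), socket.inet_aton(target_proto)
    # Advertised sizes must match the addresses sent; receivers slice by them.
    if len(sha) != hw_size or len(spa) != proto_size:
        raise ValueError("address length disagrees with hardware/protocol size")
    eth = mac_bytes(dest_mac) + mac_bytes(src_mac) + struct.pack("!H", eth_type)
    arp = struct.pack("!HHBBH", hw_type, proto_type, hw_size, proto_size, opcode)
    return eth + arp + sha + spa + tha + tpa

def parse_arp_frame(frame: bytes) -> dict:
    """Decode a frame, slicing addresses by the hlen/plen it carries."""
    if len(frame) < 22:
        raise ValueError("frame too short for Ethernet + ARP header")
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{eth_type:04x}")
    hw_type, proto_type, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    if len(body) < 2 * (hlen + plen):
        raise ValueError("truncated ARP body")
    sha, spa = body[:hlen], body[hlen:hlen + plen]
    tha, tpa = body[hlen + plen:2 * hlen + plen], body[2 * hlen + plen:2 * (hlen + plen)]
    proto = lambda raw: socket.inet_ntoa(raw) if plen == 4 else raw.hex()
    return {"dest_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "hw_type": hw_type, "proto_type": proto_type, "opcode": opcode,
            "sender_hw": mac_str(sha), "sender_proto": proto(spa),
            "target_hw": mac_str(tha), "target_proto": proto(tpa)}
```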



