Nmap Development mailing list archives

Re: Feature request, out-of order fragmentation


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Fri, 14 May 2010 12:05:00 +0200

Hi Sam,


Nmap does not currently implement this. However, I have a private
version of Nping that implements the fragmentation attacks described in
[1]. There are some problems with it though. First of all, it contains
code that belongs to the tool "Fragrouter", written by Dug Song. The
code is licensed under the BSD license, but I'll have to check with
Fyodor if we can distribute it legally. Another problem is that not all
operating systems allow user applications to generate this kind of
traffic. My tests show that when issuing 8-byte IP fragments, the first
three fragments (those that contain the TCP header) are just dropped by
the Linux kernel and never put on the wire. I guess there are ways to
tune the kernel to allow this kind of thing, and other OSes, probably
*BSD, allow it too. There doesn't seem to be any problem with 24-byte
fragments (as the full TCP header fits in the first fragment), so that
may work for you.

So, to sum up: I have code that does what you want, not for Nmap but for
Nping. If you want to test it, I'd be glad to send you a copy of this
"private" and unstable version of Nping. About Nmap, we'll have to wait
for Fyodor's opinion on this.

Regards,

Luis MartinGarcia.


[1] Ptacek, T.H. and Newsham, T.N. (1998). "Insertion, Evasion, and Denial
of Service: Eluding Network Intrusion Detection". Secure Networks, Inc.
[Available online]
<http://cs.unc.edu/~fabian/course_papers/PtacekNewsham98.pdf>



On 05/14/2010 11:44 AM, Sam Lavitt wrote:
I have recently found myself working with a commercial firewall and
IDS that is unable to screen fragments that are delivered out of order
when under load (normally it will store the fragments until the
entire window arrives, but once it hits a preconfigured load
percentage, default 0 (so always), it will forward all fragments as
delivered after checking the individual fragment for payload).

As a result, I'd like to see a feature for fragmentation and
transmission of packets out of order with a slight delay to make it
more likely for out-of-order delivery, leaving the host to reassemble
them.  This would effectively evade the product.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

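As an added illustration (not code from the thread, Nmap or Nping), the following Python reassembler takes the defender's position: it buffers 8-byte fragments that arrive out of order until the datagram is complete, and shows that checking fragments one at a time, as Sam describes the product doing under load, cannot even recover the TCP port or flags. The TCP header and fragment boundaries are constructed here.

```python
# Minimal IPv4 fragment reassembler: inspect after reassembly, not per fragment.
import struct
from dataclasses import dataclass, field

@dataclass
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (IP stores it in 8-byte units)
    more: bool      # More Fragments (MF) flag
    payload: bytes

@dataclass
class _Pending:
    chunks: dict = field(default_factory=dict)  # offset -> payload bytes
    total_len: int = -1                          # known once the MF=0 fragment arrives

class Reassembler:
    """Buffers fragments per IP ID until every byte of the datagram is present."""
    def __init__(self):
        self.pending = {}

    def feed(self, frag):
        """Return the reassembled payload once complete, otherwise None."""
        p = self.pending.setdefault(frag.ident, _Pending())
        p.chunks[frag.offset] = frag.payload
        if not frag.more:
            p.total_len = frag.offset + len(frag.payload)
        if p.total_len < 0:
            return None
        pos, out = 0, bytearray()
        while pos < p.total_len:            # walk contiguous chunks; a hole = incomplete
            chunk = p.chunks.get(pos)
            if chunk is None:
                return None
            out += chunk
            pos += len(chunk)
        del self.pending[frag.ident]
        return bytes(out)

def tcp_dst_port_and_flags(segment):
    """Destination port and flags from a TCP header; needs at least 14 bytes."""
    if segment is None or len(segment) < 14:
        return None
    return struct.unpack("!H", segment[2:4])[0], segment[13]

# Constructed 20-byte TCP SYN to port 80, cut into 8-byte fragments (hypothetical IP ID 0x1234).
SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
FRAGS = [Fragment(0x1234, o, o + 8 < len(SYN), SYN[o:o + 8]) for o in range(0, len(SYN), 8)]

def inspect_out_of_order(frags):
    """Feed fragments last-first; per-fragment checks see nothing, reassembly sees the SYN."""
    r, full = Reassembler(), None
    for f in reversed(frags):
        full = r.feed(f) or full
    return [tcp_dst_port_and_flags(f.payload) for f in frags], tcp_dst_port_and_flags(full)
```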

