Nmap Development mailing list archives

Re: IPv6 OS Detection: Call for fingerprinters!!


From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 5 Jul 2011 19:26:40 +0200


On Jul 5, 2011, at 5:11 PM, Luis MartinGarcia. wrote:

On 07/05/2011 03:30 PM, Patrik Karlsson wrote:
On Jul 5, 2011, at 2:01 PM, Luis MartinGarcia. wrote:

On 07/05/2011 01:51 PM, Patrik Karlsson wrote:
On Jul 4, 2011, at 6:28 PM, Luis MartinGarcia. wrote:

NOTE: It's Monday. Today many of you should have access to IPv6 boxes,
so I resend this call for fingerprinters.


Hi!

As you may know, David and I are working on a new OS detection
engine for IPv6 hosts. At the moment we are in a research phase
and we need your help to collect a few preliminary fingerprints
that we can analyze and use to refine our algorithms.

Basically we need people to run a python script against
some IPv6 box. The script stores the results in a file with a name
like nmap6fp62102933.6fp. We'd like you to send that file
to this address: david+luis () nmap org

Below you can find some simple instructions on how to run the script.

WARNING: Please do NOT run the script against any critical box,
as it performs tests that involve sending some weird IPv6 packets
that might crash some sloppy implementations.

Thank you very much for your help!

Best regards,

Luis MartinGarcia.



== GENERAL STEPS ==

1. Download the script from:
http://nmap.org/svn/nping/nping-dev/ipv6fp.py

2. Make sure you have Python and Scapy installed in your system
(See below for details on how to install them)

3. Collect the following information:
 - Target's IPv6 address
 - Target's IPv4 address
 - An open port in the target

4. Run the script (See instructions below).

5. Send the results file that it produces to david+luis () nmap org



== RUNNING THE SCRIPT ==

A. The easy way: let the script request all details interactively
 [Run as root]: ./ipv6fp.py --interactive

B. If the above does not work or you think interactive prompts are for
 cowards, run it with real command line parameters:

B.1 If the IPv6 host is on the local link:

B.1.1 Target has a link local address like fe80::20c:29ff:fe7d:c25b

   [Run as root]: ./ipv6fp.py TARGET_IPV6_ADDRESS --addr4 \
   TARGET_IPV4_ADDRESS --ot OPEN_PORT_IN_TARGET --interface \
   IFACE_NAME

B.1.2 Target is on-link but its address is of global scope like
   2600:3c01::f03c:91ff:fe93:cd19.

  Try the first command, and then the second if it does not work:

   [Run as root]: ./ipv6fp.py TARGET_IPV6_ADDRESS --ot 80 --addr4 \
     TARGET_IPV4_ADDRESS --interface IFACE_NAME --send-eth

   [Run as root]: ./ipv6fp.py TARGET_IPV6_ADDRESS --ot 80 --addr4 \
     TARGET_IPV4_ADDRESS --send-ip

B.2 If the IPv6 host is more than one hop away.

 [Run as root]: ./ipv6fp.py 2600:3c01::f03c:91ff:fe93:cd19 --addr4 \
   TARGET_IPV4_ADDRESS --ot 80


!!! Note that you have to replace TARGET_IPV6_ADDRESS with an actual
IPv6 address, OPEN_PORT_IN_TARGET with the number of an open port
in the box, and IFACE_NAME  with the name of the appropriate network
interface.  Parameter --addr4 is optional,  so if the target host does
not have an IPv4 address, it can be omitted. However,  if it does have
an IPv4 address, please provide it, as this will improve our results.



== HOW TO INSTALL PYTHON AND SCAPY ==

+ You need to have Python and Scapy to run the script. To
 install scapy, follow these steps:

 # 1. Download latest version from:
     wget secdev.org/projects/scapy/files/scapy-latest.tar.gz

 # 2. Uncompress the file,
     tar xvf scapy-latest.tar.gz

 # 3. CD into the new directory
     cd scapy-2.1.0

 # 4. Build and install
     python setup.py build --force
     [AS ROOT] python setup.py install --force

Alternatively, you may install scapy in Debian/Ubuntu running
"sudo apt-get install scapy" or in RedHat/Fedora running "yum install
scapy".


+ To install Python 2.X, follow these instructions:
 http://docs.python.org/using/unix.html

== Troubleshooting ==

+ Command "./ipv6fp.py --help" displays usage information.

+ The script can send packets at the Ethernet level or at the IP
 level. Although it tries to guess the appropriate level
 automatically, you can pass --send-eth or --send-ip to force
 any of them. If you use --send-eth and the script complains
 about not being able to resolve a MAC address, you can pass the
 default gateway mac address explicitly using:
 --gwmac 11:22:33:44:55:66

+ Before sending the OS detection probes, the script runs a little
 connectivity test to ensure you can successfully reach the target.
 If the connectivity test fails but you still want to run the
 script, just pass --force

+ Do not hesitate to contact me for any additional information:
 {luis.mgarc () gmail com}




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
I fail to run the script from Ubuntu 11.04, this is what I get:

Traceback (most recent call last):
File "ipv6fp.py", line 4095, in <module>
  main()
File "ipv6fp.py", line 4058, in main
  set_up_ipv6_tests(target_host6_g)
File "ipv6fp.py", line 2317, in set_up_ipv6_tests
  finals=fragment6(final_packet, fragSize=1480)
File "/usr/lib/pymodules/python2.7/scapy/layers/inet6.py", line 954, in fragment6
  s = str(pkt) # for instantiation to get upper layer checksum right
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 256, in __str__
  return self.build()
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 307, in build
  pay = self.build_payload()
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 299, in build_payload
  return self.payload.build(internal=1)
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 307, in build
  pay = self.build_payload()
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 299, in build_payload
  return self.payload.build(internal=1)
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 308, in build
  p = self.post_build(pkt,pay)
File "/usr/lib/pymodules/python2.7/scapy/layers/inet6.py", line 1148, in post_build
  chksum = in6_chksum(58, self.underlayer, p)
File "/usr/lib/pymodules/python2.7/scapy/layers/inet6.py", line 608, in in6_chksum
  ph6s = str(ph6)
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 256, in __str__
  return self.build()
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 304, in build
  pkt = self.do_build()
File "/usr/lib/pymodules/python2.7/scapy/packet.py", line 291, in do_build
  p = f.addfield(self, p, val)
File "/usr/lib/pymodules/python2.7/scapy/fields.py", line 66, in addfield
  return s+struct.pack(self.fmt, self.i2m(pkt,val))
struct.error: 'H' format requires 0 <= number <= 65535

Any ideas?

//Patrik

--
Hi Patrik

This is strange. I've managed to run the script successfully from Ubuntu
11.04. What command line parameters are you using? Are you passing
hostnames instead of IP addresses? What version of scapy are you running
(if you run something like "sudo ./ipv6fp.py TARGET_ADDR --ot 80 --test
1 --force --debug" you should get some debugging output at the end).

Regards,

Luis.



I ran the interactive mode, but the command line you suggested produces the same error.
As far as I can tell, there's no package named scapy on Ubuntu 11.04; instead it refers me to python-scapy.
The version of this package is 2.1.0-1, python is 2.7.1.

I'm running against a link local address, I'm not using any hostnames and I'm supplying eth0 as interface.

Hi Patrik,

I run Python version 2.6.6 and Scapy 2.2.0-dev. To be honest, I don't
know whose fault it is: python or scapy. You run a higher version of
python, that may be more strict than mine. Also, I run a higher version
of Scapy, that may have fixed the problem. There is a bug report in
Scapy's tracker for that bug, but it appears to be in an "open" state
(http://trac.secdev.org/scapy/ticket/600).

Do you think you could install the latest version of Scapy and try
again? If that fixes the problem, I'll have to remove the test that is
causing the failure, as we cannot expect everyone to upgrade their Scapy
to run the script.

Thanks, and best regards,

Luis MartinGarcia.


PS: I also attach a patch that modifies the tests that I think are
causing the problem. If applying the patch makes the script work for
you, please let me know.

<fragmenttestsbug.diff>


Hi Luis,

The patch fixes the problem for me.
I haven't tried to upgrade Scapy yet. Do you still want me to test that?

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
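
Added example, not part of the thread and not code from ipv6fp.py or Scapy: the traceback quoted above ends in a struct.error raised while the pseudo-header for the ICMPv6 (next header 58) checksum is being built. The sketch below computes that checksum per RFC 2460 section 8.1 and shows how a 16-bit ('H') length field fails once the upper-layer length exceeds 65535, while the 32-bit field the RFC defines does not. That the length is the field that overflowed is an assumption the thread does not confirm; all function names and the sample message are constructed.

```python
import ipaddress
import struct

ICMPV6 = 58  # next-header value from the traceback: in6_chksum(58, ...)

def internet_checksum(data):
    """16-bit ones' complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src, dst, upper_len, length_fmt):
    """RFC 2460 section 8.1 pseudo-header. The RFC defines a 32-bit length
    ("!I"); "!H" models the assumed 16-bit field that cannot hold > 65535."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + struct.pack(length_fmt, upper_len)
            + b"\x00\x00\x00" + bytes([ICMPV6]))

def icmpv6_checksum(src, dst, message, length_fmt="!I"):
    """Checksum of an ICMPv6 message whose checksum field is zero."""
    return internet_checksum(pseudo_header(src, dst, len(message), length_fmt) + message)

def echo_request(payload_len):
    """Constructed sample: ICMPv6 echo request (type 128) with zero checksum."""
    return struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"A" * payload_len

def demo():
    # Constructed addresses; dst is the link-local example from the instructions.
    src, dst = "fe80::1", "fe80::20c:29ff:fe7d:c25b"
    small, big = echo_request(32), echo_request(70000)
    # Below 65536 bytes both field widths give the same checksum.
    same = icmpv6_checksum(src, dst, small, "!H") == icmpv6_checksum(src, dst, small, "!I")
    try:
        icmpv6_checksum(src, dst, big, "!H")
        narrow_error = None
    except struct.error as exc:
        narrow_error = str(exc)
    # Receiver-side check: with the checksum filled in, the result must be 0.
    csum = icmpv6_checksum(src, dst, big, "!I")
    filled = big[:2] + struct.pack("!H", csum) + big[4:]
    return same, narrow_error, icmpv6_checksum(src, dst, filled, "!I")

if __name__ == "__main__":
    print(demo())
```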
