Re: [PATCH] TCP Idle Scan in IPv6

[Mathias Morbitzer <m.morbitzer () student ru nl>]

Thanks for the feedback.

I'm aware of the draft RFC. Since a few weeks, its actually not a draft anymore:
https://tools.ietf.org/html/rfc6946

However, it is for sure that this draft helped me developing the idea. On Thursday, I'm hoping to meet Fernando in 
person to discuss each others work. 

I also did some additional research on which hosts assign their IPID in IPv6 randomly/incrementaly, a screenshot of the 
results is attached. (Can't access them differently right now)


Looking forward to hear from your experiences. Next week I will have time again, then I would like to improve the bits 
in my code which are not very nice yet. 


Cheers,
Mathias

----- Original Message -----
> From: "Luis MartinGarcia" <luis.mgarc () gmail com>
> To: "Mathias Morbitzer" <m.morbitzer () student ru nl>
> Cc: dev () nmap org
> Sent: Monday, 3 June, 2013 7:19:04 PM
> Subject: Re: [PATCH] TCP Idle Scan in IPv6
> Hi Mathias,
>
> I haven't tested your patch, but if what you describe is true, it
> looks
> like an interesting discovery, congratulations!
>
> You might be aware of it already, but just in case you are not,
> Fernando
> Gont just published a draft RFC on the security implications of
> predictable
> fragment fields in IPv6. You may find it interesting.
>
> http://tools.ietf.org/id/draft-ietf-6man-predictable-fragment-id-00.txt
>
> Regards,
>
> Luis MartinGarcia.
>
>
> On Mon, Jun 3, 2013 at 5:59 PM, Mathias Morbitzer
> <m.morbitzer () student ru nl
> > wrote:
>
> > Hi everybody,
> >
> > I managed to port the TCP Idle Scan to IPv6!
> >
> > My masterthesis as well as a shorter paper on the details will come
> > soon,
> > but meanwhile let me sum up the details here:
> >
> > In IPv6, we don't have an IPID in the header. But, there is an
> > extension
> > header for fragmentation, which provides an IPID. So, all we need to
> > do is
> > forcing the idle host to append this extension header for
> > fragmentation
> > each time he is sending a packet.
> >
> > RFC 1981 says if an ICMPv6 Packet Too Big message is received, and
> > an MTU
> > smaller than the IPv6 minimum MTU is announced within, the receiving
> > host
> > should simply append a fragmentation header to each IPv6 packet on
> > the path.
> >
> > So we can achieve the TCP Idle Scan in IPv6 by first sending a ping
> > with a
> > lot of data to the idle host. When the idle host replies, we tell it
> > in an
> > ICMPv6 packet Too Big message that the reply is to huge, we only
> > support a
> > maximum MTU of less than 1280 bytes, which is the IPv6 minimum MTU.
> > From
> > now on, all IPv6 packets being sent from the idle host to us will
> > have an
> > extension header for fragmentation, which contains an IPID.
> >
> > Now we execute the same step for the path from the idle host to the
> > target. We spoof a ping from the target to the idle host, and after
> > the
> > idle host sent the answer, we send an ICMPv6 packet Too Big message
> > that
> > the MTU of the target is smaller than 1280 bytes, so from now on the
> > idle
> > host will also append the fragmentation header there.
> >
> > Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4
> > - just
> > that the IPID is not directly in the IPv6 header, but in the
> > extension
> > header for fragmentation.
> >
> > Additional cool stuff: Compared to IPv4, the IPID is not used (and
> > incremented) for every IPv6 packet sent, but only for those which
> > use the
> > extension header for fragmentation. This means that our idle host
> > actually
> > does not need to be idle, it just shouldn't send fragmented
> > packages!
> >
> >
> > I hope my explanation is not too short and understandable :)
> >
> >
> > However, to show that it really works, I also tried to implement the
> > scan
> > in Nmap. To do so, I hacked idle_scan.cc, and used most of the stuff
> > which
> > was already there. What I had to add was the sending of the pings
> > and the
> > ICMPv6 packet too big messages for the initialization, and I changed
> > the
> > parts where the IPID is accessed, so that it works for IPv4 and
> > IPv6.
> >
> > The usage is the same as using the scan in IPv4: -sI
> > <idlehost:probeport>
> > for the idlescan, plus add the -6 switch for IPv6.
> >
> > I tested my patch with Windows 7 Ultimate, and Linux 3.8 (but there
> > is
> > does not work, the IPIDs are on a per-host-base).
> >
> > The patch is not perfect yet. There are still some things which need
> > to be
> > improved, but I wanted to get a first feedback to know if i can
> > continue
> > working on it this way. Also, my C/C++ knowledge is not the best, so
> > let me
> > know if I made bigger mistakes.
> >
> >
> > Cheers,
> > Moe
> >
> >
> > PS: I'm on a conference from Wednesday to Friday, so I won't be able
> > to
> > read my mails.
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > http://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/