Nmap Development mailing list archives

Re: [PATCH] TCP Idle Scan in IPv6


From: David Fifield <david () bamsoftware com>
Date: Sun, 3 Nov 2013 12:25:38 -0800

On Mon, Oct 14, 2013 at 06:00:10PM +0200, Mathias Morbitzer wrote:
> On Sun, 13 Oct 2013 11:03:49 -0700, david <david () bamsoftware com> wrote:
>
> > > The attached patch should fix all the issues pointed out.
> >
> > I'm having some trouble getting results with this patch. I set up a test
> > IPv6 network:
> >     abcd::1 GNU/Linux scanning host
> >     abcd::2 Windows 7 VM zombie
> >     abcd::3 GNU/Linux target
> > Is there any more information I can send you?
>
> Are you testing on a physical network, or with VMs? I did most of my
> tests with VMs, and sometimes encountered a slightly different
> behavior when I used a physical host as idle host. Of course, it
> should work in both situations, but this could be the reason why it
> works for me, but not for you.
> And because it could be a TCP checksum problem: Which Linux version
> are you using on the scanning host and the target?

They were all VMs. The Linux version was 3.10. But I think I found the
cause. I tried using these link-local addresses instead:
        fe80::abcd:1    GNU/Linux scanning host
        fe80::abcd:2    Windows 7 VM zombie
        fe80::abcd:3    GNU/Linux target
Before using these addresses, I noticed that the scanning host was
sending ICMPv6 Redirect messages. Now using these addresses, I get what
looks like correct behavior:

$ sudo ./nmap -Pn -6 --top-ports 10 -sI '[fe80::abcd:2]:22' fe80::abcd:3
Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-10-26 23:07 PDT
Idle scan using zombie fe80::abcd:2 (fe80::abcd:2:22); Class: Incrementing by 2
Nmap scan report for fe80::abcd:3
Host is up (0.021s latency).
PORT     STATE           SERVICE
21/tcp   closed|filtered ftp
22/tcp   open            ssh
23/tcp   closed|filtered telnet
25/tcp   closed|filtered smtp
80/tcp   closed|filtered http
110/tcp  closed|filtered pop3
139/tcp  closed|filtered netbios-ssn
443/tcp  closed|filtered https
445/tcp  closed|filtered microsoft-ds
3389/tcp closed|filtered ms-wbt-server

Trying to use the Linux host as a zombie to scan Windows doesn't work,
as expected:

$ sudo ./nmap -Pn -6 --top-ports 10 -sI '[fe80::abcd:3]:22' fe80::abcd:2
Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-10-26 23:07 PDT
Idle scan using zombie fe80::abcd:3 (fe80::abcd:3:22); Class: Incremental
Even though your Zombie (fe80::abcd:3; fe80::abcd:3) appears to be vulnerable to IP ID sequence prediction (class: 
Incremental), our attempts have failed.  This generally means that either the Zombie uses a separate IP ID base for 
each host (like Solaris), or because you cannot spoof IP packets (perhaps your ISP has enabled egress filtering to 
prevent IP spoofing), or maybe the target network recognizes the packet source as bogus and drops them
QUITTING!

I merged your patch in r32469. Thanks so much!

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
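As an added illustration (not code from the patch, from Nmap, or from either author), the IP ID bookkeeping behind the "Class: Incrementing by 2" and "closed|filtered" lines in the output above: a simplified classifier for a host's Identification sequence, a defender-side check for whether a host is predictable enough to serve as a zombie, and the inference that turns the zombie's counter advance into a port state. The sample sequences and the classification thresholds are constructed assumptions, not Nmap's exact ipid_class logic.

```python
"""IP ID sequence classification and idle-scan bookkeeping (simplified)."""
from typing import List, Sequence

# Constructed sample sequences; not captures from the thread's test network.
WINDOWS_LIKE = [0x1000, 0x1002, 0x1004, 0x1006, 0x1008]        # "Incrementing by 2"
LINUX_LIKE = [41, 42, 43, 44, 45]                                # "Incremental"
RANDOM_LIKE = [0x3F2A91C0, 0x0A77E1B3, 0x9C01F4D2, 0x5530B8E7]  # "Randomized"

def ipid_diffs(ids: Sequence[int], bits: int) -> List[int]:
    """Successive differences modulo 2**bits, so a wraparound still looks small."""
    mod = 1 << bits
    return [(b - a) % mod for a, b in zip(ids, ids[1:])]

def ipid_class(ids: Sequence[int], bits: int = 32) -> str:
    """Classify a sampled Identification sequence (thresholds are assumptions).

    bits=16 for the IPv4 Identification field; bits=32 for the IPv6 Fragment
    Header Identification field, which is what an IPv6 idle scan observes.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = ipid_diffs(ids, bits)
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(d == 1 for d in diffs):
        return "Incremental"
    if len(set(diffs)) == 1 and 2 <= diffs[0] <= 10:
        return "Incrementing by %d" % diffs[0]
    if all(d <= 10 for d in diffs):
        return "Random positive increments"
    return "Randomized"

def predictable_zombie(ids: Sequence[int], bits: int = 32) -> bool:
    """True when an observer could count the packets this host sends to third
    parties from its IP IDs alone: the property an idle scan relies on, and the
    one a defender wants their own hosts not to have."""
    return ipid_class(ids, bits).startswith(("Incremental", "Incrementing by"))

def infer_port_state(before: int, after: int, step: int, bits: int = 32) -> str:
    """Map the zombie's IP ID advance across one spoofed probe to a port state.

    The zombie's reply to the scanner's own probe costs one ID (step). An open
    target port makes the target send SYN/ACK to the zombie, whose RST costs one
    more. A closed port draws a RST the zombie ignores and a filtered port draws
    nothing, so those two cases cannot be told apart: "closed|filtered".
    """
    advance = (after - before) % (1 << bits)
    if advance == 2 * step:
        return "open"
    if advance == step:
        return "closed|filtered"
    return "unknown"  # the zombie talked to someone else in between
```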

