Nmap Development mailing list archives

Re: IPv6 Hop Limit as feature in FPEngine


From: Alexandru Geana <alex () alegen net>
Date: Thu, 19 Mar 2015 14:08:42 +0100

Hello devs,

I have made some changes to the patches and attached the new versions to
this email.

> It seems weird to conditionally subtract the DS. I don't remember, is
> that value always present? Or only when we get an ICMPv6 reply?

The DS value is not always present. It appears depending on whether nmap
is able to get it or not, either via an ICMP response to the U1 probe or
via a traceroute.

The method I thought about now is to check the scan line and see if the
hop distance is present. If it is, then I try to calculate the original
hop limit value. Then I try to guess the original value and take into
consideration an error limit which is 5 if the hop distance was present
and 20 otherwise. The idea is to check

    if def_value - er_limit <= hop_limit and hop_limit <= def_value
        hop_limit = def_value
    else
        hop_limit = -1

for every hop limit in the database and every default_value in {32, 64,
128, 255}. The reason for having different error limits is that, if the
hop distance is available, theoretically we should be able to calculate
the original hop limit. Otherwise, the error limit is higher since we
cannot tell for sure how many hops are on the path. Furthermore, it also
helps with interference. For example, if a calculated hop limit is 65 or
66, it most probably means that the value was rewritten to 64 somewhere
on the path and it cannot be used to obtain the original value anymore.

I ran some experiments with different strategies and obtained the
results from the table below. The hlim column has the different values found
in the fingerprint database (except -1); raw is the number of packets
with said hop limit without any processing; sl is only using the scan
line when available and nothing more; sl || g is using the scan line
when available, otherwise guessing by rounding up to a known value; sl && g
is scan line and always guessing; and the final column, sl && sg, is scan
line and smart guessing (the algorithm described above).

In the nmap code I had to make some further changes because I needed the
calculation method as an argument to the vectorize_hlim function. I
wanted to add the distance_calculation_method field to the
FingerPrintResults class. This field is of type dist_calc_method defined
in Target.h. Since Target.h includes FingerPrintResults.h, I could not
include the former in the latter (for the definition of the enum) so I
decided to move it to FingerPrintResults.h. Additionally, I also moved
the distance field from Target to FPR (since it was just a copy) and
updated all other files (osscan2, output, traceroute) to use
FPR->distance.

Let me know what you think of it.

   hlim      raw        sl     sl || g   sl && g   sl && sg
    -1                                                36
    1         6         6
    32                            6         6
    44        1
    45                  1         1
    50        16        8
    51        4         8         8
    52        36        16
    53        11
    54        14
    55        20
    56        12        4         4
    57        25        18        5
    58        37        25
    59        36        22
    60       223       187        33
    61        20        8
    62        48        10        10
    63       143        81        21
    64       1842      2097      2403      2485      2467
    65                  3         3
   127        16        16
   128       211       211       227       230       227
   243        23        10
   244        8         8
   246        9
   248        8         8
   249        12        12
   251        27
   252        1
   254        8         8
   255       438       479       525       534       525
   260                  9         9

Best regards,
Alexandru Geana
alegen.net

Attachment: nmap.diff
Description:

Attachment: ipv6tests.diff
Description:

Attachment: signature.asc
Description: Digital signature
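To make the "smart guessing" rule concrete, here is an added C++ example (not code from the attached nmap.diff or from the Nmap project) that implements the decision described in the mail: reconstruct the original hop limit when the scan line carries a hop distance, then snap it to one of {32, 64, 128, 255} only if it lies within the error limit (5 with a distance, 20 without), returning -1 otherwise. For comparison it also implements the plain round-up guess behind the "g" columns, which accepts values such as 65 that the smart rule rejects as rewritten. The assumption that the original value is observed hop limit plus hop distance, and the function and constant names, are mine, not the patch's.

```cpp
#include <iostream>

// Default initial hop limits used by the common IPv6 stacks.
static const int kDefaultHlims[] = {32, 64, 128, 255};

// Error limits from the mail: 5 hops when the hop distance is known,
// 20 when it is not (assumed constant names).
static const int kErrLimitWithDistance = 5;
static const int kErrLimitNoDistance = 20;

// Smart guess: accept a default value only if hop_limit is at most
// er_limit below it (and never above it). Otherwise return -1.
int smart_guess_hlim(int hop_limit, int er_limit) {
    for (int def_value : kDefaultHlims) {
        if (def_value - er_limit <= hop_limit && hop_limit <= def_value)
            return def_value;
    }
    return -1;
}

// Plain guess ("g" strategy): round up to the smallest default value
// that is >= hop_limit, -1 if it exceeds 255.
int round_up_hlim(int hop_limit) {
    for (int def_value : kDefaultHlims) {
        if (hop_limit <= def_value)
            return def_value;
    }
    return -1;
}

// observed_hlim: hop limit seen in the reply.
// have_distance: whether the scan line carried a hop distance.
// distance:      hops to the target (only meaningful if have_distance).
// Assumption: each hop decrements by one, so original = observed + distance.
int normalize_hlim(int observed_hlim, bool have_distance, int distance) {
    int hop_limit = observed_hlim;
    int er_limit = kErrLimitNoDistance;
    if (have_distance) {
        hop_limit = observed_hlim + distance;
        er_limit = kErrLimitWithDistance;
    }
    return smart_guess_hlim(hop_limit, er_limit);
}

// Constructed observations: {observed hlim, distance known?, distance}.
struct Obs { int hlim; bool have_dist; int dist; };

int main() {
    const Obs samples[] = {
        {60, true, 4},    // 64 reconstructed exactly -> 64
        {60, false, 0},   // no distance, within 20 of 64 -> 64
        {50, true, 3},    // 53 is too far below 64 for a 5-hop limit -> -1
        {65, false, 0},   // above 64, far below 128: likely rewritten -> -1
        {243, false, 0},  // within 20 of 255 -> 255
        {1, false, 0},    // no default within reach -> -1
    };
    std::cout << "observed dist? dist  smart  round-up\n";
    for (const Obs &o : samples) {
        std::cout << o.hlim << "\t" << (o.have_dist ? "y" : "n") << "\t"
                  << o.dist << "\t"
                  << normalize_hlim(o.hlim, o.have_dist, o.dist) << "\t"
                  << round_up_hlim(o.hlim + (o.have_dist ? o.dist : 0))
                  << "\n";
    }
    return 0;
}
```

Because the four acceptance windows (12..32, 44..64, 108..128, 235..255) do not overlap even at the 20-hop limit, the loop order does not matter; values that fall between windows, such as 65 or 66, are exactly the rewritten-on-path cases the mail wants to discard rather than count toward 128.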

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
