Nmap Development mailing list archives
Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 13 Jul 2015 23:15:09 -0500
Bernhard,

This is very interesting work, and I think that putting effort towards this is worthwhile. I did address the TCP Options in a small way in r34903 [1], which consolidates the definition of the TCP options into a preprocessor definition in nmap.h. This way the default can be changed at compile time.

Regarding the TCP Window, it would probably be a good idea to change the compile-time default to start with. Since it is only used in raw-SYN probe situations where a full TCP connection is not established, the choice of value does not actually affect the scan results or speed. Using the fingerprint file from p0f [2], it is clear that the 1024 value Nmap uses is unique among TCP clients. A much better choice might be 65535, which shows up in 41 signatures (more than any other single value), including FreeBSD, Windows XP, and OS X.

It's important to keep in mind that IDS evasion like this is an arms race of sorts that can have unintended consequences:

* You can end up making your tool *more* fingerprintable [3]
* You raise the bar for detection (possibly a good thing!)
* You introduce complexity in your tool, which can lead to bugs.
* You make IDS evasion accessible to more people, who can use it for nefarious purposes.
* You make it more likely that IDS rule writers will consider your tool to be evil.

Dan

[1] http://seclists.org/nmap-dev/2015/q3/88
[2] http://lcamtuf.coredump.cx/p0f3/
[3] http://blog.erratasec.com/2013/10/fun-with-ids-funtime.html

On Mon, Jul 13, 2015 at 6:53 AM, <bernhard.thaler () r-it at> wrote:
Hi Fyodor,

I stuck to nping, which has a --win command line option, so I thought for consistency it would make sense for nmap as well.

I would even say for evasion we need to think about TCP options as well... Nmap currently sets only the MSS option, but not others (e.g. Windows 7 sets mss,nop,ws,nop,nop,sack as TCP options).

A "sane" default may be to choose settings according to the platform Nmap is running on... e.g. when run on a Windows machine, using Windows default values for TTL/HLIM, window size and TCP options, and when running on a Linux machine, using the current settings for these fields as well. If Nmap probes were similar to other TCP SYN packets originating from the box performing the scan (e.g. start of connection for normal web traffic), this would most likely be enough to avoid detection.

I fear there is no smart way to really check if Nmap probes are detected and blocked due to TTL/HLIM, window size or TCP option values. But if people manually detect that this is/may be the reason for blocking, they may want to have a command-line option to set these values according to their needs and manually evade detection. It may not be flags most people will commonly use though.

I will have a look into this... but I think both will be needed, a default that fits most cases and command-line options to override the default when needed.

Regards,
Bernhard

----------------------------------------
Raiffeisen Informatik GmbH, Firmensitz Wien, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for exchange of legally-binding communications.
----------------------------------------
From: fyodor () nmap org
To: bernhard.thaler () r-it at
Cc: dev () nmap org
Date: 13.07.2015 11:49
Subject: Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan
------------------------------

On Wed, Jul 8, 2015 at 7:07 AM, Bernhard Thaler <bernhard.thaler () r-it at> wrote:

Some IPS seem to detect and block nmap probes due to the hard-coded TCP receive window size of 1024. Add --win option to set any receive window size 0 < win < 65535 to avoid being detected by the hard-coded window size 1024.

Hi Bernhard, and thanks for the patch!

I feel like Nmap has too many command line options already, so the bar to adding new ones is pretty high in terms of how common and essential the option is for users. In this case, perhaps there is another solution. If there is a more common window size, perhaps we could switch to using that by default. Or maybe Nmap could choose from a number of common window sizes at startup, though that means a bit more complexity and code to maintain than the choosing-another-static-value approach. Also, we shouldn't change the packets sent by OS detection since the window size of those may affect the responses.

Solutions which are "smart" enough to solve problems without requiring the user to specify some obscure option are likely to improve the scanning experience for far more people. I'm glad you sent the patch though because it does make it easier for people who do want to change the Window size to apply your patch and do so.

Cheers,
Fyodor
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
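The thread's detection-side observation, as an added illustration that is not code from the Nmap project or from any of the posters: an IDS can spot Nmap's default raw SYN probe because it combines the window size 1024 that Dan found to be unique in the p0f signature file with the MSS-only option layout Bernhard describes. The parser below decodes a raw TCP segment into window size and p0f-style option layout and applies that one rule; the two sample segments are constructed (the Windows 7-style window value 8192 is an assumption, the page only gives its option order).

```python
import struct

# TCP option kind -> p0f-style name (RFC 793, RFC 7323, RFC 2018)
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sack", 8: "ts"}

def parse_tcp_options(opts: bytes) -> list:
    """Return the option layout of a TCP header, e.g. ['mss', 'nop', 'ws']."""
    names, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end-of-option-list terminates
            names.append("eol")
            break
        if kind == 1:                      # nop carries no length byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        names.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += opts[i + 1]                   # skip kind, length and payload
    return names

def tcp_syn_signature(segment: bytes) -> dict:
    """Decode a raw TCP segment (no IP header) into the fields an IDS fingerprints."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    _sport, _dport, _seq, _ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    doff = (off_flags >> 12) * 4            # header length in bytes
    flags = off_flags & 0x1FF
    return {"syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "win": win, "opts": parse_tcp_options(segment[20:doff])}

def looks_like_default_nmap_syn(sig: dict) -> bool:
    """Rule from the thread: SYN-only, window 1024, and MSS as the sole option."""
    return sig["syn"] and not sig["ack"] and sig["win"] == 1024 and sig["opts"] == ["mss"]

def build_syn(sport: int, win: int, opts: bytes) -> bytes:
    """Constructed test segment: SYN to port 80 with the given window and options."""
    assert len(opts) % 4 == 0, "options must be padded to a 32-bit boundary"
    doff = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", sport, 80, 0x1234, 0, (doff << 12) | 0x02, win, 0, 0) + opts

# Constructed samples, not captures: Nmap-style (mss=1460 only) and Windows 7-style layout.
NMAP_STYLE_SYN = build_syn(40000, 1024, b"\x02\x04\x05\xb4")
WIN7_STYLE_SYN = build_syn(49152, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
```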