Re: [RFC PATCH] Add --win option to set receive window size in TCP SYN Scan

[Daniel Miller <bonsaiviking () gmail com>]

Bernhard,

This is very interesting work, and I think that putting effort towards this
is worthwhile. I did address the TCP Options in a small way in r34903 [1],
which consolidates the definition of the TCP options into a preprocessor
definition in nmap.h. This way the default can be changed at compile time.

Regarding the TCP Window, it would probably be a good idea to change the
compile-time default to start with. Since it is only used in raw-SYN probe
situations where a full TCP connection is not established, the choice of
value does not actually affect the scan results or speed. Using the
fingerprint file from p0f [2], it is clear that the 1024 value Nmap uses is
unique among TCP clients. A much better choice might be 65535, which shows
up in 41 signatures (more than any other single value), including FreeBSD,
Windows XP, and OS X.

It's important to keep in mind that IDS evasion like this is an arms race
of sorts that can have unintended consequences:

* You can end up making your tool *more* fingerprintable [3]
* You raise the bar for detection (possibly a good thing!)
* You introduce complexity in your tool, which can lead to bugs.
* You make IDS evasion accessible to more people, who can use it for
nefarious purposes.
* You make it more likely that IDS rule writers will consider your tool to
be evil.

Dan

[1] http://seclists.org/nmap-dev/2015/q3/88
[2] http://lcamtuf.coredump.cx/p0f3/
[3] http://blog.erratasec.com/2013/10/fun-with-ids-funtime.html

On Mon, Jul 13, 2015 at 6:53 AM, <bernhard.thaler () r-it at> wrote:

> Hi Fyodor,
>
> I sticked to nping which has a --win command line option, so I thought for
> consistency it would make sense for nmap as well.
>
> I would even say for evasion we need to think about TCP options as
> well...Nmap currently sets only MSS option, but not others (e.g. Windows 7
> sets mss,nop,ws,nop,nop,sack as TCP options).
>
> A "sane" default may be to choose settings according to the platform Nmap
> is running on...eg. when run on a Windows machine using Windows default
> values for TTL/HLIM, window size and TCP options and when running on a
> Linux  machine using current settings for these fields as well. If Nmap
> probes would be similar to other TCP SYN packets originating from the box
> performing the scan (e.g. start of connection for normal web traffic) this
> would most likely be enough to avoid detection.
>
> I fear there is no smart way to really check if Nmap probes are detected
> and blocked due to TTL/HLIM, window size or TCP option values. But if
> people manually detect this is/may be the reason for blocking they may want
> to have a command-line option to set these values according to their needs
> and manually evade detection. It may not be flags most people will commonly
> use though.
>
> I will have a look into this...but I think both will be needed, a default
> that fits most cases and command-line options to override the default when
> needed.
>
> Regards,
> Bernhard
>
>
>
> ----------------------------------------
> Raiffeisen Informatik GmbH, Firmensitz Wien, Firmenbuchnr. 88239p,
> Handelsgericht Wien, DVR 0486809, UID ATU 16351908
>
> Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail
> dient ausschliesslich Informationszwecken. Rechtsgeschaeftliche
> Erklaerungen duerfen ueber dieses Medium nicht ausgetauscht werden.
> Correspondence with above mentioned sender via e-mail is only for
> information purposes. This medium may not be used for exchange of
> legally-binding communications.
> ----------------------------------------
> [image: Inactive hide details for fyodor---13.07.2015 11:49:01---On Wed,
> Jul 8, 2015 at 7:07 AM, Bernhard Thaler <bernhard.thaler@r-it.]fyodor---13.07.2015
> 11:49:01---On Wed, Jul 8, 2015 at 7:07 AM, Bernhard Thaler <
> bernhard.thaler () r-it at> wrote:
>
> Von: fyodor () nmap org
> An: bernhard.thaler () r-it at,
> Kopie: dev () nmap org
> Datum: 13.07.2015 11:49
> Betreff: Re: [RFC PATCH] Add --win option to set receive window size in
> TCP SYN Scan
> ------------------------------
>
>
>
> On Wed, Jul 8, 2015 at 7:07 AM, Bernhard Thaler <*bernhard.thaler () r-it at*
> <bernhard.thaler () r-it at>> wrote:
>
>    Some IPS seem to detect and block nmap probes due to hard-coded TCP
>    receive
>    window size of 1024.
>
>    Add --win option to set any receive window size 0 < win < 65535 to
>    avoid being
>    detected by hard-coded window size 1024.
>
>
> Hi Bernhard, and thanks for the patch!  I feel like Nmap has too many
> command line options already, so the bar to adding new ones is pretty high
> in terms of how common and essential the option is for users.  In this
> case, perhaps there is another solution.  If there is a more common window
> size, perhaps we could switch to using that by default.  Or maybe Nmap
> could choose from a number of common window sizes at startup, though that
> means a bit more complexity and code to maintain than the
> choosing-another-static-value approach.  Also, we shouldn't change the
> packets sent by OS detection since the window size of those may affect the
> responses.
>
> Solutions which are "smart" enough to solve problems without requiring the
> user to specify some obscure option are likely to improve the scanning
> experience for far more people.  I'm glad you sent the patch though because
> it does make it easier for people who do want to change the Window size to
> apply your patch and do so.
>
> Cheers,
> Fyodor
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/