[ipv6hackers] Nmap patch for TCP Idle Scan in IPv6

Mathias Morbitzer m.morbitzer at runbox.com
Mon Oct 28 15:55:07 CET 2013 

Hi Folks, 

Finally, i managed to send you the update on my work. As reminder, I did my masters thesis on porting the TCP Idle Scan from IPv4 to IPv6. 

For the motivated reader, my masterthesis, which covers all kinds of details as well as similar scanning methods which are not related to IPv6, can be found here: http://www.ru.nl/publish/pages/578936/m_morbitzer_masterthesis.pdf

For the normal reader, a much shorter article covering only the TCP Idle Scan in IPv6 and the most important details can be found here: https://www.researchgate.net/publication/256846709_TCP_Idle_Scans_in_IPv6/file/9c960523ff1da8b77a.pdf

For the lazy reader, the slides of the presentation which I gave last week and the week before at HitB malaysia and hack.lu can be found here: http://conference.hitb.org/hitbsecconf2013kul/materials/D1T2%20-%20Mathias%20Morbitzer%20-%20TCP%20Idle%20Scans%20in%20IPv6.pdf

Additionally, I am really happy and proud to announce that since yesterday, Nmap also supports the TCP Idle Scan in IPv6. You can get the latest version of Nmap from the svn with "svn co https://svn.nmap.org/nmap". I was not able to test the scan on the Internet yet, since so far I did not have access to an IPv6 uplink. 
Known issues: If you state your own host as idle host, the program will die at a certain point reporting a malformed packet. I will try to fix this as soon as I have time.  

I'm looking forward to any kind of feedback regarding the technique itself or the Nmap implementation!

Cheers,
Mathias

On Sun, 9 Jun 2013 16:40:42 +0200 (CEST), Mathias Morbitzer <m.morbitzer at student.ru.nl> wrote:

> Hi Fernando, 
> 
> thanks for mentioning, I did not see that. 
> 
> I uploaded the patch to pastebin.ca: http://www.pastebin.ca/2394155
> Hope this works, if not, let me know. 
> 
> The overview of the IPIDs is here: 
> 
> System | Assignment of Identification
>  -----------------------------------------------------------------
>  Android 4.1 (Linux 3.0.15) | Per host, incremental (1)
>  FreeBSD 7.4 | Random
>  FreeBSD 9.1 | Random
>  iOS 6.1.2 | Random
>  Linux 2.6.32 | Per host, incremental (2)
>  Linux 3.2 | Per host, incremental (1)
>  Linux 3.8 | Per host, incremental
>  OpenBSD 4.6 | Random
>  OpenBSD 5.2 | Random
>  OS X 10.6.7 | Global, incremental (3)
>  OS X 10.8.3 | Random
>  Solaris 11 | Per host, incremental
>  Windows Server 2003 R2 Standard 64bit, SP2 | Global, incremental
>  Windows Server 2008 Standard 32bit,  SP1 | Global, incremental
>  Windows Server 2008 R2 Standard 64bit, SP1 | Global, incremental by 2
>  Windows Server 2012 Standard 64bit | Per host, incremental by 2
>  Windows XP Professional 32bit, SP3 | Global, incremental (4)
>  Windows Vista Business 64bit, SP1 | Global, incremental
>  Windows 7 Home Premium 32bit, SP1 | Global, incremental by 2
>  Windows 7 Ultimate 32bit, SP1 | Global, incremental by 2
>  Windows 8 Enterprise 32 bit | Per host, incremental by 2
> ------------------------------------------------------------------
> (1) Hosts calculates wrong TCP checksum for routes with PMTU < 1280
> (2) PMTU < 1280 results in DoS
> (3) Does not accept PMTU < 1280
> (4) IPv6 disabled by default
> ------------------------------------------------------------------
> 
> Cheers,
> Mathias
> 
> ----- Original Message -----
> > From: "Fernando Gont" <fgont at si6networks.com>
> > To: "IPv6 Hackers Mailing List" <ipv6hackers at lists.si6networks.com>
> > Cc: "Mathias Morbitzer" <m.morbitzer at student.ru.nl>
> > Sent: Sunday, 9 June, 2013 2:51:21 PM
> > Subject: Re: [ipv6hackers] Nmap patch for TCP Idle Scan in IPv6
> > Hi, Mathias,
> > 
> > Mailman stripped the attachements (it is configured to do so). Could
> > you
> > please post the files to some web site, and provide the corresponding
> > URLs? -- I could help with that, if needed.
> > 
> > Thanks!
> > 
> > Best regards,
> > Fernando
> > 
> > 
> > 
> > 
> > On 06/09/2013 01:17 PM, Mathias Morbitzer wrote:
> > > Hello,
> > >
> > > Because some people were interested, I'm forwarding here my email
> > > which I submitted on the Nmap mailing list.
> > >
> > > In short terms, I created a patch to implement the TCP Idle Scan for
> > > IPv6 in Nmap. I didn't receive much feedback for the patch so far,
> > > so every feedback is more than welcome :)
> > >
> > > To apply the patch, do a "svn co https://svn.nmap.org/nmap" to get
> > > the latest Nmap version, and then apply the patch.
> > >
> > > Known issues: In case there is an additional extension header to the
> > > fragmentation header, it won't work. If you need another extension
> > > header, let me know, and I will try to fix this.
> > >
> > > I also appended my results on which operating systems apply
> > > incremental/random IPIDs in IPv6. Summed up, try to use a Windows
> > > host (except Windows 8) as idle host ;)
> > >
> > >
> > > Looking forward to your feedback!
> > >
> > >
> > > Cheers,
> > > Mathias
> > >
> > >> Hi everybody,
> > >>
> > >> I managed to port the TCP Idle Scan to IPv6!
> > >>
> > >> My masterthesis as well as a shorter paper on the details will come
> > >> soon,
> > >> but meanwhile let me sum up the details here:
> > >>
> > >> In IPv6, we don't have an IPID in the header. But, there is an
> > >> extension
> > >> header for fragmentation, which provides an IPID. So, all we need
> > >> to do is
> > >> forcing the idle host to append this extension header for
> > >> fragmentation
> > >> each time he is sending a packet.
> > >>
> > >> RFC 1981 says if an ICMPv6 Packet Too Big message is received, and
> > >> an MTU
> > >> smaller than the IPv6 minimum MTU is announced within, the
> > >> receiving host
> > >> should simply append a fragmentation header to each IPv6 packet on
> > >> the path.
> > >>
> > >> So we can achieve the TCP Idle Scan in IPv6 by first sending a ping
> > >> with a
> > >> lot of data to the idle host. When the idle host replies, we tell
> > >> it in an
> > >> ICMPv6 packet Too Big message that the reply is to huge, we only
> > >> support a
> > >> maximum MTU of less than 1280 bytes, which is the IPv6 minimum MTU.
> > >> From
> > >> now on, all IPv6 packets being sent from the idle host to us will
> > >> have an
> > >> extension header for fragmentation, which contains an IPID.
> > >>
> > >> Now we execute the same step for the path from the idle host to the
> > >> target. We spoof a ping from the target to the idle host, and after
> > >> the
> > >> idle host sent the answer, we send an ICMPv6 packet Too Big message
> > >> that
> > >> the MTU of the target is smaller than 1280 bytes, so from now on
> > >> the idle
> > >> host will also append the fragmentation header there.
> > >>
> > >> Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4
> > >> - just
> > >> that the IPID is not directly in the IPv6 header, but in the
> > >> extension
> > >> header for fragmentation.
> > >>
> > >> Additional cool stuff: Compared to IPv4, the IPID is not used (and
> > >> incremented) for every IPv6 packet sent, but only for those which
> > >> use the
> > >> extension header for fragmentation. This means that our idle host
> > >> actually
> > >> does not need to be idle, it just shouldn't send fragmented
> > >> packages!
> > >>
> > >>
> > >> I hope my explanation is not too short and understandable :)
> > >>
> > >>
> > >> However, to show that it really works, I also tried to implement
> > >> the scan
> > >> in Nmap. To do so, I hacked idle_scan.cc, and used most of the
> > >> stuff which
> > >> was already there. What I had to add was the sending of the pings
> > >> and the
> > >> ICMPv6 packet too big messages for the initialization, and I
> > >> changed the
> > >> parts where the IPID is accessed, so that it works for IPv4 and
> > >> IPv6.
> > >>
> > >> The usage is the same as using the scan in IPv4: -sI
> > >> <idlehost:probeport>
> > >> for the idlescan, plus add the -6 switch for IPv6.
> > >>
> > >> I tested my patch with Windows 7 Ultimate, and Linux 3.8 (but there
> > >> is
> > >> does not work, the IPIDs are on a per-host-base).
> > >>
> > >> The patch is not perfect yet. There are still some things which
> > >> need to be
> > >> improved, but I wanted to get a first feedback to know if i can
> > >> continue
> > >> working on it this way. Also, my C/C++ knowledge is not the best,
> > >> so let me
> > >> know if I made bigger mistakes.
> > >>
> > >>
> > >> Cheers,
> > >> Mathias
> > >>
> > >>
> > >> _______________________________________________
> > >> Ipv6hackers mailing list
> > >> Ipv6hackers at lists.si6networks.com
> > >> http://lists.si6networks.com/listinfo/ipv6hackers
> > 
> > 
> > --
> > Fernando Gont
> > SI6 Networks
> > e-mail: fgont at si6networks.com
> > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

More information about the Ipv6hackers mailing list