[ipv6hackers] Nmap patch for TCP Idle Scan in IPv6

Mathias Morbitzer m.morbitzer at student.ru.nl
Sun Jun 9 13:17:32 CEST 2013


Because some people were interested, I'm forwarding here the email which I submitted to the Nmap mailing list. 

In short, I created a patch to implement the TCP Idle Scan for IPv6 in Nmap. I haven't received much feedback on the patch so far, so all feedback is more than welcome :) 

To apply the patch, run "svn co https://svn.nmap.org/nmap" to get the latest Nmap version, and then apply the patch. 

Known issues: in case there is an additional extension header besides the fragmentation header, it won't work. If you need another extension header, let me know, and I will try to fix this. 

I have also appended my results on which operating systems use incremental/random IPIDs in IPv6. In summary, try to use a Windows host (except Windows 8) as the idle host ;) 

Looking forward to your feedback!


> Hi everybody,
> I managed to port the TCP Idle Scan to IPv6!
> My master's thesis, as well as a shorter paper on the details, will come soon,
> but meanwhile let me sum up the details here:
> In IPv6, we don't have an IPID in the header. But there is an extension
> header for fragmentation, which provides an IPID. So, all we need to do is
> force the idle host to append this extension header for fragmentation
> each time it sends a packet.
> RFC 1981 says if an ICMPv6 Packet Too Big message is received, and an MTU
> smaller than the IPv6 minimum MTU is announced in it, the receiving host
> should simply append a fragmentation header to each IPv6 packet on the path.
> So we can achieve the TCP Idle Scan in IPv6 by first sending a ping with a
> lot of data to the idle host. When the idle host replies, we tell it in an
> ICMPv6 Packet Too Big message that the reply is too large, that we only
> support a maximum MTU of less than 1280 bytes, which is the IPv6 minimum
> MTU. From now on, all IPv6 packets being sent from the idle host to us will
> have an extension header for fragmentation, which contains an IPID.
> Now we execute the same step for the path from the idle host to the
> target. We spoof a ping from the target to the idle host, and after the
> idle host has sent the answer, we send an ICMPv6 Packet Too Big message
> saying that the MTU of the target is smaller than 1280 bytes, so from now
> on the idle host will also append the fragmentation header there.
> Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4 - just
> that the IPID is not directly in the IPv6 header, but in the extension
> header for fragmentation.
> Additional cool stuff: compared to IPv4, the IPID is not used (and
> incremented) for every IPv6 packet sent, but only for those which use the
> extension header for fragmentation. This means that our idle host actually
> does not need to be idle, it just shouldn't send fragmented packets!
> I hope my explanation is not too short and is understandable :)
> However, to show that it really works, I also tried to implement the scan
> in Nmap. To do so, I hacked idle_scan.cc, and used most of the stuff which
> was already there. What I had to add was the sending of the pings and the
> ICMPv6 packet too big messages for the initialization, and I changed the
> parts where the IPID is accessed, so that it works for IPv4 and IPv6.
> The usage is the same as using the scan in IPv4: -sI <idlehost:probeport>
> for the idlescan, plus add the -6 switch for IPv6.
> I tested my patch with Windows 7 Ultimate and Linux 3.8 (but there it
> does not work, the IPIDs are on a per-host basis).
> The patch is not perfect yet. There are still some things which need to be
> improved, but I wanted to get some first feedback to know if I can continue
> working on it this way. Also, my C/C++ knowledge is not the best, so let me
> know if I made bigger mistakes.
> Cheers,
> Mathias
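The procedure the quoted message describes, as an added example that is not part of the original post and is not code from the Nmap patch: pure Python (standard library only) that builds the oversized Echo Request, the ICMPv6 Packet Too Big message with an MTU below 1280 and a correct pseudo-header checksum, pulls the Identification field out of the Fragment header of a packet coming back from the idle host, and performs the two-sample IPID comparison of the IPv4 idle scan. The addresses 2001:db8::a (attacker), 2001:db8::1d1e (idle host) and 2001:db8::7 (target) are hypothetical; every packet is constructed in memory and nothing is sent. The extension-header walker goes beyond what the quoted text needs: it also skips Hop-by-Hop, Routing and Destination Options headers sitting in front of the Fragment header.

```python
import socket
import struct

IPV6_MIN_MTU = 1280                     # RFC 8200 minimum link MTU
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_TCP, NH_ICMPV6 = 6, 58
ICMPV6_PACKET_TOO_BIG, ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 2, 128, 129

# Hypothetical addresses (an assumption), used only for the packets constructed here.
ATTACKER, IDLE, TARGET = "2001:db8::a", "2001:db8::1d1e", "2001:db8::7"

def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(src, dst, length):
    # RFC 8200 8.1: source, destination, upper-layer length, 3 zero bytes, next header
    return (socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst)
            + struct.pack("!I3xB", length, NH_ICMPV6))

def icmpv6_checksum_ok(src, dst, msg):
    """An ICMPv6 message whose checksum field is correct sums to all ones."""
    return _ones_complement_sum(_pseudo_header(src, dst, len(msg)) + msg) == 0xFFFF

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst))

def icmpv6_packet(src, dst, mtype, code, rest, body):
    """Complete IPv6 + ICMPv6 packet with the ICMPv6 checksum filled in."""
    msg = struct.pack("!BBH", mtype, code, 0) + rest + body
    csum = (~_ones_complement_sum(_pseudo_header(src, dst, len(msg)) + msg)) & 0xFFFF
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    return ipv6_header(src, dst, NH_ICMPV6, len(msg)) + msg

def echo(src, dst, mtype, ident, seq, data_len):
    """Step 1: an Echo Request with enough data that the Echo Reply is 'too big'."""
    return icmpv6_packet(src, dst, mtype, 0, struct.pack("!HH", ident, seq), b"A" * data_len)

def packet_too_big(src, dst, mtu, invoking_packet):
    """Step 2: Packet Too Big (type 2, code 0) announcing an MTU below the IPv6 minimum;
    the receiver then puts a Fragment header on everything it sends back to `src`.
    RFC 4443 keeps the message within 1280 bytes, so the quoted invoking packet is cut
    at 1280 - 40 (IPv6 header) - 8 (ICMPv6 header + MTU field) = 1232 bytes."""
    if not 0 < mtu < IPV6_MIN_MTU:
        raise ValueError("MTU must be below %d to force a Fragment header" % IPV6_MIN_MTU)
    return icmpv6_packet(src, dst, ICMPV6_PACKET_TOO_BIG, 0, struct.pack("!I", mtu),
                         invoking_packet[:IPV6_MIN_MTU - 40 - 8])

def fragment_header(next_header, ident, offset=0, more=False):
    """RFC 8200 Fragment header: next(1) reserved(1) offset<<3|M(2) identification(4).
    offset 0 with M=0 is an 'atomic' fragment: the packet still travels in one piece."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)

def rst_from_idle_host(ipid, hop_by_hop=False):
    """Constructed sample of what the idle host emits after step 2: a minimal all-zero
    TCP segment behind a Fragment header, optionally with a Hop-by-Hop header in front."""
    chain, first = fragment_header(NH_TCP, ipid) + b"\x00" * 20, NH_FRAGMENT
    if hop_by_hop:                          # 8-byte Hop-by-Hop header padded with Pad1
        chain, first = struct.pack("!BB6x", NH_FRAGMENT, 0) + chain, NH_HOPOPTS
    return ipv6_header(IDLE, ATTACKER, first, len(chain)) + chain

def extract_ipid(packet):
    """Return the Identification from the Fragment header, or None if there is none.
    Hop-by-Hop, Routing and Destination Options headers ahead of it are skipped via
    their length byte (8-octet units, not counting the first 8 octets)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], 40
    while nh in (NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS):
        nh, off = packet[off], off + (packet[off + 1] + 1) * 8
    if nh != NH_FRAGMENT or len(packet) < off + 8:
        return None
    return struct.unpack("!I", packet[off + 4:off + 8])[0]

def classify_port(ipid_before, ipid_after):
    """Step 3, the IPv4 idle-scan inference: sample the idle host's IPID, send the target
    a SYN spoofed from the idle host, sample again. Both paths carry Fragment headers now,
    so only these packets touch the counter:
      +1   target RSTed or dropped the SYN, idle host sent nothing  -> closed|filtered
      +2   target SYN/ACKed, idle host answered it with a RST      -> open
      else the idle host sent other fragmented packets, sample unusable."""
    delta = (ipid_after - ipid_before) & 0xFFFFFFFF
    return {1: "closed|filtered", 2: "open"}.get(delta, "unknown")

if __name__ == "__main__":
    reply = echo(IDLE, ATTACKER, ICMPV6_ECHO_REPLY, 0x1234, 1, 1400)  # the idle host's answer
    ptb = packet_too_big(ATTACKER, IDLE, 1000, reply)                  # our lie about the MTU
    print(len(ptb), icmpv6_checksum_ok(ATTACKER, IDLE, ptb[40:]))      # 1280 True
    print(extract_ipid(rst_from_idle_host(0x42, hop_by_hop=True)))     # 66
    print(classify_port(0x42, 0x44))                                    # open
```

Run directly, the script prints the 1280-byte Packet Too Big, the IPID recovered from behind a Hop-by-Hop header, and the "open" verdict for an IPID jump of two. The ValueError in packet_too_big is the check the whole technique hinges on: only an announced MTU below the IPv6 minimum makes the host add a Fragment header to every packet on that path, a larger value merely lowers its path MTU.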
