[ipv6hackers] Nmap patch for TCP Idle Scan in IPv6

Fernando Gont fgont at si6networks.com
Sun Jun 9 14:51:21 CEST 2013

Hi, Mathias,

Mailman stripped the attachments (it is configured to do so). Could you
please post the files to some web site, and provide the corresponding
URLs? -- I could help with that, if needed.


Best regards,

On 06/09/2013 01:17 PM, Mathias Morbitzer wrote:
> Hello, 
> Because some people were interested, I'm forwarding here my email which I submitted on the Nmap mailing list. 
> In short terms, I created a patch to implement the TCP Idle Scan for IPv6 in Nmap. I didn't receive much feedback for the patch so far, so every feedback is more than welcome :) 
> To apply the patch, do a "svn co https://svn.nmap.org/nmap" to get the latest Nmap version, and then apply the patch. 
> Known issues: In case there is an additional extension header to the fragmentation header, it won't work. If you need another extension header, let me know, and I will try to fix this. 
> I also appended my results on which operating systems apply incremental/random IPIDs in IPv6. Summed up, try to use a Windows host (except Windows 8) as idle host ;) 
> Looking forward to your feedback!
> Cheers,
> Mathias
>> Hi everybody,
>> I managed to port the TCP Idle Scan to IPv6!
>> My master thesis as well as a shorter paper on the details will come soon,
>> but meanwhile let me sum up the details here:
>> In IPv6, we don't have an IPID in the header. But, there is an extension
>> header for fragmentation, which provides an IPID. So, all we need to do is
>> force the idle host to append this extension header for fragmentation
>> each time it sends a packet.
>> RFC 1981 says if an ICMPv6 Packet Too Big message is received, and an MTU
>> smaller than the IPv6 minimum MTU is announced within, the receiving host
>> should simply append a fragmentation header to each IPv6 packet on the path.
>> So we can achieve the TCP Idle Scan in IPv6 by first sending a ping with a
>> lot of data to the idle host. When the idle host replies, we tell it in an
>> ICMPv6 Packet Too Big message that the reply is too big, we only support a
>> maximum MTU of less than 1280 bytes, which is the IPv6 minimum MTU. From
>> now on, all IPv6 packets being sent from the idle host to us will have an
>> extension header for fragmentation, which contains an IPID.
>> Now we execute the same step for the path from the idle host to the
>> target. We spoof a ping from the target to the idle host, and after the
>> idle host has sent the answer, we send an ICMPv6 Packet Too Big message that
>> the MTU of the target is smaller than 1280 bytes, so from now on the idle
>> host will also append the fragmentation header there.
>> Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4 - just
>> that the IPID is not directly in the IPv6 header, but in the extension
>> header for fragmentation.
>> Additional cool stuff: Compared to IPv4, the IPID is not used (and
>> incremented) for every IPv6 packet sent, but only for those which use the
>> extension header for fragmentation. This means that our idle host actually
>> does not need to be idle, it just shouldn't send fragmented packets!
>> I hope my explanation is not too short and is understandable :)
>> However, to show that it really works, I also tried to implement the scan
>> in Nmap. To do so, I hacked idle_scan.cc, and used most of the stuff which
>> was already there. What I had to add was the sending of the pings and the
>> ICMPv6 Packet Too Big messages for the initialization, and I changed the
>> parts where the IPID is accessed, so that it works for IPv4 and IPv6.
>> The usage is the same as using the scan in IPv4: -sI <idlehost:probeport>
>> for the idlescan, plus add the -6 switch for IPv6.
>> I tested my patch with Windows 7 Ultimate, and Linux 3.8 (but there it
>> does not work, the IPIDs are on a per-host basis).
>> The patch is not perfect yet. There are still some things which need to be
>> improved, but I wanted to get a first feedback to know if I can continue
>> working on it this way. Also, my C/C++ knowledge is not the best, so let me
>> know if I made bigger mistakes.
>> Cheers,
>> Mathias
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
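A defender-side check for the trigger the technique above relies on, added here as an example and not part of Mathias's patch or of Nmap: it parses a raw IPv6 packet and, when it carries an ICMPv6 Packet Too Big message advertising an MTU below the 1280-byte IPv6 minimum, reports it, because such a message is what makes the receiving host add a fragment header (and thus an IPID) to every packet on that path. It assumes the ICMPv6 header directly follows the fixed 40-byte IPv6 header (no extension headers in between); the sample packets are constructed inline.

```python
import socket
import struct

IPV6_MIN_MTU = 1280          # IPv6 minimum link MTU; a PTB below this forces fragment headers
ICMPV6_NEXT_HEADER = 58
ICMPV6_PACKET_TOO_BIG = 2    # ICMPv6 type 2, code 0

def build_ptb(src, dst, mtu, invoking=b"\x60" + b"\x00" * 39):
    """Construct a minimal IPv6 + ICMPv6 Packet Too Big packet (sample data only).
    The checksum is left as zero; this is constructed input, not a capture."""
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, 64)
    return ip6 + socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst) + icmp

def inspect_packet(pkt):
    """Return a finding string if pkt is an ICMPv6 PTB advertising MTU < 1280, else None.
    Assumption: ICMPv6 directly follows the 40-byte IPv6 header (no extension headers)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != ICMPV6_NEXT_HEADER:
        return None
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 8:
        return None
    icmp_type, code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    if mtu >= IPV6_MIN_MTU:
        return None              # ordinary path-MTU reduction, nothing to flag
    src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    return (f"PTB from {src} to {dst} advertises MTU {mtu} < {IPV6_MIN_MTU}: "
            f"makes {dst} add a fragment header to every packet on that path")

def scan(packets):
    """Run inspect_packet over an iterable of raw packets and return the findings."""
    return [f for f in map(inspect_packet, packets) if f]

SAMPLE = [
    build_ptb("2001:db8::1", "2001:db8::2", 1400),  # constructed: normal PTB
    build_ptb("2001:db8::1", "2001:db8::2", 1000),  # constructed: below-minimum MTU
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```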
