[ipv6hackers] Nmap patch for TCP Idle Scan in IPv6

Mathias Morbitzer m.morbitzer at student.ru.nl
Sun Jun 9 16:40:42 CEST 2013


Hi Fernando, 

thanks for mentioning, I did not see that. 

I uploaded the patch to pastebin.ca: http://www.pastebin.ca/2394155
Hope this works, if not, let me know. 

The overview of the IPIDs is here: 

System                                      | Assignment of Identification
------------------------------------------------------------------------
Android 4.1 (Linux 3.0.15)                  | Per host, incremental (1)
FreeBSD 7.4                                 | Random
FreeBSD 9.1                                 | Random
iOS 6.1.2                                   | Random
Linux 2.6.32                                | Per host, incremental (2)
Linux 3.2                                   | Per host, incremental (1)
Linux 3.8                                   | Per host, incremental
OpenBSD 4.6                                 | Random
OpenBSD 5.2                                 | Random
OS X 10.6.7                                 | Global, incremental (3)
OS X 10.8.3                                 | Random
Solaris 11                                  | Per host, incremental
Windows Server 2003 R2 Standard 64bit, SP2  | Global, incremental
Windows Server 2008 Standard 32bit, SP1     | Global, incremental
Windows Server 2008 R2 Standard 64bit, SP1  | Global, incremental by 2
Windows Server 2012 Standard 64bit          | Per host, incremental by 2
Windows XP Professional 32bit, SP3          | Global, incremental (4)
Windows Vista Business 64bit, SP1           | Global, incremental
Windows 7 Home Premium 32bit, SP1           | Global, incremental by 2
Windows 7 Ultimate 32bit, SP1               | Global, incremental by 2
Windows 8 Enterprise 32 bit                 | Per host, incremental by 2
------------------------------------------------------------------------
(1) Host calculates wrong TCP checksum for routes with PMTU < 1280
(2) PMTU < 1280 results in DoS
(3) Does not accept PMTU < 1280
(4) IPv6 disabled by default
------------------------------------------------------------------------

Cheers,
Mathias

----- Original Message -----
> From: "Fernando Gont" <fgont at si6networks.com>
> To: "IPv6 Hackers Mailing List" <ipv6hackers at lists.si6networks.com>
> Cc: "Mathias Morbitzer" <m.morbitzer at student.ru.nl>
> Sent: Sunday, 9 June, 2013 2:51:21 PM
> Subject: Re: [ipv6hackers] Nmap patch for TCP Idle Scan in IPv6
> Hi, Mathias,
> 
> Mailman stripped the attachments (it is configured to do so). Could you
> please post the files to some web site, and provide the corresponding
> URLs? -- I could help with that, if needed.
> 
> Thanks!
> 
> Best regards,
> Fernando
> 
> 
> 
> 
> On 06/09/2013 01:17 PM, Mathias Morbitzer wrote:
> > Hello,
> >
> > Because some people were interested, I'm forwarding here my email
> > which I submitted on the Nmap mailing list.
> >
> > In short terms, I created a patch to implement the TCP Idle Scan for
> > IPv6 in Nmap. I didn't receive much feedback for the patch so far,
> > so every feedback is more than welcome :)
> >
> > To apply the patch, do a "svn co https://svn.nmap.org/nmap" to get
> > the latest Nmap version, and then apply the patch.
> >
> > Known issues: In case there is an additional extension header to the
> > fragmentation header, it won't work. If you need another extension
> > header, let me know, and I will try to fix this.
> >
> > I also appended my results on which operating systems apply
> > incremental/random IPIDs in IPv6. Summed up, try to use a Windows
> > host (except Windows 8) as idle host ;)
> >
> >
> > Looking forward to your feedback!
> >
> >
> > Cheers,
> > Mathias
> >
> >> Hi everybody,
> >>
> >> I managed to port the TCP Idle Scan to IPv6!
> >>
> >> My master's thesis as well as a shorter paper on the details will come
> >> soon, but meanwhile let me sum up the details here:
> >>
> >> In IPv6, we don't have an IPID in the header. But, there is an
> >> extension header for fragmentation, which provides an IPID. So, all we
> >> need to do is force the idle host to append this extension header for
> >> fragmentation each time it sends a packet.
> >>
> >> RFC 1981 says that if an ICMPv6 Packet Too Big message is received, and
> >> an MTU smaller than the IPv6 minimum MTU is announced within, the
> >> receiving host should simply append a fragmentation header to each IPv6
> >> packet on the path.
> >>
> >> So we can achieve the TCP Idle Scan in IPv6 by first sending a ping
> >> with a lot of data to the idle host. When the idle host replies, we
> >> tell it in an ICMPv6 Packet Too Big message that the reply is too huge
> >> and that we only support a maximum MTU of less than 1280 bytes, which
> >> is the IPv6 minimum MTU. From now on, all IPv6 packets being sent from
> >> the idle host to us will have an extension header for fragmentation,
> >> which contains an IPID.
> >>
> >> Now we execute the same step for the path from the idle host to the
> >> target. We spoof a ping from the target to the idle host, and after
> >> the idle host has sent the answer, we send an ICMPv6 Packet Too Big
> >> message that the MTU of the target is smaller than 1280 bytes, so from
> >> now on the idle host will also append the fragmentation header there.
> >>
> >> Afterwards, the TCP Idle Scan in IPv6 works the same way as in IPv4 -
> >> just that the IPID is not directly in the IPv6 header, but in the
> >> extension header for fragmentation.
> >>
> >> Additional cool stuff: Compared to IPv4, the IPID is not used (and
> >> incremented) for every IPv6 packet sent, but only for those which use
> >> the extension header for fragmentation. This means that our idle host
> >> actually does not need to be idle, it just shouldn't send fragmented
> >> packets!
> >>
> >>
> >> I hope my explanation is not too short and is understandable :)
> >>
> >>
> >> However, to show that it really works, I also tried to implement the
> >> scan in Nmap. To do so, I hacked idle_scan.cc, and used most of the
> >> stuff which was already there. What I had to add was the sending of
> >> the pings and the ICMPv6 Packet Too Big messages for the
> >> initialization, and I changed the parts where the IPID is accessed, so
> >> that it works for IPv4 and IPv6.
> >>
> >> The usage is the same as using the scan in IPv4: -sI
> >> <idlehost:probeport> for the idle scan, plus add the -6 switch for
> >> IPv6.
> >>
> >> I tested my patch with Windows 7 Ultimate, and Linux 3.8 (but there it
> >> does not work, the IPIDs are on a per-host base).
> >>
> >> The patch is not perfect yet. There are still some things which need
> >> to be improved, but I wanted to get a first feedback to know if I can
> >> continue working on it this way. Also, my C/C++ knowledge is not the
> >> best, so let me know if I made bigger mistakes.
> >>
> >>
> >> Cheers,
> >> Mathias
> >>
> >>
> >> _______________________________________________
> >> Ipv6hackers mailing list
> >> Ipv6hackers at lists.si6networks.com
> >> http://lists.si6networks.com/listinfo/ipv6hackers
> 
> 
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
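The procedure quoted above (an ICMPv6 Packet Too Big advertising an MTU below 1280 to force a Fragment header, then reading the Identification out of the idle host's replies and comparing two samples), as an added example that is not part of this thread and not Mathias' Nmap patch. It is standard-library Python that builds and parses the packets in memory and sends nothing; the 2001:db8:: addresses, the `sample_reply` stand-in for the idle host's traffic and all function names are assumptions for illustration. It also walks Hop-by-Hop, Routing and Destination Options headers in front of the Fragment header, the case the patch notes it does not handle yet.

```python
"""Added example for the IPv6 idle-scan procedure described in the thread.

Not Mathias' Nmap patch: standalone Python (standard library only) that
builds the ICMPv6 Packet Too Big message used to force a Fragment header,
reads the Fragment header's Identification out of a reply even when other
extension headers precede it, and applies the idle-scan inference to a
pair of observed Identifications. Nothing is sent on the wire; every packet
is constructed here and the 2001:db8:: addresses are placeholders.
"""
import ipaddress
import struct

IPV6_MIN_MTU = 1280
ICMPV6_PACKET_TOO_BIG = 2          # RFC 4443 section 3.2, code 0
NEXT_HEADER_ICMPV6 = 58
NEXT_HEADER_FRAGMENT = 44
NEXT_HEADER_TCP = 6
SKIPPABLE_EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options

ATTACKER = "2001:db8::1"   # assumed addresses, illustration only
IDLE_HOST = "2001:db8::2"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """40-byte IPv6 header, no traffic class or flow label."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def packet_too_big(src, dst, mtu, invoking_packet):
    """ICMPv6 Packet Too Big from src to dst advertising `mtu`.

    Advertising mtu < 1280 is the trick from the thread: dst cannot shrink
    its packets below the IPv6 minimum MTU, so it prefixes a Fragment
    header (and with it an Identification) to everything it sends to src.
    """
    room = IPV6_MIN_MTU - 40 - 8   # RFC 4443: echo as much of the offending packet as fits
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet[:room]
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(body), NEXT_HEADER_ICMPV6))
    body = body[:2] + struct.pack("!H", inet_checksum(pseudo + body)) + body[4:]
    return ipv6_header(src, dst, len(body), NEXT_HEADER_ICMPV6) + body


def icmpv6_checksum_valid(packet):
    """Checksum check for an ICMPv6 packet without extension headers.

    A host silently drops a Packet Too Big whose checksum is wrong, so the
    forced Fragment header never appears; this is the first thing to verify.
    """
    if len(packet) < 48 or packet[6] != NEXT_HEADER_ICMPV6:
        return False
    body = packet[40:]
    pseudo = packet[8:40] + struct.pack("!I3xB", len(body), NEXT_HEADER_ICMPV6)
    return inet_checksum(pseudo + body) == 0


def fragment_identification(packet):
    """Identification from the Fragment header, or None if there is none.

    Walks the extension-header chain, so a Hop-by-Hop, Routing or
    Destination Options header before the Fragment header does not hide it.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    while offset + 8 <= len(packet):
        if next_header == NEXT_HEADER_FRAGMENT:
            return struct.unpack_from("!I", packet, offset + 4)[0]
        if next_header not in SKIPPABLE_EXT_HEADERS:
            return None            # reached the upper-layer header: not fragmented
        next_header = packet[offset]
        offset += (packet[offset + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units, excluding the first 8
    return None


def classify_port(id_before, id_after, step=1):
    """Idle-scan inference on two Identification samples from the idle host.

    Between the samples the idle host answers our own probe once (+1 step).
    If the target port is open, the target's SYN/ACK to the spoofed SYN makes
    the idle host send one extra RST (+2 steps in total). step=2 models the
    Windows hosts in the table that increment by 2. The field is 32 bits.
    """
    delta = (id_after - id_before) % (1 << 32)
    if delta == step:
        return "closed|filtered"
    if delta == 2 * step:
        return "open"
    return "unknown (idle host not idle, or IDs not global/incremental)"


def sample_reply(ident, with_hop_by_hop=False):
    """Constructed stand-in for an idle-host reply after the PTB took effect."""
    chain = struct.pack("!BBHI", NEXT_HEADER_TCP, 0, 0, ident) + b"\x00" * 8  # Fragment: offset 0, M=0
    first = NEXT_HEADER_FRAGMENT
    if with_hop_by_hop:
        chain = bytes([NEXT_HEADER_FRAGMENT, 0, 1, 4, 0, 0, 0, 0]) + chain   # one PadN option
        first = 0
    return ipv6_header(IDLE_HOST, ATTACKER, len(chain), first) + chain


if __name__ == "__main__":
    # Step 1: the idle host's reply to our oversized ping is "too big" for an MTU of 1279.
    ptb = packet_too_big(ATTACKER, IDLE_HOST, IPV6_MIN_MTU - 1, sample_reply(0))
    print("PTB checksum ok:", icmpv6_checksum_valid(ptb), "MTU:", int.from_bytes(ptb[44:48], "big"))
    # Step 2: sample the Identification before and after the spoofed SYN to the target.
    before = fragment_identification(sample_reply(0x1000))
    after = fragment_identification(sample_reply(0x1002, with_hop_by_hop=True))
    print("target port is", classify_port(before, after))
```

The same Packet Too Big, with the spoofed source set to the target, is what the second step of the procedure sends so that the idle host also fragments towards the target; only the addresses in `packet_too_big` change.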


