nmap operation - packet fragmentation is difficult to spot

[ThePistonDoctor]

Hi all,

I'm hoping that though this isn't directly related to BackTrack, someone here will still be interested in helping since it's closely related to one of the most useful tools in BackTrack (nmap).

I have a virtual network set up here with a few Windows XP boxes and a BT4R2 box. Internet communication on all is disabled but they are able to talk to each other via VirtualBox's internal networking features. I ran an nmap scan from BT4 against one of my XP boxes and was hoping to see the difference between a standard -A scan and a scan utilizing the -f switch (fragment packets).

So I enabled net access on one of my XP boxes and quickly downloaded Wireshark to watch the traffic as I scanned, got it installed and then went back to just the internal network again. Now with Wireshark running on XP I run my nmap scan on BT4:

Code:

nmap -A 192.168.50.2

and see the results as expected. In BT I see the OS version, a few open ports, etc. Then I investigate in Wireshark and see the typical SYN scan. Since port 445 was listening I filtered the Wireshark scan using

Code:

tcp.dstport==445

and followed the TCP stream from the first SYN so I could see just that interaction. Of course I see a SYN, then the SYN, ACK back from the XP host, and the immediate RST from BT4 to tear down the connection just like I expected.

Ok great - so that's with just the -A option. Now I want to see what the capture looks like when I fragment the packets from nmap (which would be a typical basic firewall evasion technique). So I save the capture file to look at later and start a new one to capture the following nmap scan:

Code:

nmap -A -f 192.168.50.2

Again I filter for only port 445 because I know it is listening. This time I see three SYN packets from nmap, with a SYN, ACK after the first SYN, then a DUP, ACK after each consecutive SYN from nmap, then three RST packets to tear down the connection again. This is exactly what I expected to see - the SYN packet to establish the half-open connection was broken into three fragments.

However, after saving the capture file and looking at the two side by side, I can't seem to see any difference at all in the actual data. I expected that the fragmented packets would have smaller total lengths, or would have the "more fragments" flag set, or something different about the headers. I have looked over every field in the data and can't see any difference at all.

So my question is what exactly does nmap do when you set the -f switch? How can I see the difference in the packets in my wireshark captures, or is the only indication that the packets were fragmented the presence of the DUP, ACK packets from the target? If you set -f with no MTU argument, does it simply send three "full-sized" SYN packets instead of one? If so that doesn't make any sense because that would be even easier to detect than a simple single-packet SYN scan. I'm into the nitty gritty of nmap and Wireshark here, so I figured it would be good information to have on this forum in case people want to better understand exactly what they're doing when they run an nmap scan.

If you have any useful info, please provide it!

Thanks!

[ThePistonDoctor]

Anyone? Maybe this is in the wrong place. Mods feel free to move it to a better area of the forum or close the thread if you think it is too far off from BT use.

In the mean time I am still curious about this as it seems like nmap isn't really doing anything special when you fragment the packets.

[VulcanX]

As far as I know the -f is used to avoid IDS/IPS's as they check for scans like that. And I highly doubt that someone will be running Wireshark just for fun.

If the IPS/IDS detects a whole bunch of RST packets right after SYN/ACK then its a prob. Hence theres the sS sT sU etc to used combined with the -f. You can also try run a "-t x" to slow the scan down and not raise as many flags.

I know Im not answering your question directly here and not 100% sure on the packet delivery. I will mess around a bit later and see what i can come up with too. Very interesting though, will watch the topic closely

[sagarbelure]

Hi,

I'm not so sure about it.
But, aligning with nmap help

FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)

Aren't you supposed to supply the value with it?
And if not supplied, thats would be standard MTU.

[ThePistonDoctor]

Yeah I found it strange. You're right, the point of the -f switch is to avoid IDS/IPS but the theory behind it is that if you fragment the packets the IDS/IPS sees fragments and passes them through without reassembly and then they are reassembled on the other side by the TCP/IP stack (I think). I thought that because of this, I would see a difference in packet size on the fragments. Also, regarding the reset packets, note that there should not have been three reset packets sent, there should have been three FRAGMENTS of a single reset packet sent through to be reassembled on the other side of the IDS/IPS

Again though none of the reset packets had the More Fragments flag set which I found to be a little odd.

If the -f switch doesn't properly fragment packets, there's a possibility that the tool could be improved and be more successful at bypassing IDS/IPS/firewalls by correcting this operation.

[VulcanX]

Some of the IPS/IDS's reassemble the packets even if they are fragmented.
I know it doesnt benefit you at all in this situation but just thought I would share

[ThePistonDoctor]

Lol no problem. This is really a wireshark question anyway - I am no expert in wireshark so I am probably missing where the difference lies. I will report back here if I find a difference down the road!