Date: Thu, 17 Dec 1998 07:15:56 +1100 (EDT) From: Darren Reed <avalon@coombs.anu.edu.au> To: fygrave@tigerteam.net (CyberPsychotic) Cc: jkb@best.com, robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG Subject: Re: Detecting remote host type and so on.. Message-ID: <199812162015.HAA25754@cheops.anu.edu.au> In-Reply-To: <Pine.LNX.4.05.9812161826060.392-100000@gizmo.kyrnet.kg> from "CyberPsychotic" at Dec 16, 98 06:38:19 pm
In some mail from CyberPsychotic, sie said: [...] > This is linux implementation, but I guess it could be ported to BSD's bpf > instead of RAW_SOCK platform as well. I also had an idea, that you could > defeat various OS probes using the same toy by spoofing various OS > dependent responces and thus confuse such toys as nmap or queso. If everyone fixed theirs up, it would also be much harder. Whilst looking at the NetBSD ICMP code, I noticed some fields don't get converted back into network byte order for ICMP replies. You may want to try the patch below (with some finger work required) to fix this problem. Darren *** ip_icmp.c.orig Sun Dec 6 17:04:21 1998 --- ip_icmp.c Sun Dec 6 17:46:24 1998 *************** *** 159,165 **** m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) goto freeit; ! icmplen = oiplen + min(8, oip->ip_len); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); --- 159,165 ---- m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) goto freeit; ! icmplen = oiplen + min(8, oip->ip_len - oiplen); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); *************** *** 183,188 **** --- 183,191 ---- icp->icmp_nextmtu = htons(destifp->if_mtu); } + HTONS(oip->ip_id); + HTONS(oip->ip_off); + HTONS(oip->ip_len); icp->icmp_code = code; bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen); nip = &icp->icmp_ip; *** ip_input.c.orig Sun Aug 9 21:11:14 1998 --- ip_input.c Sun Dec 6 17:26:31 1998 *************** *** 1139,1145 **** m_freem(m); return; } - HTONS(ip->ip_id); if (ip->ip_ttl <= IPTTLDEC) { icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0); return; --- 1139,1144 ---- *************** *** 1186,1201 **** if (rt->rt_ifa && (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_subnetmask) == ifatoia(rt->rt_ifa)->ia_subnet) { ! if (rt->rt_flags & RTF_GATEWAY) ! dest = satosin(rt->rt_gateway)->sin_addr.s_addr; ! else ! dest = ip->ip_dst.s_addr; ! 
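Review bot: The new `icmplen = oiplen + min(8, oip->ip_len - oiplen);` in the ip_icmp.c hunk at line 159 is only correct when every caller hands icmp_error() an ip_len that still covers the IP header; the udp_usrreq.c hunk restores that for UDP, but any other caller that still passes the header-stripped length would make the subtraction go negative. What happens then depends on declarations outside the hunk: if oiplen or min()'s parameters are unsigned the value wraps and min() clamps it to 8, but if they are int the negative icmplen reaches `m->m_len = icmplen + ICMP_MINLEN` and the bcopy that follows. An explicit guard before the line, `if (oip->ip_len < oiplen) goto freeit;`, makes the assumption visible and uses the `freeit` label the hunk already jumps to. The enclosing icmp_error() starts before and ends after this hunk.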
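Review bot: The three added `HTONS(oip->ip_id)`, `HTONS(oip->ip_off)`, `HTONS(oip->ip_len)` lines in the ip_icmp.c hunk at line 183 byte-swap the original packet's header in place rather than the copy that is about to be made into icp->icmp_ip. If the code after the hunk reuses oip again (4.4BSD-derived icmp_error() copies it a second time into the outer header of the reply before icmp_reflect), ip_off would leave here in network order and be swapped once more by ip_output, and any existing `nip->ip_len = htons(...)` fix-up after `nip = &icp->icmp_ip;` would now convert ip_len twice; both depend on lines outside the hunk, so please confirm. Converting the copy instead keeps oip untouched: after the bcopy, `nip = &icp->icmp_ip; HTONS(nip->ip_id); HTONS(nip->ip_off); HTONS(nip->ip_len);`. The function continues outside the hunk.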
/* Router requirements says to only send host redirects */ ! type = ICMP_REDIRECT; ! code = ICMP_REDIRECT_HOST; #ifdef DIAGNOSTIC ! if (ipprintfs) ! printf("redirect (%d) to %x\n", code, (u_int32_t)dest); #endif } } --- 1185,1201 ---- if (rt->rt_ifa && (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_subnetmask) == ifatoia(rt->rt_ifa)->ia_subnet) { ! if (rt->rt_flags & RTF_GATEWAY) ! dest = satosin(rt->rt_gateway)->sin_addr.s_addr; ! else ! dest = ip->ip_dst.s_addr; ! /* Router requirements says only send host redirects */ ! type = ICMP_REDIRECT; ! code = ICMP_REDIRECT_HOST; #ifdef DIAGNOSTIC ! if (ipprintfs) ! printf("redirect (%d) to %x\n", code, ! (u_int32_t)dest); #endif } } *** ip_output.c.orig Sun Aug 9 21:11:14 1998 --- ip_output.c Sun Dec 6 17:26:11 1998 *************** *** 172,177 **** --- 172,178 ---- ipstat.ips_localout++; } else { hlen = ip->ip_hl << 2; + HTONS(ip->ip_id); } /* * Route packet. *************** *** 368,375 **** * If small enough for mtu of path, can just send directly. */ if ((u_int16_t)ip->ip_len <= mtu) { ! ip->ip_len = htons((u_int16_t)ip->ip_len); ! ip->ip_off = htons((u_int16_t)ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); --- 369,376 ---- * If small enough for mtu of path, can just send directly. */ if ((u_int16_t)ip->ip_len <= mtu) { ! HTONS(ip->ip_len); ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); *************** *** 437,443 **** } m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = (struct ifnet *)0; ! mhip->ip_off = htons((u_int16_t)mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); ipstat.ips_ofragments++; --- 438,444 ---- } m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = (struct ifnet *)0; ! 
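Review bot: The added `HTONS(ip->ip_id);` in the ip_output.c hunk at line 172 lands in the else branch whose condition is outside the hunk; in this code's lineage that branch is taken both for forwarded packets and for caller-supplied headers (IP_RAWOUTPUT). For forwarding it replaces the `HTONS(ip->ip_id)` that the ip_input.c hunk at line 1139 removes from ip_forward(), but if raw-socket senders with IP_HDRINCL already hand over ip_id in network order, the field would now be swapped a second time. If that is the case, limit the conversion to the forwarding path, e.g. `if (flags & IP_FORWARDING) HTONS(ip->ip_id);`, and note in a comment that raw output keeps the caller's byte order. The enclosing ip_output() starts and ends outside the hunk.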
HTONS(mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); ipstat.ips_ofragments++; *************** *** 451,457 **** m_adj(m, hlen + firstlen - (u_int16_t)ip->ip_len); m->m_pkthdr.len = hlen + firstlen; ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); ! ip->ip_off = htons((u_int16_t)(ip->ip_off | IP_MF)); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); sendorfree: --- 452,459 ---- m_adj(m, hlen + firstlen - (u_int16_t)ip->ip_len); m->m_pkthdr.len = hlen + firstlen; ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); ! ip->ip_off |= IP_MF; ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); sendorfree: *************** *** 1222,1229 **** * than the interface's MTU. Can this possibly matter? */ ip = mtod(copym, struct ip *); ! ip->ip_len = htons((u_int16_t)ip->ip_len); ! ip->ip_off = htons((u_int16_t)ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); (void) looutput(ifp, copym, sintosa(dst), NULL); --- 1224,1231 ---- * than the interface's MTU. Can this possibly matter? */ ip = mtod(copym, struct ip *); ! HTONS(ip->ip_len); ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); (void) looutput(ifp, copym, sintosa(dst), NULL); *** udp_usrreq.c.orig Wed Jan 14 01:41:37 1998 --- udp_usrreq.c Sun Dec 6 17:44:53 1998 *************** *** 303,308 **** --- 303,309 ---- /* It was a debugger connect packet, just drop it now */ goto bad; #endif + ip->ip_len += ip->ip_hl << 2; icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); return; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
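Review bot: The added `ip->ip_len += ip->ip_hl << 2;` in the udp_usrreq.c hunk at line 303 has no comment, and the reader cannot tell from the hunk why the header length is being added back right before icmp_error(); the reason is the ip_icmp.c change that now subtracts oiplen from oip->ip_len. A one-line comment above it, `/* icmp_error() expects ip_len to include the IP header */`, records the contract that the two files now share. If the enclosing function already keeps the header length in a local (the usual udp_input() has one), using that instead of recomputing `ip->ip_hl << 2` would be clearer; that cannot be confirmed from the hunk, which starts and ends inside udp_input().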