Does the nmap mtu scan really send a crafted mtu size?

Since nmap is a very well-known security tool, I think this is the right section.

I have been reading about nmap techniques here as part of my network security program.

I ran 2 scans ... one against port 1337, which is closed, while the other port, 4444, is open.

When I try an nmap mtu scan and capture the packet with Wireshark, I don't see the mtu size (32) that I set in nmap.

user@linux:~$ sudo nmap --mtu 32 192.168.10.12 -p 1337

Nmap scan report for 192.168.10.12
Host is up (0.0023s latency).
PORT     STATE  SERVICE
1337/tcp closed waste
MAC Address: AA:AA:AA:AA:AA:12 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
user@linux:~$ 

The only value I see is Total Length: 44

  1. Any idea why I didn't see the mtu size 32 in Wireshark?

  2. Is this the right place to check the mtu size in Wireshark (IPv4 > Total Length)?

asked by Sabrina 10.04.2018 - 08:57

1 answer

If your idea is to fragment the packets, I think you need to use the -f parameter, according to its help:

       -f (fragment packets); --mtu (using the specified MTU)
       The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to
       make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have
       trouble handling these tiny packets. The old-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option
       once, and Nmap splits the packets into eight bytes or less after the IP header. So a 20-byte TCP header would be split into three packets. Two with eight bytes of
       the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing the number of
       fragments). Or you can specify your own offset size with the --mtu option. Don't also specify -f if you use --mtu. The offset must be a multiple of eight. While
       fragmented packets won't get by packet filters and firewalls that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some
       networks can't afford the performance hit this causes and thus leave it disabled. Others can't enable this because fragments may take different routes into their
       networks. Some source systems defragment outgoing packets in the kernel. Linux with the iptables connection tracking module is one such example. Do a scan while
       a sniffer such as Wireshark is running to ensure that sent packets are fragmented. If your host OS is causing problems, try the --send-eth option to bypass
       the IP layer and send raw ethernet frames.

       Fragmentation is only supported for Nmap's raw packet features, which includes TCP and UDP port scans (except connect scan and FTP bounce scan) and OS detection.
       Features such as version detection and the Nmap Scripting Engine generally don't support fragmentation because they rely on your host's TCP stack to communicate
       with target services.

On the other hand, it is very useful to load the pcap file; note that you may be applying a filter that could hide the fragmented packets.

answered by camp0 10.04.2018 - 09:28
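An added example, not part of the question or the answer above, written in Python to model the splitting rule the quoted Nmap manual describes: each fragment carries at most --mtu bytes of data after the IP header, and --mtu must be a multiple of eight because the IPv4 fragment offset is counted in 8-byte units. It also builds and parses a minimal IPv4 header so that the fields Wireshark shows as Flags (More fragments) and Fragment offset, rather than Total Length, can be inspected to tell whether a packet is a fragment. The 24-byte transport size is an assumption (a 20-byte TCP header plus a 4-byte MSS option, which is what a 44-byte Total Length behind a 20-byte IP header implies); the addresses and identification value are constructed sample data.

```python
import struct

IP_HDR_LEN = 20  # IPv4 header without options

# Assumption (constructed for this example): a SYN probe is a 20-byte TCP header
# plus a 4-byte MSS option, i.e. 24 bytes of transport data, which is what a
# 44-byte Total Length with a 20-byte IP header implies.
SYN_PROBE_TCP_LEN = 24


def plan_fragments(transport_len, mtu):
    """Model the rule quoted from the Nmap manual: each fragment carries at most
    `mtu` bytes of data after the IP header, and `mtu` must be a multiple of
    eight because IPv4 fragment offsets are counted in 8-byte units.

    Returns a list of (offset_bytes, payload_len, more_fragments). A segment
    that already fits in `mtu` bytes yields one entry with more_fragments=False,
    i.e. no fragmentation happens at all.
    """
    if mtu <= 0 or mtu % 8 != 0:
        raise ValueError("fragment data size must be a positive multiple of 8")
    frags = []
    offset = 0
    while offset < transport_len:
        length = min(mtu, transport_len - offset)
        more = offset + length < transport_len
        frags.append((offset, length, more))
        offset += length
    return frags


def total_lengths(transport_len, mtu):
    """IPv4 Total Length of every packet on the wire for a given split."""
    return [IP_HDR_LEN + length for _, length, _ in plan_fragments(transport_len, mtu)]


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(payload_len, offset_bytes, more_fragments, ident=0x1234, proto=6,
                      src=b"\xc0\xa8\x0a\x01", dst=b"\xc0\xa8\x0a\x0c"):
    """Minimal 20-byte IPv4 header for one fragment (addresses are constructed samples)."""
    if offset_bytes % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)  # MF bit + offset/8
    fields = [0x45, 0, IP_HDR_LEN + payload_len, ident, flags_frag, 64, proto, 0, src, dst]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(raw)  # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4_header(raw):
    """Decode the fields Wireshark shows under IPv4 > Flags and Fragment offset."""
    (_, _, total_length, ident, flags_frag, _, proto, _, _, _) = struct.unpack(
        "!BBHHHBBH4s4s", raw[:IP_HDR_LEN])
    more = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    return {
        "total_length": total_length,
        "identification": ident,
        "protocol": proto,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": more,
        "fragment_offset": offset,
        # A packet belongs to a fragmented datagram if MF is set or the offset
        # is non-zero; Total Length alone says nothing about fragmentation.
        "is_fragment": more or offset != 0,
    }


def wire_packets(transport_len, mtu):
    """Parsed IPv4 headers of the packets the modelled split would put on the wire."""
    return [parse_ipv4_header(build_ipv4_header(length, off, more))
            for off, length, more in plan_fragments(transport_len, mtu)]


if __name__ == "__main__":
    for mtu in (8, 16, 32):
        summary = [(p["total_length"], p["more_fragments"], p["fragment_offset"])
                   for p in wire_packets(SYN_PROBE_TCP_LEN, mtu)]
        print("--mtu %d -> (total length, MF, offset):" % mtu, summary)
```

Under these assumptions, plan_fragments(20, 8) reproduces the manual's three fragments of 8, 8 and 4 bytes, while plan_fragments(24, 32) yields a single entry with the More-fragments flag clear: a 24-byte segment fits inside a 32-byte fragment, so the model predicts one unfragmented packet with Total Length 44 and no fragment fields set, which is why Total Length alone is not where fragmentation shows up in a capture.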
