|
1 | 1 | ## Vulnerable Application |
2 | 2 |
|
3 | | - This `auxiliary/scanner/ip/ipidseq` module will probe hosts' IPID sequences and classify them |
4 | | - using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). |
| 3 | +This `auxiliary/scanner/ip/ipidseq` module will probe hosts' IPID sequences and classify them |
| 4 | +using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). |
5 | 5 |
|
6 | | - The module should only be used in internal networks. |
| 6 | +The module should only be used in internal networks. Additionally, administrative/root permissions |
| 7 | +are required to successfully capture on the device/interface. |
7 | 8 |
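Review bot: the new lines 6-7 state that administrative/root permissions are required "to successfully capture on the device/interface" but not why; since the module captures raw packets (the SNAPLEN option further down is "the number of bytes to capture"), say that the privilege is needed for raw packet capture and sending, so a reader who hits a permission error knows which part failed. Also pick one of "device" or "interface" rather than "device/interface".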
|
8 | | - Possible methods of IPID generation: |
9 | | - 1. Unknown |
10 | | - 2. Randomized |
11 | | - 3. All zeros |
12 | | - 4. Random positive increments |
13 | | - 5. Constant |
14 | | - 6. Broken little-endian incremental! |
15 | | - 7. Incremental! |
| 9 | +Possible methods of IPID generation: |
16 | 10 |
|
17 | | - The module should only be used in internal networks. |
| 11 | +1. Unknown |
| 12 | +2. Randomized |
| 13 | +3. All zeros |
| 14 | +4. Random positive increments |
| 15 | +5. Constant |
| 16 | +6. Broken little-endian incremental |
| 17 | +7. Incremental |
18 | 18 |
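Review bot: items 6 and 7 lose their trailing "!" ("Broken little-endian incremental!", "Incremental!"), and the hunk does not say whether that matches what the module prints. If the module's own classification strings carry the exclamation mark, the list should keep them verbatim so that users can match console output to this doc; if not, the new wording is right and now also agrees with the "Incremental" / "Broken little-endian incremental" spelling used in the Nmap Idle Scan section below. Worth checking against the module's strings before merging. Removing the stray duplicate "The module should only be used in internal networks." that followed the list is a good cleanup.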
|
19 | | - ### Nmap Idle Scan |
| 19 | +### Nmap Idle Scan |
20 | 20 |
|
21 | | - Nmap's probes are SYN/ACKs while this module's are SYNs. |
22 | | - While this does not change the underlying functionality, |
23 | | - it does change the chance of whether or not the probe will be stopped by a firewall. |
| 21 | +Nmap's probes are SYN/ACKs while this module's are SYNs. |
| 22 | +While this does not change the underlying functionality, |
| 23 | +it does change the chance of whether or not the probe will be stopped by a firewall. |
24 | 24 |
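Review bot: lines 21-23 are whitespace-only changes, but the sentence they carry is vague about direction: "change the chance of whether or not the probe will be stopped by a firewall" does not say whether SYN probes are more or less likely than Nmap's SYN/ACK probes to be filtered, nor what a filtered host looks like in the module's output. Since this is the only place the doc explains why the module's verdict can differ from Nmap's, state the direction and the observable effect (presumably the host cannot be classified and is reported as "Unknown" from the list above).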
|
25 | | - Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental". |
| 25 | +Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental". |
26 | 26 |
|
27 | | - More information: https://nmap.org/book/idlescan.html |
| 27 | +More information: https://nmap.org/book/idlescan.html |
28 | 28 |
|
29 | 29 | ## Verification Steps |
30 | 30 |
|
31 | | - 1. Start msfconsole |
32 | | - 1. Do: `use auxiliary/scanner/ip/ipidseq` |
33 | | - 1. Do: `set RHOSTS [ip]` |
34 | | - 1. Do: `run` or `exploit` |
| 31 | +1. Start msfconsole |
| 32 | +1. Do: `use auxiliary/scanner/ip/ipidseq` |
| 33 | +1. Do: `set RHOSTS [ip]` |
| 34 | +1. Do: `run` |
35 | 35 |
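Review bot: dropping "or `exploit`" from step 4 is fine, `run` being the documented command for auxiliary modules, but step 1 should now reflect the requirement added on lines 6-7 and read something like "Start msfconsole as root (packet capture requires it)"; as written, a user following these steps as an unprivileged user gets a capture failure that the doc has only warned about several sections earlier.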
|
36 | 36 | ## Options |
37 | 37 |
|
38 | | - ### SNAPLEN |
39 | | - The number of bytes to capture |
| 38 | +### SNAPLEN |
| 39 | +The number of bytes to capture. Defaults to `65535`. |
40 | 40 |
|
41 | | - ### GATEWAY_PROBE_HOST |
42 | | - Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC |
| 41 | +### GATEWAY_PROBE_HOST |
| 42 | +Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC. Defaults to `8.8.8.8`. |
43 | 43 |
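Review bot: line 42 documents the default `8.8.8.8`, which reads oddly next to the "internal networks only" statement; clarify that because the datagram is sent with TTL=1 it expires at the first hop and is never delivered to 8.8.8.8. The address only needs to be off-link so that the kernel routes the packet via the default gateway and the gateway's MAC can be learned; any non-local address works, and readers in egress-restricted environments should know that no traffic leaves the local segment.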
|
44 | | - ### SAMPLES |
45 | | - The IPID sample size. Must be greater than 2. |
46 | | - |
47 | | - ### SECRET |
48 | | - A 32-bit cookie for probe requests. |
| 44 | +### SAMPLES |
| 45 | +The IPID sample size. Must be greater than `2`. Defaults to `6`. |
49 | 46 |
|
| 47 | +### SECRET |
| 48 | +A 32-bit cookie for probe requests. Defaults to `1297303073`. |
50 | 49 |
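Review bot: line 48 adds a fixed default for SECRET, but "A 32-bit cookie for probe requests" still does not say what the cookie is for; say how it is used (presumably carried in the probe so the module can match replies to its own requests) and note that, because the default is a constant, every scan run with the default carries the same value, which makes the probe traffic easy for a network defender to signature. Suggest recommending a per-engagement value or a random default. On line 45, "Must be greater than `2`" plus "Defaults to `6`" is good, but say what happens when a smaller value is set (rejected at option validation or at run time).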
|
51 | 50 | ## Scenarios |
52 | 51 |
|
53 | | - ### Example Incremental |
| 52 | +### Example Incremental |
54 | 53 |
|
55 | 54 | ``` |
56 | 55 | msf6 auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.0.20.254 |
|