|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This ```auxiliary/scanner/ip/ipidseq``` module will probe hosts' IPID sequences and classify them using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O). |
| 4 | + |
| 5 | +More information: https://nmap.org/book/idlescan.html |
| 6 | + |
| 7 | +Nmap's probes are SYN/ACKs while this module's are SYNs. |
| 8 | +While this does not change the underlying functionality, it does change the chance of whether or not the probe will be stopped by a firewall. |
| 9 | + |
| 10 | +Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental". |
| 11 | + |
| 12 | +## Verification Steps |
| 13 | + |
| 14 | +1. Start msfconsole |
| 15 | +1. Do: `use auxiliary/scanner/ip/ipidseq` |
| 16 | +1. Do: `set RHOSTS [ip]` |
| 17 | +1. Do: `run` or `exploit` |
| 18 | + |
| 19 | +## Options |
| 20 | + |
| 21 | +``` |
| 22 | +Basic options: |
| 23 | + Name Current Setting Required Description |
| 24 | + ---- --------------- -------- ----------- |
| 25 | + INTERFACE no The name of the interface |
| 26 | + RHOSTS 10.0.20.254 yes The target host(s) |
| 27 | + RPORT 80 yes The target port |
| 28 | + SNAPLEN 65535 yes The number of bytes to capture |
| 29 | + THREADS 1 yes The number of concurrent threads (max one per host) |
| 30 | + TIMEOUT 500 yes The reply read timeout in milliseconds |
| 31 | +``` |
| 32 | + |
| 33 | +### Advanced Options |
| 34 | +``` |
| 35 | + Name Current Setting Required Description |
| 36 | + ---- --------------- -------- ----------- |
| 37 | + GATEWAY_PROBE_HOST 8.8.8.8 yes Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC |
| 38 | + GATEWAY_PROBE_PORT no The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset) |
| 39 | + SAMPLES 6 yes The IPID sample size |
| 40 | + SECRET 1297303073 yes A 32-bit cookie for probe requests. |
| 41 | + ShowProgress true yes Display progress messages during a scan |
| 42 | + ShowProgressPercent 10 yes The interval in percent that progress should be shown |
| 43 | + VERBOSE false no Enable detailed status messages |
| 44 | + WORKSPACE no Specify the workspace for this module |
| 45 | +
|
| 46 | +``` |
| 47 | + |
| 48 | +Required Options: |
| 49 | +1. RHOSTS |
| 50 | + |
| 51 | + |
| 52 | +## Scenarios |
| 53 | +Possible output: |
| 54 | +1. Unknown |
| 55 | +2. Randomized |
| 56 | +3. All zeros |
| 57 | +4. Random positive increments |
| 58 | +5. Constant |
| 59 | +6. Broken little-endian incremental! |
| 60 | +7. Incremental! |
| 61 | + |
| 62 | + |
| 63 | +### Example Incremental |
| 64 | + |
| 65 | +``` |
| 66 | +msf6 auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.0.20.254 |
| 67 | +RHOSTS => 10.0.20.254 |
| 68 | +msf6 auxiliary(scanner/ip/ipidseq) > exploit |
| 69 | +
|
| 70 | +[*] 10.0.20.254's IPID sequence class: Incremental! |
| 71 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 72 | +[*] Auxiliary module execution completed |
| 73 | +``` |
| 74 | + |
| 75 | +### Example Host down |
| 76 | + |
| 77 | +``` |
| 78 | +msf6 auxiliary(scanner/ip/ipidseq) > run |
| 79 | +
|
| 80 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 81 | +[*] Auxiliary module execution completed |
| 82 | +``` |
| 83 | + |
| 84 | +### Example Range scanning |
| 85 | + |
| 86 | +``` |
| 87 | +msf6 auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.0.20.0-10.0.20.254 |
| 88 | +RHOSTS => 10.0.20.0-10.0.20.254 |
| 89 | +msf6 auxiliary(scanner/ip/ipidseq) > run |
| 90 | +
|
| 91 | +[*] Scanned 26 of 255 hosts (10% complete) |
| 92 | +[*] 10.0.20.30's IPID sequence class: Incremental! |
| 93 | +[*] Scanned 51 of 255 hosts (20% complete) |
| 94 | +``` |
0 commit comments