August 12th, 2004, 08:37 PM
I have been reading a lot on various protocols and how TCP/IP works and this is pretty much all I can gather on IP fragmentation. I know it can be used in most cases to map a network and to find out the ACL that the network's filtering device is using.
This kind of information can be found out by scanning with both TCP and UDP packets on all ports in a network range and will give you an idea of which ports on a host are alive and/or open. If no reply is received then it is a pretty good assumption that a filtering device either blocks the protocol used, the port we probed for is blocked, or it blocks ICMP Fragment Reassembly Time Exceeded error messages.
When scanning with IP fragmentation the UDP protocol seems to work the best because in most situations the first packet can be sent unfragmented. The first datagram is sent with enough information in it so that it is checked against the firewall's rule base. The rest of the packet is never sent. This is so that the probed computer will elicit an ICMP Fragment Assembly Time Exceeded error message if the port is open, and if it is closed then it will send an ICMP Port Unreachable packet. The cool thing about this is you can tell when the probed computer filters certain things because there will be no reply at all from the blocked port or protocol.
Using the TCP protocol in this type of scanning may not work as often on some systems because they specify that the first packet sent must be unfragmented. If it does succeed then an ICMP Fragment Assembly Time Exceeded error message will be sent if the port is open and a TCP RST packet will be sent if the port is closed. Once again, if the packets are filtered then no reply at all will be sent.
If anyone can add anything else that I left out or if something is wrong please do, I am really interested in how all of this scanning stuff works.
August 12th, 2004, 09:16 PM
Er, you're confusing me with the fragmented packet where the first packet doesn't need to be fragmented.......
When scanning with IP fragmentation the UDP protocol seems to work the best because in most situations the first packet can be sent unfragmented.
Packets are fragmented for the case where an intermediate router may have a smaller MTU (Maximum Transmission Unit) than normal. That router is able to fragment the packet received, mark each fragment as "fragmented", and forward the smaller datagrams to the next router. (The router can only do this if the "do not fragment" bit is not set in the received packets.)
Thus, if you aren't fragmenting the "first packet" then you are sending an entire packet so you should never receive the ICMP fragment reassembly time out response because it would not be appropriate.
I'm leaving work now so I'll take a look into this from my satellite office and see if we can't come up with something.....
Ok, a fragmented packet must contain the DF flag, (don't fragment), set to 0 and the MF Flag, (more fragments), set to 1. Are you saying that you are sending a packet with the DF = 1 and the MF = 1? That's the only way I can see that you would be sending the "first fragment" "unfragmented".... Though I am having difficulty finding the RFC reference to the appropriate response to such a malformed packet.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
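Added example (not code from either poster): the "first fragment only" UDP probe described in the first post, built byte by byte so the flag bits the second post discusses are visible. The first fragment has offset 0, MF=1 and DF=0 and carries the complete 8-byte UDP header, so a stateless filter can match the destination port, while the remaining fragments are deliberately never produced; a host that accepts the fragment holds it until its reassembly timer expires. The script also classifies the three possible replies (ICMP type 11 code 1 Time Exceeded / Fragment Reassembly, ICMP type 3 code 3 Port Unreachable, TCP RST) and recovers the probed port from the quoted header inside the ICMP error. The addresses, ports, IP ID and the reply packets are constructed here for illustration; the script only builds and parses bytes and does not transmit anything, which would need a raw socket and privileges.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IP_FLAG_MF = 0x1   # bit 13 on the wire: more fragments follow
IP_FLAG_DF = 0x2   # bit 14 on the wire: don't fragment


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident, flags, frag_offset, ttl=64):
    """20-byte IPv4 header. flags is the 3-bit field (DF|MF); frag_offset is in
    8-byte units exactly as on the wire. DF together with MF is contradictory
    and no sane stack emits it, so nothing here sets both."""
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(hdr)          # checksum computed with field = 0
    return struct.pack("!BBHHHBBH4s4s", *fields)


def first_fragment_probe(src, dst, sport, dport, ident, payload=b"\x00" * 8):
    """Only the FIRST fragment of a UDP datagram: offset 0, MF set, DF clear.
    It carries the full 8-byte UDP header so a filter can match the port, but
    the rest of the datagram is never sent, so a host that accepts the fragment
    sits on it until its reassembly timer expires. UDP checksum 0 = none (IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    assert len(udp) % 8 == 0, "non-final fragments must be multiples of 8 bytes"
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp), ident, IP_FLAG_MF, 0) + udp


def parse_ipv4(pkt):
    v = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (v[0] & 0xF) * 4
    return {"ident": v[3], "df": bool(v[4] >> 14 & 1), "mf": bool(v[4] >> 13 & 1),
            "frag_offset": v[4] & 0x1FFF, "proto": v[6],
            "src": socket.inet_ntoa(v[8]), "payload": pkt[ihl:v[2]]}


def icmp_reply(src, dst, icmp_type, icmp_code, quoted):
    """Constructed ICMP error from the probed host, quoting the offending
    datagram's IP header + first 8 bytes as RFC 792 requires."""
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(body), 0x4242, 0, 0) + body


def classify_reply(pkt):
    """What a reply tells us about the probed port.
    Returns (verdict, probed destination port or None)."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_ICMP:
        icmp_type, icmp_code = ip["payload"][0], ip["payload"][1]
        quoted = ip["payload"][8:]                 # our original probe
        port = struct.unpack("!H", quoted[22:24])[0] if len(quoted) >= 24 else None
        if (icmp_type, icmp_code) == (11, 1):
            return "reassembly-timeout: probe reached the host", port
        if (icmp_type, icmp_code) == (3, 3):
            return "port-unreachable: UDP port closed", port
        if icmp_type == 3 and icmp_code in (9, 10, 13):
            return "admin-prohibited: a filter answered", port
        return "icmp type %d code %d" % (icmp_type, icmp_code), port
    if ip["proto"] == IPPROTO_TCP and ip["payload"][13] & 0x04:   # RST flag
        return "tcp-rst: TCP port closed", struct.unpack("!H", ip["payload"][0:2])[0]
    return "other", None


if __name__ == "__main__":
    probe = first_fragment_probe("10.0.0.1", "10.0.0.2", 40000, 53, 0x1234)
    print(parse_ipv4(probe))
    for t, c in ((11, 1), (3, 3)):
        print(classify_reply(icmp_reply("10.0.0.2", "10.0.0.1", t, c, probe[:28])))
    # No reply at all before your own timeout is the third outcome: filtered.
```

Two practical caveats when trying this for real: the ICMP error quotes the first 28 bytes of the probe, so use a distinct IP ID per probe to correlate answers, and many modern stacks and middleboxes silently drop incomplete fragment sets, so "no reply" cannot by itself distinguish a filter from a host that just does not send Time Exceeded messages.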
August 13th, 2004, 02:54 AM
I confused myself with this one. Sorry Tiger. I am pretty much looking for a clarification on this because it seems so blasted complicated. Any suggestions besides ping, nmap, and sing to try this kind of stuff out? Is there anything out there that will let me craft my own kind of udp or tcp packet? It is really interesting, I am just having a little bit of a hard time with ip fragmentation and understanding how it works.