63 lines
1.7 KiB
Markdown
63 lines
1.7 KiB
Markdown
## Vulnerable Application
|
|
|
|
This `auxiliary/scanner/ip/ipidseq` module will probe hosts' IPID sequences and classify them
|
|
using the same method Nmap uses when it's performing its IPID Idle Scan (-sI) and OS Detection (-O).
|
|
|
|
The module should only be used in internal networks. Additionally, administrative/root permissions
|
|
are required to successfully capture on the device/interface.
|
|
|
|
Possible methods of IPID generation:
|
|
|
|
1. Unknown
|
|
2. Randomized
|
|
3. All zeros
|
|
4. Random positive increments
|
|
5. Constant
|
|
6. Broken little-endian incremental
|
|
7. Incremental
|
|
|
|
### Nmap Idle Scan
|
|
|
|
Nmap's probes are SYN/ACKs while this module's are SYNs.
|
|
While this does not change the underlying functionality,
|
|
it does change the chance of whether or not the probe will be stopped by a firewall.
|
|
|
|
Nmap's Idle Scan can use hosts whose IPID sequences are classified as "Incremental" or "Broken little-endian incremental".
|
|
|
|
More information: https://nmap.org/book/idlescan.html
|
|
|
|
## Verification Steps
|
|
|
|
1. Start msfconsole
|
|
1. Do: `use auxiliary/scanner/ip/ipidseq`
|
|
1. Do: `set RHOSTS [ip]`
|
|
1. Do: `run`
|
|
|
|
## Options
|
|
|
|
### SNAPLEN
|
|
The number of bytes to capture. Defaults to `65535`.
|
|
|
|
### GATEWAY_PROBE_HOST
|
|
Send a TTL=1 random UDP datagram to this host to discover the default gateway's MAC. Defaults to `8.8.8.8`.
|
|
|
|
### SAMPLES
|
|
The IPID sample size. Must be greater than `2`. Defaults to `6`.
|
|
|
|
### SECRET
|
|
A 32-bit cookie for probe requests. Defaults to `1297303073`.
|
|
|
|
## Scenarios
|
|
|
|
### Example Incremental
|
|
|
|
```
|
|
msf6 auxiliary(scanner/ip/ipidseq) > set RHOSTS 10.0.20.254
|
|
RHOSTS => 10.0.20.254
|
|
msf6 auxiliary(scanner/ip/ipidseq) > exploit
|
|
|
|
[*] 10.0.20.254's IPID sequence class: Incremental!
|
|
[*] Scanned 1 of 1 hosts (100% complete)
|
|
[*] Auxiliary module execution completed
|
|
```
|