Probe-modules: IPIP #684

Merged: phillip-stephens merged 11 commits into zmap:main from yannayl:ipip on Mar 5, 2024

@yannayl
Contributor

@yannayl yannayl commented Feb 19, 2022

Add a probe module to scan for hosts with IPIP protocol (4) supported.

These hosts may be used for IP spoofing, NAT traversal or just lengthening the path which an IP traverses along the network.

Usage example:
zmap --target-port=53 --probe-module=ipip -i eth0.2

For uses see: PoC||GTFO 0x21:3
This issue was responsibly disclosed two years ago to Cert CC
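
A defender-side check for the traffic this kind of scan looks for, added here as an example and not part of the PR or ZMap's code: it parses a captured IPv4 packet, recognises protocol 4 encapsulation, and flags IPIP that arrives from a source other than a configured tunnel peer. The names `parse_ipip`, `ipip_info` and `ipip_from_known_peer`, the peer allow-list policy and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define PROTO_IPIP 4 /* IPv4-in-IPv4: the "IPIP protocol (4)" the PR probes for */
/* Hypothetical result type; addresses are stored in host byte order. */
struct ipip_info { uint32_t outer_src, inner_src, inner_dst; uint8_t inner_proto; };

static uint32_t rd32(const uint8_t *p) {
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Header length in bytes, or 0 if b is not a complete, sane IPv4 packet. */
static size_t ipv4_hdr_len(const uint8_t *b, size_t len) {
	if (len < 20 || (b[0] >> 4) != 4) return 0;
	size_t ihl = (size_t)(b[0] & 0x0f) * 4, total = ((size_t)b[2] << 8) | b[3];
	return (ihl < 20 || total < ihl || total > len) ? 0 : ihl;
}

/* 1 = well-formed IPIP (out filled), 0 = not IPIP, -1 = malformed. Checksums are not verified. */
int parse_ipip(const uint8_t *pkt, size_t len, struct ipip_info *out) {
	size_t ohl = ipv4_hdr_len(pkt, len);
	if (ohl == 0) return -1;
	if (pkt[9] != PROTO_IPIP) return 0;
	const uint8_t *in = pkt + ohl; /* inner packet starts right after the outer header */
	if (ipv4_hdr_len(in, (((size_t)pkt[2] << 8) | pkt[3]) - ohl) == 0) return -1;
	out->outer_src = rd32(pkt + 12);
	out->inner_src = rd32(in + 12); /* address a decapsulating host would emit as source */
	out->inner_dst = rd32(in + 16);
	out->inner_proto = in[9];
	return 1;
}

/* Assumed policy: IPIP is expected only from explicitly configured tunnel peers. */
int ipip_from_known_peer(const struct ipip_info *i, const uint32_t *peers, size_t n) {
	for (size_t k = 0; k < n; k++)
		if (peers[k] == i->outer_src) return 1;
	return 0;
}

/* Constructed sample: outer 192.0.2.10 -> 198.51.100.5, inner UDP 203.0.113.7 -> 198.51.100.53 port 53. */
static const uint8_t SAMPLE[48] = {
	0x45,0,0,48, 0,0,0,0, 64,4,0,0,  192,0,2,10,  198,51,100,5,
	0x45,0,0,28, 0,0,0,0, 64,17,0,0, 203,0,113,7, 198,51,100,53, 0x12,0x34,0,53, 0,8,0,0 };

int main(void) {
	struct ipip_info i = {0};
	const uint32_t peers[] = { 0xC6336401u }; /* constructed allow-list: 198.51.100.1 */
	int hit = parse_ipip(SAMPLE, sizeof SAMPLE, &i) == 1 && !ipip_from_known_peer(&i, peers, 1);
	printf("IPIP from non-peer: %d (inner src %08x)\n", hit, (unsigned)i.inner_src);
	return 0;
}
```
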

yannayl and others added 4 commits February 19, 2022 18:43
When packets with source ip which is not the receiving address for
replies (e.g. behind NAT) validation data was computed with the actual
receiving address on receive. However, on send it is computed with the
sending address. This discrepancy made valid packets fail validation.

This commit fixes the discrepancy by trying every possible sender IP
when validating a packet.
@zakird zakird self-requested a review February 11, 2024 17:23
@zakird
Member

zakird commented Feb 11, 2024

@phillip-stephens Looked at this briefly and the probe module itself looks reasonable. Would you be willing to help fix up types/tests issues, and merge?

@phillip-stephens
Contributor

Validated that after fixing up merge conflicts from the past 2 years of changes, the scanning behavior was not changed.
Specifically, ran sudo ./src/zmap -p 53 --probe-module=ipip -i enp0s8 -B 100M -c 2 1.1.1.1/13 on commit 0285d19 and eab1103 and the hit hosts were identical (3 found hosts). The scan did not return anything when run locally on my MacBook, but when run on an Ubuntu VM in the lab, it did. I'm chalking this up to something strange with my Mac's networking (valid?).

Let me just validate the packets generated look fine in Wireshark and then I'm good to merge.

@phillip-stephens
Contributor

Looks fine to me, I'm not entirely sure what the purpose of the random HTTP GET is in the UDP payload, but the IPIP stuff looks reasonable. Merging!

@phillip-stephens phillip-stephens merged commit f0ba1ad into zmap:main Mar 5, 2024