Master's Thesis TCP Idle Scans in IPv6
Authors
Abstract
Port scans are done by an attacker to discover which services are offered by systems on a network and could be attacked. There are various approaches for port scanning, all providing advantages and disadvantages. One of those approaches is the TCP Idle Scan, in which the attacker spoofs messages of a third computer in order to remain undetected. To see the results of the scan, the attacker utilizes the IPID in the IPv4 header. With the slowly approaching replacement of IPv4 by IPv6, one will no longer be able to conduct the TCP Idle Scan as before, as the IPID is not included statically in the IPv6 header, but only when fragmentation is needed. Therefore, this thesis started with an investigation of whether the TCP Idle Scan is still feasible in IPv6. The investigation illustrated that an attacker can use ICMPv6 Echo Request messages with large amounts of data as well as ICMPv6 Packet Too Big messages specifying an MTU smaller than the IPv6 minimum MTU. This way, the idle host can be forced to use the IPv6 extension header for fragmentation, which contains an identification value comparable to the IPID in IPv4, in each IPv6 packet sent to a specific host. Applying this method, the TCP Idle Scan is feasible in IPv6. After establishing how to conduct the TCP Idle Scan in IPv6, 21 different operating systems and versions have been analyzed regarding their properties as idle hosts. Among those, all nine tested Windows operating systems were suitable. This shows that the mistake of using predictable IPIDs in IPv4 is being repeated in IPv6. Also, two alternatives to the TCP Idle Scan in IPv4 as well as in IPv6, which do not rely on predictable assignment of the IPID or identification values, have been analyzed. The first one is the RST Rate Limit Scan, which utilizes the fact that some idle hosts only allow a certain number of TCP segments with the RST flag per second.
Another alternative is the SYN Cache Scan, which makes use of the limited number of half-open TCP connections an idle host is able to store. Additionally, with the second alternative, it might also be possible for an attacker to scan through a firewall into the internal network. To show that the presented port scanning methods can also be used in practice, a proof of concept has been created for each scan. Additionally, a patch for the security scanner Nmap was created, which already provided a very elaborate version of the TCP Idle Scan in IPv4. This patch enables the scanner to execute the TCP Idle Scan in IPv6. Compared to the TCP Idle Scan in IPv4, the created implementation decreased in performance by less than 1% while at the same time placing fewer requirements on the idle host.
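The idle-host property the abstract hinges on is a predictable Fragment header Identification counter. The following script is an added example for auditing one's own hosts; it is not code from the thesis or from the Nmap patch it describes. It assumes you have already captured, in sending order, the 32-bit Identification values from a host's fragmented IPv6 packets; the sample sequences are constructed, and the byte-swapped check is an assumption carried over from the little-endian IPID counters known from IPv4, not a behaviour the abstract attributes to any IPv6 stack.

```python
"""Classify captured IPv6 Fragment-header Identification values.

Added example for auditing one's own hosts: a host whose fragment
Identification values advance by a fixed, small step per packet exposes
the same predictable-counter side channel the thesis describes for the
IPv4 IPID. Feed classify_id_sequence() the Identification values captured
from a host's fragmented IPv6 packets (in the order they were sent) and it
reports whether the counter is predictable. All sample sequences below are
constructed, not captured from any real system.
"""

MASK32 = 0xFFFFFFFF  # the Fragment header Identification field is 32 bits wide


def id_deltas(ids):
    """Per-packet increments, modulo 2^32, so a counter wrap does not look like a jump."""
    return [(b - a) & MASK32 for a, b in zip(ids, ids[1:])]


def swap32(value):
    """Reinterpret a 32-bit value with the opposite byte order."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def classify_id_sequence(ids, max_step=256):
    """Return the counter class of an observed Identification sequence.

    'constant'            every packet reuses the same value
    'incremental'         fixed non-zero step: fully predictable (the idle-host property)
    'busy-incremental'    small positive steps of varying size: the counter is shared
                          with other traffic, so the host is talking to someone else too
    'incremental-swapped' fixed step once the bytes are swapped (assumption: mirrors
                          the little-endian counter case known from IPv4 IPIDs)
    'random'              anything else
    'unknown'             too few samples to say
    """
    if len(ids) < 3:
        return "unknown"
    deltas = id_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if deltas[0] != 0 and all(d == deltas[0] for d in deltas):
        return "incremental"
    if all(0 < d <= max_step for d in deltas):
        return "busy-incremental"
    swapped = id_deltas([swap32(i) for i in ids])
    if swapped[0] != 0 and all(d == swapped[0] for d in swapped):
        return "incremental-swapped"
    return "random"


def has_predictable_ids(ids):
    """True when the host repeats the predictable-counter mistake; a defender wants False."""
    return classify_id_sequence(ids) in ("incremental", "incremental-swapped")


# Constructed sample captures (not real observations), one per class.
SAMPLES = {
    "wraps_around": [0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000001, 0x00000002],
    "constant": [0x00000007] * 4,
    "busy": [100, 103, 104, 110, 111],
    "byte_swapped_counter": [swap32(n) for n in (254, 255, 256, 257)],
    "random": [0x3A9F1C22, 0x8B0E77D1, 0x1F4C2A90, 0xC71A03E5],
}


def audit_samples():
    """Classify every sample; returns {name: class}."""
    return {name: classify_id_sequence(ids) for name, ids in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        flag = "PREDICTABLE" if has_predictable_ids(SAMPLES[name]) else "ok"
        print(f"{name:22s} {verdict:20s} {flag}")
```

The wrap-around sample shows why increments are taken modulo 2^32: a counter passing from 0xFFFFFFFF to 0 is still a step of one. The "busy" class matters as much as the random one, since a host whose counter is shared with other traffic gives a scanner no clean signal either; only the two "incremental" verdicts describe the situation the abstract reports for the tested Windows systems.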
Similar resources
Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking
Idle port scanning uses side-channel attacks to bounce scans off of a “zombie” host to stealthily scan a victim IP address and determine if a port is open or closed, or infer IP-based trust relationships between the zombie and victim. In this paper, we present results from building a transition system model of a network protocol stack for an attacker, victim, and zombie, and testing this model ...
Simulation Study of TCP Performance Over Mobile IPV4 and Mobile IPV6
Mobile IPv6 (MIPv6) is a protocol to deal with mobility for the next generation Internet (IPv6). However, the performance of MIPv6 has not yet been extensively investigated. Knowledge of how MIPv6 affects TCP performance, especially in comparison with MIPv4, can provide directions for further improvement. In this report, an intensive simulation study of TCP performance over MIPv4 and MIPv6 has ...
A Guide to Writing a Master's Thesis
This paper serves as a guide for the students admitted to a course, qualified as a Master's Course, at Stockholm University, department of Computer and Systems Sciences. The goal of the course is to train the students in scientific work and scientific writing, intended to result in a Master's thesis. This paper briefly describes the different choices the students can make, influencing their work with...
Performance Comparison of IPv4 and IPv6 using Windows XP and Windows 7 over Gigabit Ethernet LAN
ABSTRACT In this Research Paper, We have evaluated the performance of IPv4 and IPv6 using Windows XP and Windows 7. In this study TCP (Transmission Control Protocol) Throughput and UDP (User Datagram Protocol) Throughput have been compared for protocol IPv4 and IPv6. Experimental results showed that Windows XP provides better results for UDP Throughput than Windows7 & Windows7 can provide bette...
An IPv6-to-IPv4 Transport Relay Translator
Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract The document describes an IPv6-to-IPv4 transport relay translator (TRT). It enables IPv6-only hosts to exchange {TCP,UDP} traffic with IPv4-only hosts. A TRT system, which locates in the middle, translates {TCP,UDP}...