naabu
Fixing source ip
Closes #990
Todos:
- [x] Latest Linux kernel seems to override/rewrite TCP/UDP headers if custom options are used (ex. custom ip)
- [x] In case custom ip and interface are specified naabu should go one level down to L2 and bypass the kernel (Info to infer: source MAC, destination MAC, Gateway IP)
Example
Add secondary address:
$ ip address add 30.0.0.1/32 dev eth0
Nmap:
# nmap -p 80 -S 30.0.0.1 188.42.216.83 -Pn -e eth0
...
# tcpdump -n host 188.42.216.83
10:46:06.351401 IP 30.0.0.1.54407 > 188.42.216.83.80: Flags [S], seq 1184607835, win 1024, options [mss 1460], length 0
10:46:07.352534 IP 30.0.0.1.54409 > 188.42.216.83.80: Flags [S], seq 1184476761, win 1024, options [mss 1460], length 0
Naabu
# ./naabu -host 188.42.216.83 -source-ip 30.0.0.1 -i eth0 -port 80 -debug -Pn
...
# tcpdump -n host 188.42.216.83
10:50:39.161762 IP 30.0.0.1.35757 > 188.42.216.83.80: Flags [S], seq 0, win 1024, options [mss 1460], length 0
10:50:39.161797 IP 30.0.0.1.35757 > 188.42.216.83.80: Flags [S], seq 1, win 1024, options [mss 1460], length 0
10:50:39.161806 IP 30.0.0.1.35757 > 188.42.216.83.80: Flags [S], seq 2, win 1024, options [mss 1460], length 0
nmap:
$ nmap -p 80 -S 30.0.0.1 188.42.216.83 -Pn -e en0
...
$ tcpdump -n host 188.42.216.83
15:43:01.301878 IP 30.0.0.1.53957 > 188.42.216.83.80: Flags [S], seq 1524061434, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 396366718 ecr 0,sackOK,eol], length 0
15:43:02.302677 IP 30.0.0.1.53957 > 188.42.216.83.80: Flags [S], seq 1524061434, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 396367719 ecr 0,sackOK,eol], length 0
naabu:
$ go run . -host 188.42.216.83 -source-ip 30.0.0.1 -i en0 -port 80 -debug -Pn
...
$ tcpdump -n host 188.42.216.83
15:48:50.496326 IP 192.168.50.13.54057 > 188.42.216.83.80: Flags [S], seq 1500303991, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2096519124 ecr 0,sackOK,eol], length 0
15:48:50.564183 IP 188.42.216.83.80 > 192.168.50.13.54057: Flags [S.], seq 71956256, ack 1500303992, win 65160, options [mss 1452,sackOK,TS val 4076747498 ecr 2096519124,nop,wscale 7], length 0
tested on Mac.
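The second todo above is the core of the fix: once the caller picks both a source IP and an interface, naabu has to write the Ethernet, IPv4 and TCP headers itself so the kernel never gets a chance to rewrite them, which means it also needs the source MAC, the next-hop (gateway) MAC and the gateway IP. The following standard-library Go program is an added example, not naabu's own code (naabu relies on libpcap, as the apt install line in the Linux repro shows): it assembles the bare SYN frame that the Linux captures show (Flags [S], win 1024, options [mss 1460]) with a caller-chosen source IP, then re-verifies it the way tcpdump would. The MAC addresses are constructed placeholders; on a real host the source MAC comes from the interface and the destination MAC from an ARP lookup of the gateway IP.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// ipv4Checksum is the Internet checksum (RFC 1071): one's-complement sum of
// 16-bit words. Run over a header that already carries its checksum it yields 0.
func ipv4Checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// BuildSYNFrame assembles Ethernet + IPv4 + TCP SYN entirely in user space.
// Every header is written here, so the source IP is exactly what the caller
// passed; nothing below L2 is left for the kernel to rewrite.
func BuildSYNFrame(srcMAC, dstMAC net.HardwareAddr, srcIP, dstIP net.IP, srcPort, dstPort uint16, seq uint32) ([]byte, error) {
	src4, dst4 := srcIP.To4(), dstIP.To4()
	if src4 == nil || dst4 == nil {
		return nil, errors.New("IPv4 addresses required")
	}
	if len(srcMAC) != 6 || len(dstMAC) != 6 {
		return nil, errors.New("48-bit MAC addresses required")
	}

	// TCP: 20-byte base header + 4-byte MSS option (kind 2, len 4, 1460).
	tcp := make([]byte, 24)
	binary.BigEndian.PutUint16(tcp[0:], srcPort)
	binary.BigEndian.PutUint16(tcp[2:], dstPort)
	binary.BigEndian.PutUint32(tcp[4:], seq)
	tcp[12] = byte(len(tcp)/4) << 4            // data offset: 6 words
	tcp[13] = 0x02                             // SYN only
	binary.BigEndian.PutUint16(tcp[14:], 1024) // window, as in the captures
	tcp[20], tcp[21] = 2, 4
	binary.BigEndian.PutUint16(tcp[22:], 1460)
	// TCP checksum covers a pseudo-header (src, dst, zero, proto, length) + segment.
	pseudo := make([]byte, 12, 12+len(tcp))
	copy(pseudo[0:], src4)
	copy(pseudo[4:], dst4)
	pseudo[9] = 6
	binary.BigEndian.PutUint16(pseudo[10:], uint16(len(tcp)))
	binary.BigEndian.PutUint16(tcp[16:], ipv4Checksum(append(pseudo, tcp...)))

	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(ip[2:], uint16(len(ip)+len(tcp)))
	ip[6] = 0x40 // DF
	ip[8] = 64   // TTL
	ip[9] = 6    // TCP
	copy(ip[12:], src4)
	copy(ip[16:], dst4)
	binary.BigEndian.PutUint16(ip[10:], ipv4Checksum(ip))

	eth := make([]byte, 14, 14+len(ip)+len(tcp))
	copy(eth[0:], dstMAC) // next hop: the gateway's MAC for an off-link target
	copy(eth[6:], srcMAC)
	binary.BigEndian.PutUint16(eth[12:], 0x0800) // EtherType IPv4

	return append(append(eth, ip...), tcp...), nil
}

// VerifyFrame re-checks what tcpdump would report: EtherType, both checksums,
// the SYN flag, and returns the IPv4 source address actually on the wire.
func VerifyFrame(frame []byte) (net.IP, error) {
	if len(frame) < 14+20+20 {
		return nil, errors.New("frame too short")
	}
	if binary.BigEndian.Uint16(frame[12:]) != 0x0800 {
		return nil, errors.New("not IPv4")
	}
	ip := frame[14:]
	ihl := int(ip[0]&0x0f) * 4
	total := int(binary.BigEndian.Uint16(ip[2:]))
	if ihl < 20 || total > len(ip) || total < ihl+20 {
		return nil, errors.New("bad IPv4 lengths")
	}
	if ipv4Checksum(ip[:ihl]) != 0 {
		return nil, errors.New("bad IPv4 checksum")
	}
	if ip[9] != 6 {
		return nil, errors.New("not TCP")
	}
	seg := ip[ihl:total]
	pseudo := make([]byte, 12, 12+len(seg))
	copy(pseudo[0:], ip[12:16])
	copy(pseudo[4:], ip[16:20])
	pseudo[9] = 6
	binary.BigEndian.PutUint16(pseudo[10:], uint16(len(seg)))
	if ipv4Checksum(append(pseudo, seg...)) != 0 {
		return nil, errors.New("bad TCP checksum")
	}
	if seg[13]&0x3f != 0x02 {
		return nil, errors.New("not a bare SYN")
	}
	return net.IP(ip[12:16]), nil
}

func main() {
	// Constructed placeholder MACs (assumption); real values come from the
	// interface and from ARP for the gateway IP.
	srcMAC, _ := net.ParseMAC("02:42:ac:11:00:02")
	gwMAC, _ := net.ParseMAC("02:42:00:00:00:01")
	frame, err := BuildSYNFrame(srcMAC, gwMAC, net.ParseIP("30.0.0.1"), net.ParseIP("188.42.216.83"), 40955, 80, 0)
	if err != nil {
		panic(err)
	}
	src, err := VerifyFrame(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte frame, IP source %s\n%x\n", len(frame), src, frame)
}
```

The check in VerifyFrame is the programmatic form of the tcpdump step in this PR: if the address it returns is not the one passed to BuildSYNFrame, something between the builder and the wire rewrote the header, which is exactly the symptom the macOS capture above shows (192.168.50.13 instead of 30.0.0.1).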
@Mzack9999 I still get the same result, testing on Mac, following exactly the same steps.
cross-posting linux repro steps:
$ docker run -it --cap-add=NET_ADMIN ubuntu:23.10 bash
# apt update
# apt install golang build-essential git wget curl zip unzip net-tools iproute2 tcpdump libpcap-dev
# ip address add 30.0.0.1/32 dev eth0
# git clone https://github.com/projectdiscovery/naabu.git
# cd naabu/v2/cmd/naabu/
# git checkout bufgix-990-source-ip
# go build .
# ./naabu -host 188.42.216.83 -source-ip 30.0.0.1 -i eth0 -port 80 -debug -Pn
With another session in the same docker container:
$ docker ps
ubuntu xxx ...
$ docker exec -it xxx bash
# tcpdump -n host 188.42.216.83
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:34:08.276865 IP 30.0.0.1.40955 > 188.42.216.83.80: Flags [S], seq 0, win 1024, options [mss 1460], length 0
06:34:08.277043 IP 30.0.0.1.40955 > 188.42.216.83.80: Flags [S], seq 1, win 1024, options [mss 1460], length 0
06:34:08.277097 IP 30.0.0.1.40955 > 188.42.216.83.80: Flags [S], seq 2, win 1024, options [mss 1460], length 0
Yes, it works for Linux - maybe we should add a small note that says it may not work for OSX.