Penetration Testing mailing list archives

Re: [PEN-TEST] IP fragmentation attack


From: Tom Vandepoel <Tom.Vandepoel () UBIZEN COM>
Date: Sat, 21 Oct 2000 00:53:08 +0200

Cold Fire wrote:

nmap has a '-f' option that seems subject to a lot of caveats. It's
rumored to work on linux, and I've found one specific patch to nmap to
exploit this in an older vulnerability in ipchains (or was it ipfwadm?).

Fragrouter has various options built in to exploit older holes such as
the ipchains hole. I would suggest setting up fragrouter on a second
host between your attack host and target, and routing your attack via that host, using
all of the fragrouter attacks; for example, even just running ISS
or CyberCop at a host via fragrouter you will see 'interesting'
data passing through most commercial firewalls. If you do not understand
this, I suggest reading more carefully the docs on:
http://www.monkey.org/~dugsong/

I understand what fragrouter does, no problem, but I'd like to hear
about practical experience with this. Which mode works best for what,
what are the effects of a particular OS stack used as the fragrouter,
stuff like that...
There seem to be a lot of caveats when you're doing frag work. It's fine
to play with this in a controlled lab environment, but what does it gain
you in the real world? E.g., is there someone here who can state: 'IOS ACLs,
yes: I can punch through those any time, no prob.'? And I don't
mean exploiting the stateless filtering. We all know that to allow
outgoing ftp with that type of filtering, you have to allow incoming tcp
to port >1023; I'm not talking about that: I'm talking about sending packets
past the filter that were not meant to be sent past...


Tom.

--
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
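The thread asks what fragmentation tricks actually get past a packet filter. The two classic cases (a first fragment too small to carry the TCP header, and a second fragment at offset 1 that overwrites the TCP flags on reassembly) and the checks RFC 1858 recommends against them are shown below as an added Python example; it is not part of the original post and is not fragrouter's or nmap's code. The packets, addresses, ports, ident values and the `allowed_dst_ports` rule are constructed sample values.

```python
import struct

IP_PROTO_TCP = 6
IP_HDR_LEN = 20
TCP_HDR_LEN = 20
IP_FLAG_MF = 0x1      # "More Fragments" bit of the 3-bit IPv4 flags field


def build_ipv4(payload, ident, mf, offset, proto=IP_PROTO_TCP):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload.
    offset is in 8-byte units, as on the wire. Addresses are constructed samples."""
    flags_frag = ((IP_FLAG_MF if mf else 0) << 13) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header (SYN by default, checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (TCP_HDR_LEN // 4) << 4,
                       flags, 8192, 0, 0)


def parse_ipv4(pkt):
    """Extract the IPv4 fields a fragment filter needs."""
    if len(pkt) < IP_HDR_LEN:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, _tlen, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto,
            "mf": bool((flags_frag >> 13) & IP_FLAG_MF),
            "offset": flags_frag & 0x1FFF, "payload": pkt[ihl:]}


def classify_fragment(pkt):
    """Return the RFC 1858 reason to drop this TCP fragment, or None if it is acceptable."""
    h = parse_ipv4(pkt)
    if h["proto"] != IP_PROTO_TCP:
        return None
    if not h["mf"] and h["offset"] == 0:
        return None                       # not fragmented at all
    if h["offset"] == 0 and len(h["payload"]) < TCP_HDR_LEN:
        return "tiny-first-fragment"      # ports/flags pushed into a later fragment the filter never inspects
    if h["offset"] == 1:
        return "offset-1-overlap"         # would overwrite bytes 8..15 (incl. TCP flags) on reassembly
    return None


def stateless_filter(pkt, allowed_dst_ports):
    """The decision a stateless filter can make from this one packet alone."""
    reason = classify_fragment(pkt)
    if reason:
        return ("drop", reason)
    h = parse_ipv4(pkt)
    if h["proto"] != IP_PROTO_TCP or len(h["payload"]) < 4:
        return ("drop", "no-tcp-header")
    if h["offset"] > 0:
        # Non-first fragment: no transport header is visible, so a stateless filter
        # either passes it blind (the weak spot) or needs state from the first fragment.
        return ("accept", "non-first-fragment-no-ports-visible")
    dport = struct.unpack("!H", h["payload"][2:4])[0]
    if dport in allowed_dst_ports:
        return ("accept", f"dst-port-{dport}-allowed")
    return ("drop", f"dst-port-{dport}-not-allowed")


# Constructed sample packets (assumed values, not captures).
_syn_80 = build_tcp(40000, 80)
_syn_23 = build_tcp(40000, 23)
SAMPLES = {
    "normal":     build_ipv4(_syn_80, 1, mf=False, offset=0),       # plain SYN to port 80
    "blocked":    build_ipv4(_syn_23, 4, mf=False, offset=0),       # plain SYN to port 23
    "tiny_first": build_ipv4(_syn_23[:8], 2, mf=True, offset=0),    # 8-byte first fragment
    "offset_one": build_ipv4(_syn_23[8:], 2, mf=False, offset=1),   # overlaps the TCP header
    "later_frag": build_ipv4(b"\x00" * 16, 3, mf=False, offset=3),  # ordinary trailing fragment
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} classify={classify_fragment(pkt)!s:21s} "
              f"filter={stateless_filter(pkt, {80})}")
```

Two things the run makes visible: the tiny first fragment to port 23 is dropped even though the filter cannot see its TCP flags, because the size check rejects it before any port rule is consulted; and an ordinary non-first fragment is accepted blind, which is exactly why a stateless rule like "allow inbound tcp to ports >1023" is only as strong as the first-fragment checks in front of it.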

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
