Penetration Testing mailing list archives

Source Route/Spoofed Source


From: Evrim ULU <evrim () envy com tr>
Date: Sun, 21 Apr 2002 17:41:19 +0300

hi,

first message to pen-test =:/

I was trying to get behind my NAT, but I've got some problems, and people here might know the reason.

schematic view of net is something like:

A (outsider) --- interface C of NAT ---- interface D of NAT ------ B (unroutable client)
                                                            ------ E (another unroutable client)        

I've enabled source routing via echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route on the NAT machine. Client B is Win98 SE, so it answers source-routed packets. Btw, I've no idea where to toggle this option in the registry.

Some useful info about NAT machine:

[root@evrim /root]# uname -a
Linux evrim 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
[root@evrim /root]# ipchains -L -n
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  net_at_the_inside/24   0.0.0.0/0             n/a


Then from outside I sent some source-routed ICMP echo request packets using the SING utility. Also, I sniffed both interfaces of the NAT separately.


Here are the attempts:
1.

./sing ip_of_C@ip_of_B

** ip_of_C@ip_of_B is the sing format, which means first go to C, and the dst is B.

I've seen that client B gets requests having the source addr of A and dst address B. But then, I've seen that client B responded with replies having the destination IP addr of D, which is the inner int of the NAT machine. So, no replies reached the outsider A.

2.

./sing ip_of_C@ip_of_B -S ip_of_E

In this case, I spoofed the source address using the -S parameter and set the source addr to E, which is another client inside the NAT. In the end, the NAT machine converted the source IP to D, which is the internal IP of the NAT.

I thought it was due to a mismatch of MAC addresses and spoofed the source MAC address using the -MAC parameter, but the result didn't change.


and now the questions:

1. Why does client B respond with a packet having the destination IP of D? (Client B has default gw D, but it mustn't be related to that, I think.)
2. Why did the NAT machine change the spoofed source addr to its own internal IP?

Thnx.

--
Evrim ULU
evrim () envy com tr / evrim () core gen tr
sysadm
http://www.core.gen.tr
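Editor's note: the following is an added example, not code from the original post or from SING. It is a pure-Python model of what RFC 791 loose source routing (LSRR, option type 131) and the RFC 1122 reverse-route rule for Echo Reply do to the route list as the request in attempt 1 crosses the NAT box and the reply comes back. The hop that is the current IP destination writes its own address into the route slot and advances the pointer; the replying host reverses the recorded route, so the first hop of its reply is the address the NAT box recorded on the inside (D). All addresses are constructed sample values from documentation ranges, and the model deliberately ignores the ipchains MASQ rewriting from attempt 2.

```python
import ipaddress

LSRR = 131  # IPv4 option type: Loose Source and Record Route (RFC 791)


def build_lsrr(route, pointer=4):
    """Encode an LSRR option: type, length, pointer, then 4-byte hops.
    The pointer is 1-based from the option start, so 4 is the first hop."""
    hops = b"".join(ipaddress.IPv4Address(h).packed for h in route)
    return bytes([LSRR, 3 + len(hops), pointer]) + hops


def parse_lsrr(opt):
    """Decode an LSRR option into (route list, pointer); reject malformed ones."""
    if len(opt) < 3 or opt[0] != LSRR or opt[1] != len(opt) or (len(opt) - 3) % 4:
        raise ValueError("malformed LSRR option")
    pointer = opt[2]
    if pointer < 4 or (pointer - 4) % 4:
        raise ValueError("bad LSRR pointer")
    route = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, len(opt), 4)]
    return route, pointer


def lsrr_forward(dst, opt, own_addr):
    """LSRR processing at a hop that is the packet's current IP destination
    (RFC 791 section 3.1). If the pointer is past the end, the route is used
    up and the packet is delivered locally. Otherwise the hop at the pointer
    becomes the new IP destination, this hop records its own (outgoing)
    address in that slot, and the pointer advances by four."""
    route, pointer = parse_lsrr(opt)
    if pointer > len(opt):
        return dst, opt, True            # route exhausted: deliver here
    idx = (pointer - 4) // 4
    new_dst = route[idx]
    route[idx] = own_addr                # record the route actually taken
    return new_dst, build_lsrr(route, pointer + 4), False


def lsrr_reply(src, opt):
    """Addressing of a reply to a source-routed datagram: the recorded route is
    reversed (RFC 1122 section 3.2.2.6 for Echo Reply), its first entry becomes
    the reply's IP destination, and the remaining entries followed by the
    original sender become the reply's LSRR option."""
    route, _ = parse_lsrr(opt)
    reversed_hops = list(reversed(route)) + [src]
    return reversed_hops[0], build_lsrr(reversed_hops[1:])


def trace_ping(a, b, c, d):
    """Walk an echo request from outsider A to inside host B through the NAT
    box (outside interface C, inside interface D) and the reply back.
    Returns the (stage, src, dst, route list) seen at each step."""
    steps = []
    # "sing ip_of_C@ip_of_B": IP dst is C, the LSRR option carries [B]
    src, dst, opt = a, c, build_lsrr([b])
    steps.append(("request leaves A", src, dst, parse_lsrr(opt)[0]))
    # The NAT box is the current destination: forward to B, record D
    dst, opt, _ = lsrr_forward(dst, opt, d)
    steps.append(("request on D side", src, dst, parse_lsrr(opt)[0]))
    # At B the pointer is exhausted, so the request is delivered
    _, _, delivered = lsrr_forward(dst, opt, b)
    assert delivered
    # B replies along the reversed recorded route: first hop is D
    rsrc = b
    rdst, ropt = lsrr_reply(src, opt)
    steps.append(("reply leaves B", rsrc, rdst, parse_lsrr(ropt)[0]))
    # D is the reply's current destination: forward to A, record C
    rdst, ropt, _ = lsrr_forward(rdst, ropt, c)
    steps.append(("reply on C side", rsrc, rdst, parse_lsrr(ropt)[0]))
    return steps


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not the poster's
    for stage, src, dst, route in trace_ping("198.51.100.10", "192.168.1.20",
                                             "203.0.113.1", "192.168.1.1"):
        print(f"{stage:18} src={src:15} dst={dst:15} lsrr={route}")
```

The "reply leaves B" step is the packet the poster saw on the inside interface: IP destination D, with A only inside the option. Whether that reply then gets out depends on the NAT box forwarding a source-routed packet addressed to itself and on the MASQ rule, which this model does not cover.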


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

