Penetration Testing mailing list archives
Source Route/Spoofed Source
From: Evrim ULU <evrim () envy com tr>
Date: Sun, 21 Apr 2002 17:41:19 +0300
hi, first message to pen-test =:/

i was trying to get behind my NAT but i've got some problems and people here might know the reason.
schematic view of net is something like:

A (outsider) --- interface C of NAT ---- interface D of NAT ------ B (unroutable client)
                                                            ------ E (another unroutable client)

i've enabled source routing via echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route on both NAT machine. Client B is win98 SE so, it answers source routed packets. Btw, i've no idea where to toggle this option in the registry.
Some useful info about NAT machine:

[root@evrim /root]# uname -a
Linux evrim 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
[root@evrim /root]# ipchains -L -n
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  net_at_the_inside/24  0.0.0.0/0             n/a

Then from outside i've sent some source routed ICMP echo request packets using SING utility. Also, i've sniffed both interfaces of NAT separately. here are attempts:

1. ./sing ip_of_C@ip_of_B

** ip_of_C@ip_of_B is the sing format which means first go to C and dst is B.
I've seen that client B gets requests having source addr of A and dst address B. But then, i've seen that client B responded with replies having destination ip addr of D which is the inner int of NAT machine. So, no replies reached to the outsider A.
2. ./sing ip_of_C@ip_of_B -S ip_of_E

In this case, i've spoofed source address using -S parameter and set the source addr to E which is another client inside the nat. At the end, NAT machine has converted the source ip to D which is the internal IP of NAT.
I thought it was due to mismatch of MAC addresses and spoofed the source MAC address using -MAC parameter but the result didn't change.
and now the questions:

1. Why client B responds with a packet having destination ip of D? (client B has default gw D but it mustn't be related with it i think)
2. why nat machine changed the spoofed source addr to its own internal ip?

Thnx.

--
Evrim ULU
evrim () envy com tr / evrim () core gen tr
sysadm
http://www.core.gen.tr
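Added example, not part of the original post: a Python check that flags IPv4 headers carrying a source-route option (RFC 791), the kind of packet the sing tests above send toward interface C, and reports the current destination plus the hops still to visit. It assumes sing emits the loose variant (option type 0x83); the function names and all addresses are constructed for illustration.

```python
import socket
import struct

LSRR, SSRR = 0x83, 0x89  # RFC 791 loose / strict source-route option types
EOL, NOP = 0x00, 0x01    # end-of-list and no-op are single-byte options

def source_route(packet: bytes):
    """Return (kind, current_dst, remaining_hops) when the IPv4 header carries
    a source-route option, None when it does not; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    dst = socket.inet_ntoa(packet[16:20])
    opts, i = packet[20:ihl], 0
    while i < len(opts) and opts[i] != EOL:
        if opts[i] == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        kind, length = opts[i], opts[i + 1]
        if kind in (LSRR, SSRR):
            if length < 3 or opts[i + 2] < 4:
                raise ValueError("bad source-route pointer")
            # The pointer is a 1-based offset from the option start to the
            # next hop; everything from there to the option end is unvisited.
            rest = opts[i + opts[i + 2] - 1 : i + length]
            hops = [socket.inet_ntoa(rest[j:j + 4]) for j in range(0, len(rest) - 3, 4)]
            return ("loose" if kind == LSRR else "strict", dst, hops)
        i += length
    return None

def build_sample(src, first_hop, final_dst, pointer=4):
    """Constructed test packet: header only, checksum left at zero."""
    opt = bytes([LSRR, 7, pointer]) + socket.inet_aton(final_dst) + bytes([EOL])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x47, 0, 28, 1, 0, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(first_hop))
    return hdr + opt

if __name__ == "__main__":
    # A = 198.51.100.10, C = 203.0.113.1, B = 192.168.1.20 (all constructed)
    print(source_route(build_sample("198.51.100.10", "203.0.113.1", "192.168.1.20")))
```

Run over frames captured on the outside interface, a non-None result marks a packet that relies on the gateway having accept_source_route enabled.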