Penetration Testing mailing list archives
RE: Loose source routing for remote host discovery
From: "Dario Ciccarone" <dciccaro () cisco com>
Date: Thu, 8 May 2003 18:09:33 -0300
Sure thing. IOS routers would forward source-routed packets depending on configuration (yes by default, can be turned off, should be turned off, our best practices strongly advise to turn it off :D) - PIX firewalls are even more fussy. Best thing would be to compromise a host dual-homed to those "private" networks and also to "public" networks - or a network device itself, and make it route the packets the way you want.
-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Thursday, May 08, 2003 4:47 PM
To: Oliver Enzmann
Cc: pen-test () securityfocus com
Subject: Re: Loose source routing for remote host discovery

The main trouble you face is that while the tools and toys you are using might allow such 'loose source routing', the question and sticker might well be, "do the devices your specially crafted packets need to traverse also play the same game?" If those maintaining them have any salt to their meat, I'm betting they do not, and so your packets will only make it so far and then return information about route/host/service not found, etc. You can toss packets at a device, but, if the device is not configured to play nicely with those packets, all the mangling in the world will not get that device to pass 'em. Of course, the devices meant to be traversed could have OS flaws or HW issues that fail them 'open' if they are hit hard enough or with truly mangled enough packets, but, not the thing one might wish to place bets upon.

Thanks,

Ron DuFresne

On Thu, 8 May 2003, Oliver Enzmann wrote:

Hello,

I need to discover hosts and services on remote subnets using nmap or similar. However, routes to/from some of these subnets have local significance only and are therefore not redistributed into the global routing tables. The lack of complete routing tables obviously causes end-to-end layer 3 connectivity and scanning of these subnets to fail.

What I need is a way to use loose source routing in combination with nmap - a way to mangle packets and add loose source routing information to the IP options before nmap's packets are sent out to the wire. I've looked at netcat (-g option to add source routing information) but I would prefer to use nmap for the actual scanning. Also, hping2-rc2 seems to support source routing but I haven't tried it yet mainly because nmap is the tool of choice.

This is on Linux with kernel 2.4. Netfilter or iproute2 tricks would be definite possibilities.

TIA,
Oliver

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
--------------------------------------------------------------------------- Did you know that you have VNC running on your network? Your hacker does. Plug your security holes. Download a free 15-day trial of VAM: http://www.securityfocus.com/StillSecure-pen-test ----------------------------------------------------------------------------
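The thread turns on one mechanism: a router or firewall that has source routing disabled looks at the IP options area of each packet and drops anything carrying a loose (LSRR) or strict (SSRR) source-route option, which is why Ron expects properly maintained devices to stop the packets. The following is an added example, not code from any of the posters, showing what that check looks like at the byte level: it walks the IPv4 options area per RFC 791, reports any LSRR/SSRR option with its listed hops and the hop the pointer currently selects, and applies a drop policy. The sample headers (TEST-NET addresses, zero checksum) are constructed here for the demonstration; no live packets are involved.

```python
import struct
import ipaddress

# IPv4 option type codes (RFC 791): the two source-route options plus the
# single-byte options that any options parser must step over.
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no-operation padding
IPOPT_RR = 7       # record route (not a source route; included for contrast)
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

SOURCE_ROUTE_TYPES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Walk the options area between byte 20 and IHL*4; return (type, payload) pairs."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("IHL inconsistent with packet length")
    opts = packet[20:header_len]
    parsed = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing its length byte")
        opt_len = opts[i + 1]
        if opt_len < 2 or i + opt_len > len(opts):
            raise ValueError("option length runs past the header")
        parsed.append((opt_type, bytes(opts[i + 2:i + opt_len])))
        i += opt_len
    return parsed


def find_source_routes(packet: bytes):
    """Return one dict per LSRR/SSRR option: kind, listed hops, and the hop the pointer selects."""
    found = []
    for opt_type, payload in parse_ipv4_options(packet):
        if opt_type not in SOURCE_ROUTE_TYPES:
            continue
        if not payload:
            raise ValueError("source-route option without a pointer byte")
        pointer, route = payload[0], payload[1:]
        if len(route) % 4:
            raise ValueError("route data is not a whole number of IPv4 addresses")
        hops = [str(ipaddress.IPv4Address(route[j:j + 4])) for j in range(0, len(route), 4)]
        # The pointer is 1-based from the option's type byte, so 4 selects the first address.
        next_index = (pointer - 4) // 4
        next_hop = hops[next_index] if 0 <= next_index < len(hops) else None
        found.append({"kind": SOURCE_ROUTE_TYPES[opt_type], "hops": hops, "next_hop": next_hop})
    return found


def should_drop(packet: bytes) -> bool:
    """Policy of a device with source routing disabled: drop if any LSRR/SSRR option is present."""
    return bool(find_source_routes(packet))


def build_sample_header(hops=(), option_type=IPOPT_LSRR):
    """Construct a bare IPv4 header (no payload, checksum left zero) carrying the given route option.
    Constructed test input for this example, not a captured packet."""
    option = b""
    if hops:
        addrs = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
        option = bytes([option_type, 3 + len(addrs), 4]) + addrs  # type, length, pointer=4
        while len(option) % 4:
            option += bytes([IPOPT_EOL])  # pad the options area to a 32-bit boundary
    ihl = 5 + len(option) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        0x40 | ihl,              # version 4, header length in 32-bit words
                        0, ihl * 4,              # TOS, total length (header only)
                        0x1234, 0,               # identification, flags/fragment offset
                        64, 6, 0,                # TTL, protocol (TCP), checksum (not computed)
                        ipaddress.IPv4Address("192.0.2.10").packed,    # constructed source (TEST-NET-1)
                        ipaddress.IPv4Address("198.51.100.7").packed)  # constructed destination (TEST-NET-2)
    return fixed + option


if __name__ == "__main__":
    pkt = build_sample_header(["192.0.2.1", "198.51.100.1"])
    print(find_source_routes(pkt), should_drop(pkt))
```

The record-route option (type 7) shares the pointer-plus-addresses layout but is deliberately not flagged, since it only asks routers to record their addresses rather than dictate the path. On Cisco IOS the global configuration command `no ip source-route` is what turns the forwarding behaviour Dario describes off; on Linux the equivalent knob is the sysctl `net.ipv4.conf.all.accept_source_route` set to 0.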
Current thread:
- Loose source routing for remote host discovery Oliver Enzmann (May 08)
- RE: Loose source routing for remote host discovery Dario Ciccarone (May 08)
- Re: Loose source routing for remote host discovery R. DuFresne (May 08)
- RE: Loose source routing for remote host discovery Dario Ciccarone (May 09)
- Re: Loose source routing for remote host discovery Oliver Enzmann (May 09)
- <Possible follow-ups>
- Re: Loose source routing for remote host discovery Chris McNab (May 09)