Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Should nmap cause a DoS on cisco routers?
From: Cor Rosielle <cor () outpost24 com>
Date: Thu, 01 Jul 2010 22:27:48 +0200

Hi Thierry,

I agree this is a vulnerability. I also want to clear up an apparent
misunderstanding: I don't tell not to scan with -sV, but to be careful
because it is a dangerous switch that is known to sometimes crash
devices. When you are testing a target, you have to know your tools and
this is one of the characteristics of nmap.

When testing, there are often some alternatives to choose from. And if
the objective is to find out if there are any vulnerabilities in a host,
then nmap -sV is one of the tools in the toolbox you can use. But if you
just want to know the version of SNMP running, like Shang did, you just
might want to choose another tool. (I would have used something like:
for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string
$HOST sysDescr.0; done
to find out if SNMP v1 was supported).

Regards,
Cor


On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
Hi Shang,

If  this  is  possible  you  have  found  a  vulnerability. Any way to
remotely  cause  DoS  with  special  or  harmless  code  is  per  se a
vulnerability.

Instead  of  telling  somebody  to not scan with -sV you are better of
reporting the vulnerability (ies)

Regards,
Thierry

coc> During my training classes I always tell the -sV switch is
coc> dangerous and known to (sometimes) crash the target.  

coc> Usually a better tool to test open udp ports is unicornscan, but
coc> that doesn't have a switch like -iL. Since you are testing your
coc> own devices and you know the community string, you could insider
coc> to loop through the list of IP's and snmpget a value from the MIB.

coc> Cor

coc> sent from a mobile device 


coc> ----Origineel bericht----
coc> Van: Shang Tsung
coc> Verzonden:  30-06-2010 13:03:32
coc> Onderw.:  Should nmap cause a DoS on cisco routers?

coc> Hello,

coc> Some days ago, I had the task to discover the SNMP version that our 
coc> servers and networking devices use. So I run nmap using the following 
coc> command:

coc> nmap -sU -sV -p 161-162 -iL target_file.txt

coc> This command was supposed to use UDP to probe ports 161 and 162, which
coc> are used for SNMP and SNMP Trap respectively, and return the SNMP 
coc> version.

coc> This "innocent" command caused most networking devices to crash and 
coc> reboot, causing a Denial of Service attack and bringing down the 
coc> network.

coc> Now my question is.. Should this had happened? Can nmap bring the whole
coc> network down from one single machine?

coc> Is this a configuration error of the networking devices?

coc> This is scary...

coc> Shang Tsung






coc>   

coc> ------------------------------------------------------------------------
coc> This list is sponsored by: Information Assurance Certification Review Board

coc> Prove to peers and potential employers without a doubt that you
coc> can actually do a proper penetration test. IACRB CPT and CEPT
coc> certs require a full practical examination in order to become certified.

coc> http://www.iacertification.org
coc> ------------------------------------------------------------------------


coc> _______________________________________________
coc> Full-Disclosure - We believe in it.
coc> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
coc> Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]