Full Disclosure mailing list archives

Re: Should nmap cause a DoS on cisco routers?
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 1 Jul 2010 22:42:00 +0200

I would not object to posts on Full-Disclosure along the lines of "nmap -sV
crashes x device".  Unauthenticated remote permanent DoS's from standard
network scanning tools are certainly legitimate findings, and if this gives
more power to the QA guy in $NETWORKVENDOR, all the better.

On Thu, Jul 1, 2010 at 10:27 PM, Cor Rosielle <cor () outpost24 com> wrote:

Hi Thierry,

I agree this is a vulnerability. I also want to clear up an apparent
misunderstanding: I don't tell people not to scan with -sV, but to be careful,
because it is a dangerous switch that is known to sometimes crash
devices. When you are testing a target, you have to know your tools, and
this is one of the characteristics of nmap.

When testing, there are often some alternatives to choose from. And if
the objective is to find out if there are any vulnerabilities in a host,
then nmap -sV is one of the tools in the toolbox you can use. But if you
just want to know the version of SNMP running, like Shang did, you just
might want to choose another tool. (I would have used something like:
for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string
$HOST sysDescr.0; done
to find out if SNMP v1 was supported.)


On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
Hi Shang,

If this is possible you have found a vulnerability. Any way to
remotely cause DoS with special or harmless code is per se a

Instead of telling somebody to not scan with -sV you are better off
reporting the vulnerability (ies)


coc> During my training classes I always say that the -sV switch is
coc> dangerous and known to (sometimes) crash the target.

coc> Usually a better tool to test open udp ports is unicornscan, but
coc> that doesn't have a switch like -iL. Since you are testing your
coc> own devices and you know the community string, you could consider
coc> looping through the list of IPs and snmpget a value from the MIB.

coc> Cor

coc> sent from a mobile device

coc> ----Original message----
coc> From: Shang Tsung
coc> Sent:  30-06-2010 13:03:32
coc> Subject:  Should nmap cause a DoS on cisco routers?

coc> Hello,

coc> Some days ago, I had the task to discover the SNMP version that our
coc> servers and networking devices use. So I ran nmap using the
coc> command:

coc> nmap -sU -sV -p 161-162 -iL target_file.txt

coc> This command was supposed to use UDP to probe ports 161 and 162,
coc> which are used for SNMP and SNMP Trap respectively, and return the
coc> SNMP version.

coc> This "innocent" command caused most networking devices to crash and
coc> reboot, causing a Denial of Service attack and bringing down the
coc> network.

coc> Now my question is.. Should this have happened? Can nmap bring the
coc> network down from one single machine?

coc> Is this a configuration error of the networking devices?

coc> This is scary...

coc> Shang Tsung



coc> _______________________________________________
coc> Full-Disclosure - We believe in it.
coc> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
coc> Hosted and sponsored by Secunia - http://secunia.com/

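Added illustration, not code from anyone in the thread: the single well-formed SNMPv1 GetRequest for sysDescr.0 that Cor's snmpget loop sends, built and parsed by hand in Python, so an SNMP-version inventory of known devices can be taken with one datagram per host instead of nmap's -sV version-detection probes. The host, community string and timeout passed to probe() are the caller's own; the parser handles long-form BER lengths and returns None for non-v1, error or malformed replies rather than counting them as v1 support.

```python
import socket

SYSDESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the object the thread's snmpget loop reads

def ber_len(n):  # short form below 128, otherwise 0x80|N followed by N length bytes
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v):  # minimal-length two's-complement INTEGER
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):  # arcs below 128 only (enough for sysDescr.0); first two arcs share a byte
    a = [int(p) for p in dotted.split(".")]
    return tlv(0x06, bytes([40 * a[0] + a[1]] + a[2:]))

def snmpv1_get(community, oid=SYSDESCR, request_id=1):
    # One well-formed SNMPv1 GetRequest: version 0, community, PDU tag 0xA0, one varbind
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def ber_seq(buf):  # split a BER constructed value into [(tag, value), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length, which a long sysDescr reply will use
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_sysdescr(resp):  # sysDescr string from a v1 GetResponse (tag 0xA2), else None
    (tag, msg), = ber_seq(resp)
    version, _community, (ptag, pdu) = ber_seq(msg)
    if tag != 0x30 or version != (0x02, b"\x00") or ptag != 0xA2:
        return None  # not SNMPv1, or not a GetResponse: do not treat as v1 support
    _rid, (_, err), _idx, (_, vbl) = ber_seq(pdu)
    (_, _oid), (vtag, val) = ber_seq(ber_seq(vbl)[0][1])
    return val.decode("latin-1") if err == b"\x00" and vtag == 0x04 else None

def probe(host, community, timeout=2.0):  # one datagram to udp/161; None on timeout/bad reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmpv1_get(community), (host, 161))
        try:
            return parse_sysdescr(s.recvfrom(4096)[0])
        except (OSError, ValueError, IndexError):
            return None
```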
