Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Do ICMP re-directs actually work ?
From: <foob () return0 net>
Date: Wed, 31 Oct 2001 12:23:20 +0000 (GMT)


According to the Microsoft Windows 2000 Server:
TCP/IP Core Networking Guide:

"When a Windows 2000-based computer received an ICMP
Redirect message, IP verifies that it came from the first-hop gateway in
the current router and that the gateway is on a directly connected
network.  If so, a host route with a 10-minute lifetime is added to 
the router table for that destination IP address."

Then goes on to say that, otherwise, the redirect is ignored.

Of course, you could spoof the source address (and maybe
the source MAC address if necessary?) of the ICMP
packet.  But, the problem I had, was the ICMP message
has to contain data from a previously sent IP packet.

If you can sniff traffic, and Pepsi sends something
out via its default route, you could send the ICMP
redirect, containing the sniffed packet, and forged
IP headers.  Now Pepsi will add a temporary route
for the original host through whatever (local) machine
you specify.

The book gives no details on what validation is performed
on the ICMP payload, but i seem to remember I how no luck
with this capture/redirect scenario.  Maybe i missed something.

If you get anywhere, please pass the results on!

Cheers,

- foob

On Tue, 30 Oct 2001, Blake Frantz wrote:



It's my understanding that the ICMP redirect is used in the following
scenario:

- host1 sends data to gateway1
- gateway1 looks for the next hop and find gateway2
- gateway2 is on the same net as host1
- gateway1 sends redirect to host1 informing it to use gateway2
- host1 traffic now leaves via gateway2

With this in mind, I *think* the redirect has to come from "pepsi"'s
gateway.  

On Win2k, verify the value of:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableICMPRedirect

It's set to 1 (enable) by default.

-blake


On Tue, 30 Oct 2001, Naveed Anwar wrote:


Hi All

I have just been conducting a test in one of our labs by sending ICMP
redirects to a Windows 2000 Advanced Server using ICMPUSH. Using a
sniffer I see the packet successfully leave my machine, then again
from the target box I see the re-direct arrive. Say for example my
target machine is called Pepsi, and I tell it to redirect any packets
for a machine called Fanta to a dead gateway, hence communication to
Fanta will fail for the lifetime of the redirect.

Now my understanding is that the target server (Pepsi) should now
have updated its local routing table with respect to the Fanta
machine. Then from Pepsi I try to ping/telnet/http/ftp etc..(i.e
establish communication) to Fanta I am able to. The point is since I
told Pepsi via a redirect to send all traffic for Fanta to a
blackhole, how is the communication working.

One interesting point is that when I issue a netstat -rn to view the
routing table, I see no route update from the ICMP redirect. 

After reading Ofir's excellent paper I understand most ICMP
implementations are OS specific, therefore I guess redirects do not
work in Win2000 or Linux 6.2 which I also tested..or am I doing
something horribly wrong?

Thanks
Naveed

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]