Penetration Testing: Source Route/Spoofed Source

Source Route/Spoofed Source

From: Evrim ULU <evrim_at_envy.com.tr>
Date: Sun, 21 Apr 2002 17:41:19 +0300

hi,

first message to pen-test =:/

i was trying to get behind my NAT but i've got some problems and people
here might know the reason.

schematic view of net is something like:

A (outsider) --- interface C of NAT ---- interface D of NAT ------ B (unroutable client)
                                                            ------ E (another unroutable client)

i've enabled source routing via echo 1 >
/proc/sys/net/ipv4/conf/all/accept_source_route on both NAT machine.
Client B is win98 SE so, it answers source routed packets. Btw, i've no
idea where to toggle this option in the registry.

Some useful info about NAT machine:

[root_at_evrim /root]# uname -a
Linux evrim 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
[root_at_evrim /root]# ipchains -L -n
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ all ------ net_at_the_inside/24 0.0.0.0/0 n/a

Then from outside i've sent some source routed ICMP echo request packets
using SING utility. Also, i've sniffed both interfaces of
NAT separately.

here are attempts:
1.

./sing ip_of_C_at_ip_of_B

** ip_of_C_at_ip_of_B is the sing format which means first go to C and dst
is B.

I've seen that client B got requests having source addr of A and dst
address B. But then, i've seen that client B responded with replies
having destination ip addr of D which is the inner int of NAT machine.
So, no replies reached the outsider A.

2.

./sing ip_of_C_at_ip_of_B -S ip_of_E

In this case, i've spoofed source address using -S parameter and set the
source addr to E which is another client inside the nat. At the end, NAT
machine has converted the source ip to D which is the internal IP of NAT.

I thought it was due to mismatch of MAC addresses and spoofed the source
MAC address using -MAC parameter but the result didn't change.

and now the questions:

1. Why does client B respond with a packet having destination ip of D?
(client B has default gw D but it mustn't be related with it I think)
2. Why did the nat machine change the spoofed source addr to its own internal ip?

Thnx.

-- 
Evrim ULU
evrim_at_envy.com.tr / evrim_at_core.gen.tr
sysadm
http://www.core.gen.tr
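The traffic described in the post (an ICMP echo request aimed at the NAT's outside interface C, with the inside host B named in a loose source route) is visible on the wire as an IPv4 LSRR option, which is what the poster sniffed on both NAT interfaces. The following is an added example, not code from the post or from the sing tool: a small detector that walks the IPv4 options list, pulls out LSRR/SSRR routes, and emits an alert line per source-routed packet, the kind of check a border sensor runs so that a host where accept_source_route was left at 1 does not go unnoticed. The build_sample_packet helper and the addresses (A = 192.0.2.10, C = 198.51.100.1, B = 192.168.0.20, documentation and RFC 1918 ranges) are constructed test input; nothing is transmitted.

```python
"""Detect IPv4 source-route options (LSRR/SSRR) in raw packets.

Added example, not from the original post. All addresses are constructed
placeholders; build_sample_packet only produces bytes for the parser.
"""
import ipaddress
import struct

# Option type values from RFC 791 (copied flag + class + number).
LSRR = 131  # loose source and record route (the option sing's C@B form produces)
SSRR = 137  # strict source and record route
OPTION_NAMES = {LSRR: "LSRR", SSRR: "SSRR"}


def ipv4_header_fields(packet: bytes):
    """Return (ihl_bytes, src, dst, options_bytes) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return ihl, src, dst, packet[20:ihl]


def find_source_route(packet: bytes):
    """Walk the IP options list; return details of an LSRR/SSRR option, or None."""
    _, src, dst, opts = ipv4_header_fields(packet)
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:        # End of option list
            break
        if kind == 1:        # No-op padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in OPTION_NAMES:
            if length < 3:
                raise ValueError("source route option too short")
            pointer = opts[i + 2]            # offset of next hop from option start, minimum 4
            route = opts[i + 3:i + length]   # list of 4-byte hop addresses
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) - len(route) % 4, 4)]
            idx = (pointer - 4) // 4
            next_hop = hops[idx] if 0 <= idx < len(hops) else None  # None: route already consumed
            return {"option": OPTION_NAMES[kind], "src": src, "dst": dst,
                    "pointer": pointer, "hops": hops, "next_hop": next_hop}
        i += length
    return None


def alerts_for(packets):
    """Return one alert string per source-routed packet (border-sensor style)."""
    out = []
    for pkt in packets:
        r = find_source_route(pkt)
        if r:
            out.append(f"{r['option']} {r['src']} -> {r['dst']} via {' > '.join(r['hops'])}")
    return out


def build_sample_packet(src, dst, route=None, kind=LSRR):
    """Construct a bare IPv4 header (no payload, checksum left zero) as parser input.

    Constructed test data only; the detector ignores the checksum."""
    options = b""
    if route:
        data = b"".join(ipaddress.IPv4Address(h).packed for h in route)
        options = bytes([kind, 3 + len(data), 4]) + data   # pointer starts at 4
        while len(options) % 4:
            options += b"\x00"   # pad to a 32-bit boundary with EOL bytes
    ihl_words = (20 + len(options)) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4,
                         0, 0, 64, 1, 0,   # id, flags/frag, ttl, proto=ICMP, checksum
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


if __name__ == "__main__":
    # The post's attempt 1: A sends to NAT interface C with B named in the route.
    A, C, B = "192.0.2.10", "198.51.100.1", "192.168.0.20"   # constructed placeholders
    for line in alerts_for([build_sample_packet(A, C, [B]), build_sample_packet(A, C)]):
        print(line)
```

The destination field of such a packet is the NAT's own outside address; the inside host only appears in the option data, which is why an address-based filter on the IP destination never sees B and why the options list, not the header proper, is what a border check has to inspect.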
Received on Apr 22 2002