Penetration Testing mailing list archives

Loose source routing for remote host discovery
From: Oliver Enzmann <oliver () cosec org>
Date: Thu, 8 May 2003 16:02:12 +0200

Hello,

I need to discover hosts and services on remote subnets using nmap or similar. 
However, routes to/from some of these subnets have local significance only 
and are therefore not redistributed into the global routing tables. The lack 
of complete routing tables obviously causes end-to-end layer 3 connectivity 
and scanning of these subnets to fail.  

What I need is a way to use loose source routing in combination with nmap - 
a way to mangle packets and add loose source routing information to the IP 
options before nmap's packets are sent out to the wire. 
 
I've looked at netcat (-g option to add source routing information) but I 
would prefer to use nmap for the actual scanning. Also, hping2-rc2 seems to
support source routing but I haven't tried it yet mainly because nmap is the 
tool of choice. 

This is on Linux with kernel 2.4. Netfilter or iproute2 tricks would be 
definite possibilities.

TIA, Oliver
-- 
Unix is sexy: "unzip", "strip", "touch", "mount", "sleep".
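
The loose source route option asked about above has a fixed layout in RFC 791: type 131, a length byte, a pointer, then four bytes per hop. The following added example, which is not part of the original post, encodes that option and parses it back out of a constructed IPv4 header the way a filter or sensor would; the function names are assumptions and the addresses are documentation-range placeholders.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137  # RFC 791 option type values

def build_lsrr(hops):
    """Encode an LSRR option: type, length, pointer, then 4 bytes per hop."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    opt = bytes([IPOPT_LSRR, 3 + len(route), 4]) + route  # pointer 4 = first hop
    return opt + bytes(-len(opt) % 4)  # EOL padding to a 32-bit boundary

def sample_header(options=b""):
    """Constructed IPv4 header (checksum left at zero) carrying the given options."""
    src = ipaddress.IPv4Address("192.0.2.10").packed      # placeholder addresses
    dst = ipaddress.IPv4Address("198.51.100.20").packed
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, src, dst) + options

def find_source_route(packet):
    """Return (kind, pointer, hops) if the IPv4 header has LSRR/SSRR, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return None
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                      # truncated or malformed option list
        length = opts[i + 1]
        if kind in (IPOPT_LSRR, IPOPT_SSRR) and length >= 3:
            route = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) - 3, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", opts[i + 2], hops)
        i += length
    return None

if __name__ == "__main__":
    pkt = sample_header(build_lsrr(["192.0.2.1", "203.0.113.1"]))
    print(find_source_route(pkt))
```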

