Penetration Testing: RE: Loose source routing for remote host discovery

["Dario Ciccarone" <dciccaro () cisco com>]

Sure thing. IOS routers would forward source-routed packets depending on
configuration (yes by default, can be turned off, should be turned off,
our best practices strongly advise to turn it off :D)) - PIX firewalls
are even more fussy.

Best thing would be to compromise a host dual-homed to those "private"
networks and also to "public" networks - or a network device itself, and
make it route the packets the way you want.


> -----Original Message-----
> From: R. DuFresne [mailto:dufresne () sysinfo com] 
> Sent: Thursday, May 08, 2003 4:47 PM
> To: Oliver Enzmann
> Cc: pen-test () securityfocus com
> Subject: Re: Loose source routing for remote host discovery
>
>
>
> The main trouble you face is that while the tools and toys 
> you are using might allow such 'loose source routing' the 
> question and sticker might well be, "do the devices your 
> specially crafted packets need to traverse also play the same 
> game?"  If those maintaining them have any salt to their 
> meat, I'm betting they do not, and so your packets will only  
> make it so far and then return information about 
> route/host/service not found, etc.  You can toss packets at a 
> device, buut, if the device is not configed to play nicely 
> with those packets, all the mangling in the world will not 
> get that device to pass em.  Of course, the devices ment to 
> be traversed could have OS flaws or HW issues that fail them 
> 'open' if they are hit hard enough or with truely mangeled 
> enough packets, but, not the thing one might wish to place bets upon
>
>
> Thanks,
>
> Ron DuFresne
>
> On Thu, 8 May 2003, Oliver Enzmann wrote:
>
> > Hello,
> >
> > I need to discover hosts and services on remote subnets 
> using nmap or 
> > similar.
> > However, routes to/from some of these subnets have local 
> significance only 
> > and are therefore not redistributed into the global routing 
> tables. The lack 
> > of complete routing tables obviously causes end-to-end 
> layer 3 connectivity 
> > and scanning of these subnets to fail.  
> >
> > What I need is a way to use loose source routing in 
> combination with 
> > nmap -
> > a way to mangle packets and add loose source routing 
> information to the IP 
> > options before nmap's packets are sent out to the wire. 
> >  
> > I've looked at netcat (-g option to add source routing 
> information ) 
> > but I
> > would prefer to use nmap for the actual scanning. Also, 
> hping2-rc2 seems to
> > support source routing but I haven't tried it yet mainly 
> because nmap is the 
> > tool of choice. 
> >
> > This is on Linux with kernel 2.4. Netfilter or iproute2 
> tricks would 
> > be
> > definite possibilities.
> >
> > TIA, Oliver
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in 
> humanity.  It eliminates dreams, goals, and ideals and lets 
> us get straight to the business of hate, debauchery, and 
> self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
>
> --------------------------------------------------------------
> -------------
> Did you know that you have VNC running on your network?
> Your hacker does.
> Plug your security holes.
> Download a free 15-day trial of VAM: 
> http://www.securityfocus.com/StillSecure-pen-> test
>
>
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------