Penetration Testing mailing list archives
Re: source routing
From: "Naveed Anwar" <naveed () middleoffice com>
Date: Thu, 27 Sep 04:07:07 2001 +0100
Daniel
IP supports two types of source routing. The first type is loose
source routing, in which the IP address of the next router can be one
or more routers away (multiple hops). The second type is strict
source routing, in which the next router must be a neighboring router
(single hop).
A ping example is
C:\>ping -j 169.182.224.3 169.186.129.102 ak47
Pinging ak47.sa.com [169.182.227.245] with 32 bytes of data:
Reply from 169.182.227.245: bytes=32 time<10ms TTL=123
Route: 169.186.129.102 ->
169.182.224.3
Reply from 169.182.227.245: bytes=32 time<10ms TTL=123
Route: 169.186.129.90 ->
169.182.224.3
Reply from 169.182.227.245: bytes=32 time<10ms TTL=123
Route: 169.186.129.102 ->
169.182.224.3
Reply from 169.182.227.245: bytes=32 time<10ms TTL=123
Route: 169.186.129.90 ->
169.182.224.3
Hence in the above example we are telling the packet to go first to
169.182.224.3 and then 169.186.129.102 and then ak47, where ak47 is my
host.
If you want to play around with this in a proper way I suggest you
use netcat; the extract below is taken from the netcat README:
Netcat provides several ways for you to test your own packet filters.
If you bind to a port normally protected against outside access and
make a connection to somewhere outside your own network, the return
traffic will be coming to your chosen port from the "outside" and
should be blocked. TCP may get through if your filter passes all
"ack syn", but it shouldn't be even doing that to low ports on your
network. Remember to test with UDP traffic as well!
If your filter passes at least outbound source-routed IP packets,
bouncing a connection back to yourself via some gateway outside your
network will create "incoming" traffic with your source address,
which should get dropped by a correctly configured anti-spoofing
filter.
This is a "non-test" if you're also dropping source-routing, but it's
good to be able to test for that too. Any packet filter worth its
salt will be blocking source-routed packets in both directions, but
you never know what interesting quirks you might turn up by playing
around with source ports and addresses and watching the wires with a
network monitor.
The real danger of source routing is when an attacker spoofs a
source IP and redirects traffic to him (or her), either directly to
his machine or through one which he controls.
-------- ORIGINAL MESSAGE BELOW --------
Hi all,
A couple of questions on Loose source routing...
1. Has anyone played with loose source routing on Windows 2000? If so, how do I specify a valid host-list in any of the TCP/IP commands like tracert, ping, pathping, etc.? (e.g. ping -j host-list destination). I tried a comma or space delimited list and it didn't work, nor did a file with the IPs listed work.
2. Has anyone successfully probed a private network behind a gateway, firewall or router appliance using loose or strict source routing? If so, what tools / methodology has worked best? I have been able to send packets to a host behind a Linux firewall with source routing enabled (who would do that??) using the "sing" tool, but the host on the other side was not able to communicate back to me... any ideas?
Thanks
Daniel Tatone, CCSA
Network Security Engineer - Richter Security Inc.
http://www.richtersecurity.com
dtatone () richtersecurity com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
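The filter rule Naveed and the netcat README describe, dropping source-routed packets in both directions, depends on recognising the loose (LSRR) and strict (SSRR) source-route options in the IPv4 header. The following is an added example, not code from the thread or from netcat: a small Python parser that walks the IPv4 options field and reports a loose or strict source route with its hop list, a `should_drop` policy built on it, and a `build_header` helper that constructs sample headers from the addresses in the ping output above. The function names and the sample headers are this example's own.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 0x83, 0x89  # RFC 791 option types

def find_source_route(packet: bytes):
    """Return (kind, pointer, hops) for an LSRR/SSRR option, None if absent."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl or packet[0] >> 4 != 4:
        raise ValueError("malformed IPv4 header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:  # one-byte padding, no length field
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3 or (length - 3) % 4:
                raise ValueError("bad source-route option length")
            route = opts[i + 3:i + length]  # pointer byte, then 4-byte hops
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route), 4)]
            return ("loose" if kind == IPOPT_LSRR else "strict", opts[i + 2], hops)
        i += length
    return None

def should_drop(packet: bytes) -> bool:
    """Policy from the thread: drop source-routed (and malformed) packets."""
    try:
        return find_source_route(packet) is not None
    except ValueError:
        return True

def build_header(src, dst, kind=None, hops=()):
    """Constructed sample IPv4 header (no payload) with optional LSRR/SSRR."""
    opts = b""
    if kind is not None:
        route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
        opts = bytes([kind, 3 + len(route), 4]) + route  # pointer 4 = first hop
        opts += b"\x00" * (-len(opts) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (ICMP), checksum 0
    fixed = struct.pack("!BBHHHBBH", 0x40 | ihl, 0, 20 + len(opts), 0, 0, 64, 1, 0)
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return fixed + addrs + opts
```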