SecurityFocus Penetration: RE: Loose source routing for remote host discovery

RE: Loose source routing for remote host discovery

Source: http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2003-05/0018.html


From: Dario Ciccarone (dciccaro_at_cisco.com)
Date: 05/08/03

To: "'R. DuFresne'" <dufresne@sysinfo.com>, "'Oliver Enzmann'" <oliver@cosec.org>
Date: Thu, 8 May 2003 18:09:33 -0300



Sure thing. IOS routers would forward source-routed packets depending on
configuration (yes by default, can be turned off, should be turned off,
our best practices strongly advise to turn it off :D)) - PIX firewalls
are even more fussy.

Best thing would be to compromise a host dual-homed to those "private"
networks and also to "public" networks - or a network device itself, and
make it route the packets the way you want.

> -----Original Message-----
> From: R. DuFresne [mailto:dufresne@sysinfo.com]
> Sent: Thursday, May 08, 2003 4:47 PM
> To: Oliver Enzmann
> Cc: pen-test@securityfocus.com
> Subject: Re: Loose source routing for remote host discovery
>
>
>
> The main trouble you face is that while the tools and toys
> you are using might allow such 'loose source routing', the
> question and sticker might well be, "do the devices your
> specially crafted packets need to traverse also play the same
> game?" If those maintaining them have any salt to their
> meat, I'm betting they do not, and so your packets will only
> make it so far and then return information about
> route/host/service not found, etc. You can toss packets at a
> device, but, if the device is not configured to play nicely
> with those packets, all the mangling in the world will not
> get that device to pass 'em. Of course, the devices meant to
> be traversed could have OS flaws or HW issues that fail them
> 'open' if they are hit hard enough or with truly mangled
> enough packets, but that's not the thing one might wish to place bets upon.
>
>
> Thanks,


>
> Ron DuFresne
>
> On Thu, 8 May 2003, Oliver Enzmann wrote:
>
> > Hello,
> >
> > I need to discover hosts and services on remote subnets using nmap or
> > similar. However, routes to/from some of these subnets have local
> > significance only and are therefore not redistributed into the global
> > routing tables. The lack of complete routing tables obviously causes
> > end-to-end layer 3 connectivity and scanning of these subnets to fail.
> >
> > What I need is a way to use loose source routing in combination with
> > nmap - a way to mangle packets and add loose source routing information
> > to the IP options before nmap's packets are sent out to the wire.
> >
> > I've looked at netcat (-g option to add source routing information) but
> > I would prefer to use nmap for the actual scanning. Also, hping2-rc2
> > seems to support source routing but I haven't tried it yet, mainly
> > because nmap is the tool of choice.
> >
> > This is on Linux with kernel 2.4. Netfilter or iproute2 tricks would be
> > definite possibilities.
> >
> > TIA, Oliver
> >
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> "Cutting the space budget really restores my faith in
> humanity. It eliminates dreams, goals, and ideals and lets
> us get straight to the business of hate, debauchery, and
> self-annihilation."

> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
>

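An added example, not part of the thread above and not code from netcat, hping2 or nmap, showing what loose source routing actually puts on the wire and what a cooperating router does with it. It builds the LSRR IP option (RFC 791 option type 131) that netcat -g or hping2 would insert, wraps it in an IPv4 header with a correct checksum, and simulates one hop of a router that honours source routing: the next listed address becomes the new destination, the router records its own address in the slot, and the pointer advances. A router configured to drop source-routed packets (the IOS "no ip source-route" setting Dario alludes to) simply returns nothing, which is the limit Ron describes. All addresses, and the function names, are this example's own.

```python
"""Loose Source and Record Route (LSRR, RFC 791 option type 131).

Added example, not from the thread or from netcat/hping2/nmap.
All addresses are constructed for illustration.
"""
import ipaddress
import struct

IPOPT_LSRR = 0x83  # copied flag set, class 0 (control), option number 3


def build_lsrr(hops):
    """Option bytes: type, length, pointer (starts at 4), then 4 bytes per hop.

    The packet's destination field carries the first router to visit; the
    option carries the remaining hops, with the final target last.
    """
    if not 1 <= len(hops) <= 9:  # 3 + 9*4 = 39 octets is all that fits
        raise ValueError("LSRR carries 1..9 addresses")
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def pad_options(opts):
    """Pad the options field to a 4-byte multiple with end-of-option-list octets."""
    return opts + b"\x00" * ((-len(opts)) % 4)


def ip_checksum(data):
    """Ones' complement sum of 16-bit words (RFC 1071); 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, options=b"", proto=6, payload_len=0, ttl=64):
    """IPv4 header carrying the given options, with IHL and checksum filled in."""
    opts = pad_options(options)
    ihl = 5 + len(opts) // 4
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    ) + opts
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_lsrr(options):
    """Return (pointer, [hops]) for the LSRR option in an options field, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # end of option list
            return None
        if kind == 1:  # no-operation: single octet, used for alignment
            i += 1
            continue
        length = options[i + 1]
        if kind == IPOPT_LSRR:
            body = options[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(body[k:k + 4]))
                    for k in range(0, len(body), 4)]
            return options[i + 2], hops
        i += length
    return None


def forward_lsrr(dst, option, my_addr, accept_source_route=True):
    """One hop of a router handling an LSRR packet addressed to it.

    Returns (new_dst, new_option, delivered), or None when the router drops
    source-routed packets (IOS "no ip source-route", Linux
    accept_source_route=0). Pointer past the end of the option means the
    packet is at its final hop; otherwise the next listed address becomes
    the destination, the router overwrites that slot with its own address
    (the "record route" half) and the pointer moves on by 4.
    """
    if not accept_source_route:
        return None
    length, ptr = option[1], option[2]
    if ptr > length:
        return dst, option, True
    next_hop = str(ipaddress.IPv4Address(option[ptr - 1:ptr + 3]))
    recorded = option[:ptr - 1] + ipaddress.IPv4Address(my_addr).packed + option[ptr + 3:]
    return next_hop, recorded[:2] + bytes([ptr + 4]) + recorded[3:], False


def walk(first_dst, option, routers):
    """Drive the packet hop by hop. `routers` maps a router address to
    (address it records, accept_source_route); hosts not listed deliver.
    Returns the destinations seen, ending in "dropped" if a hop refuses."""
    path, dst = [first_dst], first_dst
    while True:
        iface, accept = routers.get(dst, (dst, True))
        step = forward_lsrr(dst, option, iface, accept)
        if step is None:
            return path + ["dropped"]
        dst, option, delivered = step
        if delivered:
            return path
        path.append(dst)


if __name__ == "__main__":
    # Constructed scenario: scanner 192.0.2.10 has no route to 10.20.0.5, but
    # dual-homed gateway 198.51.100.1 (inside address 10.20.0.1) does.
    opt = build_lsrr(["10.20.0.5"])
    print(build_ipv4_header("192.0.2.10", "198.51.100.1", opt).hex())
    print(walk("198.51.100.1", opt, {"198.51.100.1": ("10.20.0.1", True)}))
    print(walk("198.51.100.1", opt, {"198.51.100.1": ("10.20.0.1", False)}))
```

The two walk() calls are the whole argument of the thread in miniature: with the gateway honouring the option the packet is rewritten to 10.20.0.5 and the scan gets through, with it refusing source-routed packets the path ends at the first hop. For the actual scanning, later nmap releases added an --ip-options flag (for example --ip-options "L 198.51.100.1") that inserts exactly this option, so the netfilter mangling Oliver asks about is no longer needed on current versions.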



