I will assume the dual homed machine is connected to an RFC 1918 address set
network on the internal side. You will *not* be able to use routing to get to
the internal network if you set your destination address to anything in the
RFC 1918 range. These packets are usually dropped on sight by most (non
clueless) ISPs. The simplest thing to do is use a packet crafting program and
construct spoofed packets that appear to come from the internal network and set
the destination address to the dual homed host. If the host is running a UDP
echo service, this makes your task significantly easier since you can use the
UDP echo service to relay your spoofed packets. Unfortunately this does not give
you access to anything since the packets will not be routed back to you unless
you can establish some sort of tunnel. If FTP is enabled you can possibly
perform an FTP bounce attack, depending on the ftpd of course.

-----Original Message-----
From: Yonatan Bokovza [mailto:Yonatanat_private]
Sent: Monday, August 20, 2001 1:54 PM
To: 'pen-testat_private'
Subject: RE: ipforwarding enabled, what can I do

OK, time to clear some smoke:

The IP protocol was designed a long long time ago (September 1981 according to
the RFC: http://www.ietf.org/rfc/rfc0791.txt), and has several archaic features
that were probably considered "cool" at that time.

Source routing divides into two features:

Loose Source Routing - means you set "Loose Source Routing" and add 1 to 8 IPs
in the IP options. The reason you can only use 8 hops is due to IP header size
limitations. Your IP packet will travel to the first IP first, and then to the
second IP and on until it travels through all the IPs you defined, and then it
will head toward the Destination. See traceroute -g.

Strict Source Routing - is quite the same, only it means setting a different
flag, and that the packet _must_ travel through _only_ the hops you wrote.
Since you can only specify 8 hops this option is of little use nowadays.

Another relevant option is "Record Route" - another flag needs to be set in the
header, and every hop the packet goes through will write its IP in the header,
hence you can get traceroute-like capabilities with one packet. -R to ping will
do that for you.

How do I attack a machine/network with this?
Suppose you have a stupid firewall with LAN and DMZ; you _might_ be able to pose
as the DMZ if you send a packet to the LAN with the IP of a DMZ server in Loose
Source Routing mode.

Real Life?
All these options are deprecated. Any good firewall should drop packets with
these flags, and any such packet should be treated like an attack by an IDS.
There are lots of TCP/IP implementations out there that don't support that, and
many routers that just drop that.

Since you've sucked your target's SNMP data, why don't you look for more
lenient weaknesses?

Best Regards,

Yonatan Bokovza
IT Security Consultant
Xpert Systems

> Vladimir Parkhaev wrote:
> >
> > I am doing a vulnerability assessment for one of our clients. One
> > of their boxes is a multihomed Solaris server with ipforwarding enabled.
> > IP addresses are available via snmp with default community string.
> >
> > I tried to use this box as a gateway to internal network coming
> > from the Internet without success. I also looked at source
> > routing but did not find any tools (Net::RawIP does not seem
> > to support IP options).
> >
> > Does anybody know how I can use this box to do routing for me?
> >
> > Thanks.
> >

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
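A defender-side check for the options Yonatan describes, added here as an example and not code from anyone in this thread: it parses an IPv4 header, walks the option list, and reports any Record Route, Loose Source Route or Strict Source Route option together with the hop list it carries, which is the kind of packet the reply says a firewall should drop and an IDS should alert on. The packet builder, the addresses and the LSRR fixture are constructed for the demonstration only.

```python
import ipaddress
import struct

# IPv4 option type codes from RFC 791: Record Route, Loose and Strict Source Route.
OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR = 0, 1, 7, 131, 137
ROUTING_OPTS = {OPT_RR: "RR", OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def routing_options(packet: bytes) -> list:
    """Return [(name, [hop, ...])] for every RR/LSRR/SSRR option; [] means none present."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        if kind in ROUTING_OPTS:
            # layout: type, length, pointer, then 4-byte addresses up to the option end
            addrs = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) // 4 * 4, 4)]
            found.append((ROUTING_OPTS[kind], hops))
        i += length
    return found


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed fixture: minimal IPv4 header, no payload, options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options


def lsrr_option(hops) -> bytes:
    """Loose Source Route option for the fixture: type 131, length, pointer 4, hop list."""
    addrs = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([OPT_LSRR, 3 + len(addrs), 4]) + addrs


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.10", "198.51.100.1", lsrr_option(["10.0.0.5", "10.0.0.9"]))
    print(routing_options(pkt))  # [('LSRR', ['10.0.0.5', '10.0.0.9'])]
```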
This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 10:04:56 PDT