SD-- Thank you for the much more detailed response regarding this matter. I found it funny that none of the man pages on the nmap homepage listed anything in regards to the keyword ESP. It looks like regarding that vulnerability/advisory the packet does not in fact contain actual ESP or AH headers, just the protocol number identifying it to be an ESP packet (in effect causing OpenBSD to crash because it can not handle "empty" AH/ESP packets.) If this is in fact not the case and nmap does generate fully compliant IPSec packets, please let me know as this is definately functonality none of my other researchers, nor I, have ever seen in nmap. P.S. If anyone has a tcpdump of those packets the AH/ESP packets nmap apparently throws out, I'd love to see them. Guess I could just check it out myself (heh). Laziness should be a sin. Loki www.fatelabs.com On Sunday 25 November 2001 11:00 pm, samsi data wrote: > Actually nmap does send malformd AH/ESP datagrams (or packets, not sure > what else you would call them). Well, sort of. Do a tcpdump while doing an > nmap IP Protocol scan and you will see zero length AH/ESP (IP protocol > 51/50) datagrams (as well as every other IP protocol between 0 and 255) > being sent to the target with the goal of eliciting an ICMP IP Protocol > unreachable. > > There was vulnerability in OpenBSD's IPSEC implementation where you could > crash the box with an Nmap IP Protocol scan that illustrates this issue. > See http://securityfocus.com/bid/1723 > > - s d > > >Can you give me a URL to where it says NMAP crafts ESP packets, as I've > >read > >all through the documentation and man page. Also, AH isn't a "packet" it > >provides authentication mechanisms for IP datagrams and protection against > >replay attacks. > > > >RFC 2402: > >ftp://ftp.isi.edu/in-notes/rfc2402.txt > > > >Loki > >www.fatelabs.com > > > >On Saturday 24 November 2001 04:44 pm, Nelson Brito wrote: > > > I guess that the nmap BETA versions can send ESP, AH and a lot of > > > >anothers > > > > > protocol's packet. > > > > > > If you wanna do something differente, just like customize the packets, > > > >use > > > > > the power, read the code, LUKE. > > > > > > Sem mais, > > > >-------------------------------------------------------------------------- > >-- This list is provided by the SecurityFocus Security Intelligence Alert > > (SIA) > >Service. For more information on SecurityFocus' SIA service which > >automatically alerts you to the latest security vulnerabilities please > > see: https://alerts.securityfocus.com/ > > _________________________________________________________________ > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 11:44:06 PST