Issues with TEARDROP attacks within ISS, or possibly my mind.

From: CybrSpy (cybrspyat_private)
Date: Wed May 08 2002 - 23:26:14 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    I've been doing some pen-testing against some IDS's and noticed something
    curious with ISS's vuln scanner (and I may be missing something, part of why
    I'm posting here): I can't get their TEARDROP attack to trigger.  Nessus's
    will, as will the actual old exploit from packetstorm.  I did some tcpdumps
    of the packets and it doesn't appear to me that what ISS calls a TEARDROP
    attack really is.  My understanding of TEARDROP is that it's a UDP packet
    with the first datagram having a fragment offset of 0.  Here's what I
    collected as ISS's teardrop:
    
    11:10:39.060045 192.168.2.220.14370 > 10.100.100.35.139: S [tcp sum ok] 866564
    143:866564143(0) win 5840 <mss 1460,nop,wscale 0,nop,nop,timestamp 0
    0,nop,nop,sackOK> (DF) (ttl 63, id 38871, len 64)
    0x0000   4500 0040 97d7 4000 3f06 28e0 868d 85ec        E..@..@.?.(.....
    0x0010   0a64 6423 3822 008b 33a6 b82f 0000 0000        .dd#8"..3../....
    0x0020   b002 16d0 7fad 0000 0204 05b4 0103 0300        ................
    0x0030   0101 080a 0000 0000 0000 0000 0101 0402        ................
    
    Here is a REAL TEARDROP packet right from the exploit:
    
    10:56:36.576566 10.100.100.113 > 192.168.2.220: (frag 242:4@24) (ttl 63, len
    24)
    0x0000   4500 0018 00f2 0003 3f11 ffad 0a64 6471        E.......?....ddq
    0x0010   868d 85d0 0c0a a890 0000 0000 0000 0000        ................
    0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
    
    
    Not only is ISS's packet not UDP, but it's not even fragmented.  Now I'll be
    the first to admit that I may have missed something, but has anyone else
    noticed the same thing?  Or can someone verify what I've been seeing?  Or at
    least point me toward something I may have missed.
    
    TIA
    - --
    CybrSpy
    CybrSpy Networks
    cybrspyat_private
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE82haK/EoUIHtkmYQRAgDiAKCBZAdYozfgYC2h8/G77rN+gwcrJgCeKYI0
    tyZuHMGZ3FxCdr7kgpO2sF8=
    =SZka
    -----END PGP SIGNATURE-----
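The comparison the poster is making can be checked directly from the two hex dumps. The script below is an added example for this archive page, not code from the post, from ISS or from Nessus: it decodes the tcpdump hex lines, reports the IPv4 facts in dispute (protocol number, DF/MF flags, fragment offset, payload length) and keeps a per-datagram table of fragment byte ranges so that a fragment landing inside an earlier fragment of the same datagram is flagged, which is the traffic shape a sensor has to see before a teardrop signature can fire. The first fragment of the exploit is not in the post, so a first fragment with MF set, offset 0 and a 36-byte payload is constructed here as an assumption; the addresses are taken from the dump bytes, which decode to a different destination than the text line of the tcpdump output shows.

```python
"""Decode the two tcpdump hex dumps from the post and check IPv4 fragment fields.

Added example for this thread; not from the original post, ISS or Nessus.
"""
import socket
import struct

# Hex dumps copied from the post (tcpdump -x style, 4-digit hex groups).
ISS_DUMP = """
0x0000   4500 0040 97d7 4000 3f06 28e0 868d 85ec
0x0010   0a64 6423 3822 008b 33a6 b82f 0000 0000
0x0020   b002 16d0 7fad 0000 0204 05b4 0103 0300
0x0030   0101 080a 0000 0000 0000 0000 0101 0402
"""

TEARDROP_DUMP = """
0x0000   4500 0018 00f2 0003 3f11 ffad 0a64 6471
0x0010   868d 85d0 0c0a a890 0000 0000 0000 0000
0x0020   0000 0000 0000 0000 0000 0000 0000
"""

PROTO_NAMES = {6: "TCP", 17: "UDP"}


def hexdump_to_bytes(dump):
    """Turn '0xNNNN  hhhh hhhh ...' lines into raw bytes; a trailing ASCII column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("0x"):
            continue
        for group in parts[1:]:
            is_hex = len(group) in (2, 4) and all(c in "0123456789abcdefABCDEF" for c in group)
            if not is_hex:
                break  # reached the ASCII column tcpdump prints after the hex
            out += bytes.fromhex(group)
    return bytes(out)


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header plus the fields needed to reason about fragments."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }
    # A packet is part of a fragmented datagram if MF is set or it does not start at 0.
    hdr["fragmented"] = hdr["mf"] or hdr["frag_offset"] > 0
    hdr["payload_len"] = total_len - ihl
    # Only an unfragmented TCP packet carries a readable TCP header.
    if proto == 6 and not hdr["fragmented"] and len(pkt) >= ihl + 14:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
        hdr["tcp"] = {"sport": sport, "dport": dport, "syn": bool(off_flags & 0x02)}
    return hdr


def describe(hdr):
    """One-line summary of the facts relevant to the 'is this a teardrop?' question."""
    name = PROTO_NAMES.get(hdr["proto"], str(hdr["proto"]))
    if hdr["fragmented"]:
        return "%s fragment id=%d offset=%d payload=%d MF=%s" % (
            name, hdr["id"], hdr["frag_offset"], hdr["payload_len"], hdr["mf"])
    return "%s unfragmented id=%d DF=%s" % (name, hdr["id"], hdr["df"])


class FragmentTracker:
    """Record fragment byte ranges per datagram and report overlaps with earlier ones."""

    def __init__(self):
        self.seen = {}  # (src, dst, id, proto) -> list of (start, end) byte ranges

    def add(self, hdr):
        """Return True if this fragment overlaps a fragment already seen for the same datagram."""
        if not hdr["fragmented"]:
            return False
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        start, end = hdr["frag_offset"], hdr["frag_offset"] + hdr["payload_len"]
        ranges = self.seen.setdefault(key, [])
        overlap = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return overlap


def analyse_teardrop_pair():
    """Feed a constructed first fragment, then the post's second fragment, to the tracker."""
    # Constructed (assumption, not from the post): first fragment of the same datagram,
    # MF set, offset 0, 36-byte payload, so the post's 4 bytes at offset 24 land inside it.
    first = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 242, 0x2000, 63, 17, 0,
                        socket.inet_aton("10.100.100.113"),
                        socket.inet_aton("134.141.133.208")) + bytes(36)
    tracker = FragmentTracker()
    first_overlaps = tracker.add(parse_ipv4(first))
    second_overlaps = tracker.add(parse_ipv4(hexdump_to_bytes(TEARDROP_DUMP)))
    return first_overlaps, second_overlaps


if __name__ == "__main__":
    for label, dump in (("ISS", ISS_DUMP), ("exploit", TEARDROP_DUMP)):
        print(label, "->", describe(parse_ipv4(hexdump_to_bytes(dump))))
    print("overlap flags (first, second):", analyse_teardrop_pair())
```

Running it prints the ISS packet as an unfragmented TCP packet with DF set (the SYN to port 139 from the tcpdump line) and the exploit packet as a UDP fragment at offset 24 carrying 4 bytes, and the overlap flag is raised only once the second fragment is seen against a first fragment that covers it, which is the state a detector has to keep to tell teardrop traffic from ordinary fragments.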
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 11:36:23 PDT