Sure thing. IOS routers would forward source-routed packets depending on configuration (yes by default, can be turned off, should be turned off, our best practices strongly advise to turn it off :D) - PIX firewalls are even more fussy. Best thing would be to compromise a host dual-homed to those "private" networks and also to "public" networks - or a network device itself, and make it route the packets the way you want.

> -----Original Message-----
> From: R. DuFresne [mailto:dufresneat_private]
> Sent: Thursday, May 08, 2003 4:47 PM
> To: Oliver Enzmann
> Cc: pen-testat_private
> Subject: Re: Loose source routing for remote host discovery
>
> The main trouble you face is that while the tools and toys you are using might allow such 'loose source routing', the question and sticker might well be, "do the devices your specially crafted packets need to traverse also play the same game?" If those maintaining them have any salt to their meat, I'm betting they do not, and so your packets will only make it so far and then return information about route/host/service not found, etc. You can toss packets at a device, but, if the device is not configed to play nicely with those packets, all the mangling in the world will not get that device to pass 'em. Of course, the devices meant to be traversed could have OS flaws or HW issues that fail them 'open' if they are hit hard enough or with truly mangled enough packets, but, not the thing one might wish to place bets upon.
>
> Thanks,
>
> Ron DuFresne
>
> On Thu, 8 May 2003, Oliver Enzmann wrote:
>
> > Hello,
> >
> > I need to discover hosts and services on remote subnets using nmap or similar.
> > However, routes to/from some of these subnets have local significance only and are therefore not redistributed into the global routing tables. The lack of complete routing tables obviously causes end-to-end layer 3 connectivity and scanning of these subnets to fail.
> >
> > What I need is a way to use loose source routing in combination with nmap - a way to mangle packets and add loose source routing information to the IP options before nmap's packets are sent out to the wire.
> >
> > I've looked at netcat (-g option to add source routing information) but I would prefer to use nmap for the actual scanning. Also, hping2-rc2 seems to support source routing but I haven't tried it yet mainly because nmap is the tool of choice.
> >
> > This is on Linux with kernel 2.4. Netfilter or iproute2 tricks would be definite possibilities.
> >
> > TIA, Oliver
> >
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> ---------------------------------------------------------------------------
> Did you know that you have VNC running on your network? Your hacker does.
> Plug your security holes.
> Download a free 15-day trial of VAM:
> http://www.securityfocus.com/StillSecure-pen-test
> ---------------------------------------------------------------------------
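The thread turns on whether the devices in the path will honour a loose (LSRR) or strict (SSRR) source-route option carried in the IPv4 header. A defender who has followed the "turn it off" advice above wants a way to confirm it, for example by inspecting what actually arrives on the inside of a border router. The following is an added example, not code from anyone in this thread: a small IPv4 option parser that flags LSRR/SSRR and reports the hop list, plus two constructed header samples (no payload, checksum left at zero, addresses invented) to exercise it. Option type values (131 for LSRR, 137 for SSRR, 7 for record-route) are the RFC 791 assignments.

```python
import struct
import ipaddress
from typing import Dict, List, Optional

# IPv4 option type values as assigned in RFC 791
IPOPT_EOOL = 0     # end of option list (single byte)
IPOPT_NOP = 1      # no-operation padding (single byte)
IPOPT_RR = 7       # record route
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> List[Dict]:
    """Walk the option area of an IPv4 header and return one dict per option.

    Route-type options (RR, LSRR, SSRR) get a decoded pointer and hop list.
    Malformed lengths raise ValueError instead of being silently skipped,
    which is what a monitoring tool should do with a packet it cannot trust.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")

    options: List[Dict] = []
    buf = packet[20:ihl]                  # everything after the fixed header
    i = 0
    while i < len(buf):
        opt_type = buf[i]
        if opt_type == IPOPT_EOOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option type without length byte")
        opt_len = buf[i + 1]
        if opt_len < 2 or i + opt_len > len(buf):
            raise ValueError(f"bad option length {opt_len} for type {opt_type}")
        data = buf[i + 2:i + opt_len]
        entry: Dict = {"type": opt_type, "length": opt_len}
        if opt_type in SOURCE_ROUTE_OPTIONS or opt_type == IPOPT_RR:
            # layout: pointer byte followed by a list of 4-byte addresses
            if len(data) < 1 or (len(data) - 1) % 4 != 0:
                raise ValueError("malformed route option")
            hops = [str(ipaddress.IPv4Address(data[j:j + 4]))
                    for j in range(1, len(data), 4)]
            entry.update({"name": SOURCE_ROUTE_OPTIONS.get(opt_type, "RR"),
                          "pointer": data[0], "route": hops})
        options.append(entry)
        i += opt_len
    return options


def source_route_alert(packet: bytes) -> Optional[str]:
    """Return a one-line alert if the header carries LSRR or SSRR, else None."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    for opt in parse_ipv4_options(packet):
        if opt["type"] in SOURCE_ROUTE_OPTIONS:
            return (f"{opt['name']} option from {src} to {dst} "
                    f"via {' -> '.join(opt['route'])}")
    return None


def _ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 header (no payload, checksum 0) for testing."""
    while len(options) % 4:               # pad option area to a 32-bit boundary
        options += bytes([IPOPT_EOOL])
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        0x40 | ihl_words, 0, 20 + len(options), 0x1234, 0,
                        64, 6, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


# Constructed samples: a header carrying an LSRR option with two hops, and a plain one.
LSRR_PACKET = _ipv4_header(
    "10.0.0.5", "192.168.50.1",
    bytes([IPOPT_LSRR, 11, 4])
    + ipaddress.IPv4Address("10.0.0.1").packed
    + ipaddress.IPv4Address("172.16.0.1").packed)
PLAIN_PACKET = _ipv4_header("10.0.0.5", "192.168.50.1")

if __name__ == "__main__":
    for pkt in (LSRR_PACKET, PLAIN_PACKET):
        print(source_route_alert(pkt) or "no source-route option")
```

Run against captured headers (for example the first 60 bytes of each frame's IP layer from a pcap), any alert on the inside of a device configured to drop source-routed packets is evidence the control is not doing what the configuration claims.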
This archive was generated by hypermail 2b30 : Fri May 09 2003 - 11:03:16 PDT