Re: Loose source routing for remote host discovery

From: Chris McNab (chris.mcnabat_private)
Date: Fri May 09 2003 - 06:58:49 PDT


    OK,
    
    > What I need is a way to use loose source routing in combination with
    > nmap - a way to mangle packets and add loose source routing information
    > to the IP options before nmap's packets are sent out to the wire.
    
    Fragroute will do this for both loose and strict source route & record.
    However you do need each and every device in the chain (i.e. all the routers
    & gateways) to forward your source routed packets (and not strip the IP
    options out). All decent firewalls I know of scrub these options by default,
    and most operating systems don't forward source routed packets.
    
    Recently I've worked a little with Todd MacDermid after playing around with
    two utilities of his:
    
    	lsrscan	http://www.synacklabs.net/projects/lsrscan/
    	lsrtunnel	http://www.synacklabs.net/projects/lsrtunnel/
    
    lsrscan allows you to test gateways and routers to see if they forward
    source-routed packets and reverse the route when routing responses back,
    such as follows:
    
    	# lsrscan 192.168.0.0/24
    	192.168.0.0 does not reverse LSR traffic to it
    	192.168.0.0 does not forward LSR traffic through it
    	192.168.0.1 reverses LSR traffic to it
    	192.168.0.1 forwards LSR traffic through it
    	192.168.0.2 reverses LSR traffic to it
    	192.168.0.2 does not forward LSR traffic through it
    
    You need the routers and firewalls in question to forward LSR traffic
    through them in order to scan and probe hosts using source routed packets.
    It is a bonus if the route is reversed, as you can perform spoofing
    attacks.
    
    The lsrtunnel utility is specific to the spoofing issue that exists when a
    gateway or host is found to reverse the source route, so won't be directly
    useful in your case (when trying to port scan and probe boxes relative to a
    gateway that forwards source routed packets). A good breakdown of the issues
    and supporting information can be found at
    http://www.synacklabs.net/OOB/LSR.html.
    
    A second option you may have when talking about putting stuff through a
    firewall to internal hosts that you know are not properly protected, is to
    encapsulate the data somehow (such as FWZ encapsulation in the case of
    Checkpoint FW-1).
    
    HTH,
    
    Chris
    
    
    Chris McNab
    Technical Director
    
    Matta Security Limited
    18 Noel Street
    London W1F 8GN
    
    Tel: 0870 077 1100
    Web: www.trustmatta.com
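
The two properties lsrscan reports above ("forwards LSR traffic through it" and "reverses LSR traffic to it") come straight from RFC 791 loose source route (option type 131) handling. The following is an added example, not code from the original post and not lsrscan itself: a small Python simulation of how a gateway advances the option pointer and records its address, how a reversing host builds its reply from the recorded route, and how the two lsrscan checks can be expressed against that model. All addresses, node behaviour flags and the decoy source address are constructed for the illustration.

```python
"""Simulate IPv4 loose source routing (LSRR, RFC 791 option type 131).

Added example; not the original post's code and not lsrscan.  Models what
lsrscan tests: does a node forward loose-source-routed packets addressed
to it, and does it reverse the recorded route when it replies.  All
addresses and behaviour flags below are constructed.
"""
import ipaddress
from dataclasses import dataclass

LSRR = 0x83       # copied=1, class=0 (control), number=3
FIRST_ADDR = 4    # pointer value selecting the first address slot


def build_lsrr(addrs, pointer=FIRST_ADDR):
    """Encode: type, length, pointer, then the 4-byte route addresses."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return bytes([LSRR, 3 + len(body), pointer]) + body


def parse_lsrr(opt):
    """Decode to (pointer, [addr, ...]); reject malformed options."""
    if len(opt) < 3 or opt[0] != LSRR or opt[1] != len(opt) or (len(opt) - 3) % 4:
        raise ValueError("malformed LSRR option")
    addrs = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, len(opt), 4)]
    return opt[2], addrs


@dataclass
class Packet:
    src: str
    dst: str          # always the *next hop* while a source route is open
    opt: bytes = b""  # LSRR option bytes, or empty for a plain packet


@dataclass
class Node:
    addr: str
    forwards_lsr: bool = True   # processes the option and sends to next hop
    reverses_lsr: bool = True   # replies along the reversed recorded route


def network(*nodes):
    return {n.addr: n for n in nodes}


def next_hop(node, pkt):
    """RFC 791 gateway step for a LSRR packet addressed to this node:
    take the address at the pointer as the new destination, write our own
    address into that slot (recording the route), advance the pointer."""
    pointer, addrs = parse_lsrr(pkt.opt)
    slot = (pointer - FIRST_ADDR) // 4
    new_dst = addrs[slot]
    addrs[slot] = node.addr
    return Packet(pkt.src, new_dst, build_lsrr(addrs, pointer + 4))


def reverse_route(node, pkt):
    """Reply header a reversing host builds: destination is the last
    recorded hop, the option lists the remaining recorded hops back to the
    original source (the reversed route RFC 791 describes)."""
    _, recorded = parse_lsrr(pkt.opt)
    path = recorded[::-1] + [pkt.src]
    return Packet(node.addr, path[0], build_lsrr(path[1:]))


def deliver(net, pkt, max_hops=16):
    """Walk a packet through the network.  Returns (addresses that saw it,
    packet as it arrived at the last node).  A node that does not forward
    LSR drops packets whose route is still open; a completed route is
    delivered regardless (simplification: a host may accept completed
    routes yet refuse to forward open ones, as in the post's sample)."""
    trace = []
    for _ in range(max_hops):
        node = net.get(pkt.dst)
        if node is None:
            break
        trace.append(node.addr)
        if not pkt.opt or parse_lsrr(pkt.opt)[0] > len(pkt.opt):
            break                      # plain packet or route exhausted: arrived
        if not node.forwards_lsr:
            break                      # dropped / option scrubbed
        pkt = next_hop(node, pkt)
    return trace, pkt


def lsrscan(net, scanner, target, decoy="10.9.9.9"):
    """Reproduce the two lsrscan checks for one target (decoy is hypothetical)."""
    # forwards?  Source-route the probe to target with one more hop: ourselves.
    trace, _ = deliver(net, Packet(scanner, target, build_lsrr([scanner])))
    forwards = trace[-2:] == [target, scanner]
    # reverses?  Send a *completed* route claiming to come from decoy via the
    # scanner; a reversing host answers decoy through the scanner, which is
    # exactly the spoofing issue the post mentions.
    completed = build_lsrr([scanner], pointer=FIRST_ADDR + 4)
    trace, arrived = deliver(net, Packet(decoy, target, completed))
    reverses = False
    if trace and trace[-1] == target:
        node = net[target]
        reply = reverse_route(node, arrived) if node.reverses_lsr else Packet(target, decoy)
        reverses = scanner in deliver(net, reply)[0]
    return {"forwards": forwards, "reverses": reverses}


if __name__ == "__main__":
    lab = network(Node("10.0.0.5"), Node("192.168.0.1"),
                  Node("192.168.0.2", forwards_lsr=False))
    for t in ("192.168.0.1", "192.168.0.2"):
        r = lsrscan(lab, "10.0.0.5", t)
        print(t, "reverses" if r["reverses"] else "does not reverse", "LSR traffic to it")
        print(t, "forwards" if r["forwards"] else "does not forward", "LSR traffic through it")
```

Running the block prints lines in the same shape as the lsrscan output quoted in the post. The `reverses` probe is the interesting one: the scanner never has to be on the real path, it only needs to appear as an already-traversed hop in a completed route for the target's reply to be steered through it.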
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 11:48:42 PDT