OK,

> What I need is a way to use loose source routing in combination with nmap -
> a way to mangle packets and add loose source routing information to the IP
> options before nmap's packets are sent out to the wire.

Fragroute will do this for both loose and strict source route & record. However you do need each and every device in the chain (i.e. all the routers & gateways) to forward your source routed packets (and not strip the IP options out). All decent firewalls I know of scrub these options by default, and most operating systems don't forward source routed packets.

Recently I've worked a little with Todd MacDermid after playing around with two utilities of his:

lsrscan    http://www.synacklabs.net/projects/lsrscan/
lsrtunnel  http://www.synacklabs.net/projects/lsrtunnel/

lsrscan allows you to test gateways and routers to see if they forward source-routed packets and reverse the route when routing responses back, such as follows:

# lsrscan 192.168.0.0/24
192.168.0.0 does not reverse LSR traffic to it
192.168.0.0 does not forward LSR traffic through it
192.168.0.1 reverses LSR traffic to it
192.168.0.1 forwards LSR traffic through it
192.168.0.2 reverses LSR traffic to it
192.168.0.2 does not forward LSR traffic through it

You need the routers and firewalls in question to forward LSR traffic through them in order to scan and probe hosts using source routed packets. It is a bonus if the route is reversed, as you can perform spoofing attacks.

The lsrtunnel utility is specific to the spoofing issue that exists when a gateway or host is found to reverse the source route, so won't be directly useful in your case (when trying to port scan and probe boxes relative to a gateway that forwards source routed packets).

A good breakdown of the issues and supporting information can be found at http://www.synacklabs.net/OOB/LSR.html.
A second option you may have when talking about putting stuff through a firewall to internal hosts that you know are not properly protected, is to encapsulate the data somehow (such as FWZ encapsulation in the case of Checkpoint FW-1).

HTH,
Chris

Chris McNab
Technical Director
Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com
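The post turns on whether devices in the path forward or scrub the LSRR/SSRR IP options. As an added example (not code from the post, from lsrscan or from fragroute), the parser below decodes the option area of a raw IPv4 header so a defender can verify on captured traffic that a firewall really strips source-route options, or flag packets that still carry them; the function names and the sample header bytes are constructed for this illustration.

```python
import ipaddress
import struct

# IPv4 option numbers from RFC 791: LSRR = 131, SSRR = 137, Record Route = 7
ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR", 7: "RR"}


def parse_ip_options(header: bytes):
    """Return [(name, pointer, [hop addresses])] for every route option found.
    Raises ValueError on a malformed option area (bad IHL, truncated option)."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("bad IHL or truncated header")
    opts, found, i = header[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List: nothing further is parsed
            break
        if kind == 1:          # No Operation: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the option area")
        if kind in ROUTE_OPTIONS:
            if length < 3:
                raise ValueError("route option too short for a pointer")
            pointer = opts[i + 2]                    # 1-based offset of next hop slot
            addrs = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) // 4 * 4, 4)]
            found.append((ROUTE_OPTIONS[kind], pointer, hops))
        i += length
    return found


def has_source_route(header: bytes) -> bool:
    """True if the header carries a loose or strict source route option."""
    return any(name in ("LSRR", "SSRR") for name, _, _ in parse_ip_options(header))


def build_header(options: bytes, src="10.0.0.5", dst="192.168.0.2") -> bytes:
    """Constructed sample: minimal IPv4 header carrying the given option bytes."""
    padded = options + b"\x00" * (-len(options) % 4)   # option area is 32-bit aligned
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + padded


# Constructed LSRR option: type 0x83, length 11, pointer 4, hops 192.168.0.1 -> 192.168.0.2
LSRR_SAMPLE = b"\x83\x0b\x04" + bytes([192, 168, 0, 1]) + bytes([192, 168, 0, 2])
```

Feed `parse_ip_options` the first IHL*4 bytes of each captured IP packet on both sides of the firewall; a packet that parses with an LSRR/SSRR entry on the inside after being sent with one from the outside shows the options are not being scrubbed.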
This archive was generated by hypermail 2b30 : Fri May 09 2003 - 11:48:42 PDT