John Lampe wrote:
> Michel Casabona wrote:
>
>> The ike_detect plugin does not always detect an active IKE service
>> because it uses a random source port. Some IKE implementations
>> answer only to source port 500.
>>
>> Note that ike_check had the same problem and was fixed already.
>>
>> Thanks
>
>
> and, some IKE implementations accept an IKE packet from an ephemeral
> source port and respond as if the source port was set to 500 (srcport
> ==dstport = 500).
>
> At any rate, I'll make that change and thanks for reporting the issue.
>
> John
>

Actually, it's already in there. We send the first UDP packet with a random src port. If we don't get a response, then it falls through to this block of code:

    if (! live)
    {
        # well, some implementations of IPSEC (Microsoft,...)
        # will receive a packet from src port != 500 and dst port=500
        # and reply from src port == 500 dst port == 500
        udpip = forge_udp_packet(ip : ip, uh_sport : port, uh_dport : port, uh_ulen : oneoff + 8, data : blat);
        live = send_packet(udpip, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:2);
    }

Any further info or a pcap (tcpdump -i <interface> -s 1500 -w ike_debug.pcap) would help greatly. Thanks.

John

--
John Lampe
Senior Security Researcher
TENABLE Network Security, Inc.
jwlampe@{nessus.org,tenablesecurity.com}
Tele: (410) 872-0555
www.tenablesecurity.com
Is your network TENABLE?
---------------------------------------

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
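For triaging a capture like the ike_debug.pcap requested above, the following added example (not part of the original message and not Nessus plugin code) matches ISAKMP replies to a probe by initiator cookie instead of by UDP port pair, so a responder that answers to port 500 rather than to the probe's random source port is still recognised. The function names, the cookie-matching approach and the sample datagrams are assumptions constructed for illustration; the 28-byte header layout is the fixed ISAKMP header from RFC 2408.

```python
import struct

IKE_PORT = 500
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes


def parse_isakmp(payload):
    """Return key header fields, or None if this is not a sane ISAKMP header."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    (icookie, rcookie, _next_payload, version,
     exchange, _flags, _msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    # The length field covers the whole message: header <= length <= datagram.
    if length < ISAKMP_HDR.size or length > len(payload):
        return None
    return {"icookie": icookie, "rcookie": rcookie,
            "major": version >> 4, "exchange": exchange, "length": length}


def classify_reply(probe_sport, icookie, datagrams):
    """datagrams: (src_port, dst_port, udp_payload) tuples seen from the target."""
    for sport, dport, payload in datagrams:
        hdr = parse_isakmp(payload)
        # Only replies from UDP/500 that echo our initiator cookie belong to the probe.
        if hdr is None or sport != IKE_PORT or hdr["icookie"] != icookie:
            continue
        if dport == probe_sport:
            return "reply-to-probe-port"   # answered the random source port
        if dport == IKE_PORT:
            return "reply-to-500"          # answered as if the probe came from 500
    return None


def sample_msg(icookie, rcookie=b"\x11" * 8):
    # Constructed header-only informational message (exchange type 5, version 1.0).
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, 5, 0, 0, ISAKMP_HDR.size)


COOKIE = b"\xaa" * 8
# Constructed capture: unrelated UDP, another initiator's exchange, then our reply.
CAPTURE = [
    (53, 40000, b"\x00" * 40),
    (500, 500, sample_msg(b"\xbb" * 8)),
    (500, 500, sample_msg(COOKIE)),
]
```

A capture filter that only accepts datagrams addressed to the probe's source port would never hand the third datagram to this matcher, which is the missed-detection case the thread describes.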
This archive was generated by hypermail 2.1.3 : Fri Oct 13 2006 - 09:57:04 PDT