
Loose source routing for remote host discovery

From: Oliver Enzmann <oliver(at)cosec.org>
Date: Thu May 08 2003 - 10:02:12 EDT


Hello,

I need to discover hosts and services on remote subnets using nmap or similar. However, routes to/from some of these subnets have local significance only and are therefore not redistributed into the global routing tables. The lack of complete routing tables obviously causes end-to-end layer 3 connectivity and scanning of these subnets to fail.

What I need is a way to use loose source routing in combination with nmap - a way to mangle packets and add loose source routing information to the IP options before nmap's packets are sent out to the wire.  

I've looked at netcat (-g option to add source routing information) but I would prefer to use nmap for the actual scanning. Also, hping2-rc2 seems to support source routing but I haven't tried it yet mainly because nmap is the tool of choice.

This is on Linux with kernel 2.4. Netfilter or iproute2 tricks would be definite possibilities.

TIA, Oliver

-- 
Unix is sexy: "unzip", "strip", "touch", "mount", "sleep".


Received on Thu May 8 13:40:20 2003
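
The loose source routing the post refers to is carried as an IPv4 header option (LSRR, type 131; the strict variant SSRR is type 137, both per RFC 791). As an added example that is not part of the original post, this is how a sensor or filter can walk the options of a raw IPv4 packet and report any source-route option it finds. The function names and the sample packet (documentation addresses, checksum left at zero) are constructed for illustration.

```python
import socket
import struct

# IPv4 option type bytes (RFC 791)
EOL, NOP, LSRR, SSRR = 0, 1, 131, 137
SOURCE_ROUTE = {LSRR: "LSRR", SSRR: "SSRR"}

def source_route_options(packet):
    """Return [(name, pointer, [hop, ...])] for each source-route option in
    a raw IPv4 packet; raise ValueError if the header is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:                          # end of option list
            break
        if kind == NOP:                          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]                     # covers type+length+data
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in SOURCE_ROUTE:
            if length < 3 or (length - 3) % 4:
                raise ValueError("bad source-route length")
            route = opts[i + 3:i + length]       # after type, length, pointer
            hops = [socket.inet_ntoa(route[j:j + 4]) for j in range(0, len(route), 4)]
            found.append((SOURCE_ROUTE[kind], opts[i + 2], hops))
        i += length
    return found

def build_sample():
    """Constructed sample: IPv4 header (IHL=8) with NOP + LSRR listing two hops."""
    hops = socket.inet_aton("198.51.100.7") + socket.inet_aton("203.0.113.9")
    lsrr = bytes([LSRR, 3 + len(hops), 4]) + hops    # pointer 4 = first entry
    header = struct.pack("!BBHHHBBH4s4s", 0x48, 0, 32, 0, 0, 64, 6, 0,
                         socket.inet_aton("192.0.2.200"), socket.inet_aton("192.0.2.1"))
    return header + bytes([NOP]) + lsrr              # 12 option bytes, aligned

if __name__ == "__main__":
    print(source_route_options(build_sample()))
```
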

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT

