Re: Loose source routing for remote host discovery

From: Chris McNab <chris.mcnab(at)trustmatta.com>
Date: Fri May 09 2003 - 09:58:49 EDT


OK,

> What I need is a way to use loose source routing in combination with nmap -
> a way to mangle packets and add loose source routing information to the IP
> options before nmap's packets are sent out to the wire.

Fragroute will do this for both loose and strict source route & record. However you do need each and every device in the chain (i.e. all the routers & gateways) to forward your source routed packets (and not strip the IP options out). All decent firewalls I know of scrub these options by default, and most operating systems don't forward source routed packets.

Recently I've worked a little with Todd MacDermid after playing around with two utilities of his:

	lsrscan    http://www.synacklabs.net/projects/lsrscan/
	lsrtunnel  http://www.synacklabs.net/projects/lsrtunnel/

lsrscan allows you to test gateways and routers to see if they forward source-routed packets and reverse the route when routing responses back, such as follows:

	# lsrscan 192.168.0.0/24
	192.168.0.0 does not reverse LSR traffic to it
	192.168.0.0 does not forward LSR traffic through it
	192.168.0.1 reverses LSR traffic to it
	192.168.0.1 forwards LSR traffic through it
	192.168.0.2 reverses LSR traffic to it
	192.168.0.2 does not forward LSR traffic through it

You need the routers and firewalls in question to forward LSR traffic through them in order to scan and probe hosts using source routed packets. It is a bonus if the route is reversed, as you can perform spoofing attacks.

The lsrtunnel utility is specific to the spoofing issue that exists when a gateway or host is found to reverse the source route, so won't be directly useful in your case (when trying to port scan and probe boxes relative to a gateway that forwards source routed packets). A good breakdown of the issues and supporting information can be found at http://www.synacklabs.net/OOB/LSR.html.

A second option you may have when talking about putting stuff through a firewall to internal hosts that you know are not properly protected, is to encapsulate the data somehow (such as FWZ encapsulation in the case of Checkpoint FW-1).


HTH, Chris

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com
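As an added illustration (not part of Chris's message, nor code from lsrscan, lsrtunnel or fragroute), the Python below builds an IPv4 probe carrying a Loose Source and Record Route option the way a mangler such as fragroute would, steps it through a gateway that forwards source-routed packets (recording its own address in the option, as RFC 791 specifies), and computes the reversed route a host that "reverses" LSR traffic would use for its reply. The addresses are constructed from documentation ranges, and nothing is written to the wire; the packet-building and option-parsing helpers are this example's own, not an API of any of the tools named above.

```python
"""Loose source routing (LSRR, RFC 791 s.3.1) worked through offline: build a
probe, forward it at a gateway, and derive the reply route. Example code only."""
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0x00, 0x01, 0x83, 0x89

def ip_checksum(data):
    """One's-complement sum over 16-bit words, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_lsrr(route):
    """LSRR option: type, length, pointer (4 = first address slot), then the
    hops still to visit; the last one is the real final destination."""
    if not 1 <= len(route) <= 9:
        raise ValueError("LSRR carries 1..9 addresses (option length <= 39)")
    body = b"".join(socket.inet_aton(a) for a in route)
    return struct.pack("!BBB", IPOPT_LSRR, 3 + len(body), 4) + body

def build_ipv4(src, dst, options=b"", payload=b"", proto=6, ttl=64):
    """Raw IPv4 packet. With a source route, `dst` is the FIRST hop, not the
    final target; the remaining hops travel inside the option."""
    options += b"\x00" * (-len(options) % 4)  # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt) or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IHL or header checksum")
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "ihl": ihl, "options": pkt[20:ihl], "payload": pkt[ihl:f[2]]}

def iter_options(opts):
    """Yield (type, offset, length) per TLV option; EOL ends, NOP is 1 byte."""
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            return
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 3 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option at offset %d" % i)
        yield t, i, opts[i + 1]
        i += opts[i + 1]

def source_route(opts):
    """(offset, pointer, length, [addresses]) of the first LSRR/SSRR, or None."""
    for t, off, ln in iter_options(opts):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = [socket.inet_ntoa(opts[off + k:off + k + 4])
                     for k in range(3, ln, 4)]
            return off, opts[off + 2], ln, addrs
    return None

def gateway_forward(pkt, my_addr):
    """What a gateway that forwards LSR traffic does: if the packet is addressed
    to it and the route is not exhausted, take the next hop from the option,
    record its own address in that slot, advance the pointer, fix the checksum.
    Returns the rewritten packet, or None when the packet is delivered locally."""
    hdr = parse_ipv4(pkt)
    sr = source_route(hdr["options"])
    if hdr["dst"] != my_addr or sr is None:
        return None
    off, ptr, ln, _ = sr
    if ptr > ln:
        return None  # route exhausted: this host is the final destination
    pkt = bytearray(pkt)
    slot = 20 + off + ptr - 1  # pointer is 1-based from the option start
    next_hop = bytes(pkt[slot:slot + 4])
    pkt[slot:slot + 4] = socket.inet_aton(my_addr)
    pkt[20 + off + 2] = ptr + 4
    pkt[16:20] = next_hop
    pkt[10:12] = b"\x00\x00"
    pkt[10:12] = struct.pack("!H", ip_checksum(bytes(pkt[:hdr["ihl"]])))
    return bytes(pkt)

def reply_route(delivered):
    """Path a host that 'reverses' LSR traffic uses for its reply: the recorded
    route reversed, ending at the source address, which is why a reversing host
    can be made to answer a spoofed source through the same gateways."""
    hdr = parse_ipv4(delivered)
    _, _, _, recorded = source_route(hdr["options"])
    return list(reversed(recorded)) + [hdr["src"]]

if __name__ == "__main__":
    # Constructed scenario: 203.0.113.5 probes 10.0.0.10 via gateway 192.0.2.1.
    probe = build_ipv4("203.0.113.5", "192.0.2.1", build_lsrr(["10.0.0.10"]), b"SYN")
    at_target = gateway_forward(probe, "192.0.2.1")
    print(parse_ipv4(at_target)["dst"], reply_route(at_target))
```

The two lsrscan results in the message map directly onto the two functions: a gateway "forwards LSR traffic through it" if it behaves like `gateway_forward` rather than dropping the packet or scrubbing the option, and a host "reverses LSR traffic to it" if its replies follow `reply_route` instead of ordinary routing. A firewall that strips IP options turns `source_route` into `None` at the first hop, which is the default behaviour Chris describes.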



Received on Fri May 9 14:50:49 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT

