Re: Should nmap cause a DoS on cisco routers?

[Cor Rosielle <cor () outpost24 com>]

Hi Thierry,

I agree this is a vulnerability. I also want to clear up an apparent
misunderstanding: I don't tell not to scan with -sV, but to be careful
because it is a dangerous switch that is known to sometimes crash
devices. When you are testing a target, you have to know your tools and
this is one of the characteristics of nmap.

When testing, there are often some alternatives to choose from. And if
the objective is to find out if there are any vulnerabilities in a host,
then nmap -sV is one of the tools in the toolbox you can use. But if you
just want to know the version of SNMP running, like Shang did, you just
might want to choose another tool. (I would have used something like:
for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string
$HOST sysDescr.0; done
to find out if SNMP v1 was supported).

Regards,
Cor


On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
> Hi Shang,
>
> If  this  is  possible  you  have  found  a  vulnerability. Any way to
> remotely  cause  DoS  with  special  or  harmless  code  is  per  se a
> vulnerability.
>
> Instead  of  telling  somebody  to not scan with -sV you are better of
> reporting the vulnerability (ies)
>
> Regards,
> Thierry
>
> coc> During my training classes I always tell the -sV switch is
> coc> dangerous and known to (sometimes) crash the target.  
>
> coc> Usually a better tool to test open udp ports is unicornscan, but
> coc> that doesn't have a switch like -iL. Since you are testing your
> coc> own devices and you know the community string, you could insider
> coc> to loop through the list of IP's and snmpget a value from the MIB.
>
> coc> Cor
>
> coc> sent from a mobile device 
>
>
> coc> ----Origineel bericht----
> coc> Van: Shang Tsung
> coc> Verzonden:  30-06-2010 13:03:32
> coc> Onderw.:  Should nmap cause a DoS on cisco routers?
>
> coc> Hello,
>
> coc> Some days ago, I had the task to discover the SNMP version that our 
> coc> servers and networking devices use. So I run nmap using the following 
> coc> command:
>
> coc> nmap -sU -sV -p 161-162 -iL target_file.txt
>
> coc> This command was supposed to use UDP to probe ports 161 and 162, which
> coc> are used for SNMP and SNMP Trap respectively, and return the SNMP 
> coc> version.
>
> coc> This "innocent" command caused most networking devices to crash and 
> coc> reboot, causing a Denial of Service attack and bringing down the 
> coc> network.
>
> coc> Now my question is.. Should this had happened? Can nmap bring the whole
> coc> network down from one single machine?
>
> coc> Is this a configuration error of the networking devices?
>
> coc> This is scary...
>
> coc> Shang Tsung
>
>
>
>
>
>
> coc>   
>
> coc> ------------------------------------------------------------------------
> coc> This list is sponsored by: Information Assurance Certification Review Board
>
> coc> Prove to peers and potential employers without a doubt that you
> coc> can actually do a proper penetration test. IACRB CPT and CEPT
> coc> certs require a full practical examination in order to become certified.
>
> coc> http://www.iacertification.org
> coc> ------------------------------------------------------------------------
>
>
> coc> _______________________________________________
> coc> Full-Disclosure - We believe in it.
> coc> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> coc> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/