Penetration Testing mailing list archives

Re: Tool for source routing


From: Andrew Brown <atatat () atatdot net>
Date: Sun, 3 Jun 2001 23:03:56 -0400


>> Can anyone suggest a good tool to perform ip addr spoofing via source routing?
>
> You generally use source routing in an attack to get to an address you
> couldn't otherwise (for example, RFC1918 addresses.)

bsd4.4's telnet, for example, does it.  all you need to do is add a
little c code to do the binding.  the actual source route setup it
will already do itself.

>> That is, it should replace the source addr with a spoofed one, and add the
>> real one as a source route.
>
> That implies that you're trying to spoof your source address, and get the
> victim machine to source-route back [to|through] the real attacker IP.
> It doesn't work that way.  Only the originator of a packet gets to specify
> that source routing is on.  I know of no way to force a victim to use
> source routing.

right, so you originate a packet that has source routing on and hope
that between you and the target no one is filtering source routed
packets.  also hope that the target is handling source routed packets.
most machines (five years ago, at least) would happily respond to a
source routed tcp packet with a source routed tcp packet.

>> It must also forward the received packets,
>> since their dest addr will be the spoofed one.
>>
>> It should ideally be able to sit in between other apps, both ones that use
>> connect() and ones that use raw sockets, and modify the IP packets to
>> source route.  This would allow use of preexisting tools without
>> rewrite/recompilation.
>
> Any router or bridge along the way could do that, if you had total control
> over it... but I think the basic premise of what you're trying to do is
> off.

not really...but total control of a router in between would certainly
make it easier.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."

