Penetration Testing mailing list archives

RE: Loose source routing for remote host discovery


From: "Dario Ciccarone" <dciccaro () cisco com>
Date: Thu, 8 May 2003 14:51:18 -0300

http://www.monkey.org/~dugsong/fragroute/

Didn't work for me - it doesn't really work as LSRR and SSRR should
work. It just sets the option and copies the list of IP addresses you
supply to the end of the packet - but doesn't do the actual
source-routing pointer-juggling and such. Good Luck. Let us all know if
it worked for you :D


Dario


-----Original Message-----
From: Oliver Enzmann [mailto:oliver () cosec org] 
Sent: Thursday, May 08, 2003 11:02 AM
To: pen-test () securityfocus com
Subject: Loose source routing for remote host discovery


Hello,

I need to discover hosts and services on remote subnets using nmap or
similar. However, routes to/from some of these subnets have local
significance only and are therefore not redistributed into the global
routing tables. The lack of complete routing tables obviously causes
end-to-end layer 3 connectivity and scanning of these subnets to fail.

What I need is a way to use loose source routing in combination with
nmap - a way to mangle packets and add loose source routing information
to the IP options before nmap's packets are sent out to the wire.

I've looked at netcat (-g option to add source routing information) but
I would prefer to use nmap for the actual scanning. Also, hping2-rc2
seems to support source routing but I haven't tried it yet mainly
because nmap is the tool of choice.

This is on Linux with kernel 2.4. Netfilter or iproute2 tricks would be
definite possibilities.

TIA, Oliver
-- 
Unix is sexy: "unzip", "strip", "touch", "mount", "sleep".
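
For readers who need to spot source-routed traffic on the wire, the following is an added example, not code from either poster or from fragroute or nmap. It parses the RFC 791 LSRR/SSRR option in an IPv4 header and reports the pointer and the hops still to be visited, which is the field layout the "pointer-juggling" in the reply refers to. The function names and the sample header (documentation addresses, zero checksum) are constructed for illustration.

```python
import ipaddress
import struct

LSRR, SSRR = 131, 137  # RFC 791 option types (0x83 loose, 0x89 strict)

def find_source_route(ip_header: bytes):
    """Return details of the first LSRR/SSRR option in an IPv4 header, or None."""
    ihl = (ip_header[0] & 0x0F) * 4
    if ip_header[0] >> 4 != 4 or ihl < 20 or ihl > len(ip_header):
        raise ValueError("not a complete IPv4 header")
    opts, i = ip_header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            pointer = opts[i + 2] if length >= 3 else 0
            # Layout: type, length, pointer, then 4-byte addresses. The pointer
            # is counted from the start of the option, so its minimum is 4.
            if (length - 3) % 4 or pointer < 4 or pointer % 4:
                raise ValueError("malformed source route option")
            data = opts[i + 3:i + length]
            hops = [str(ipaddress.IPv4Address(data[j:j + 4]))
                    for j in range(0, len(data), 4)]
            used = min((pointer - 4) // 4, len(hops))  # pointer > length: route exhausted
            return {"kind": "LSRR" if kind == LSRR else "SSRR",
                    "pointer": pointer, "hops": hops, "remaining": hops[used:]}
        i += length
    return None

def sample_header(pointer=4):
    """Constructed IPv4 header (no payload, checksum left at 0) with an LSRR option."""
    route = b"".join(ipaddress.IPv4Address(a).packed
                     for a in ("198.51.100.1", "203.0.113.5"))
    options = bytes([1, LSRR, 3 + len(route), pointer]) + route  # NOP aligns to 32 bits
    hlen = 20 + len(options)
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | hlen // 4, 0, hlen, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address("192.0.2.10").packed,
                        ipaddress.IPv4Address("192.0.2.20").packed)
    return fixed + options

if __name__ == "__main__":
    print(find_source_route(sample_header()))
```

A pointer still at 4 means no hop has been consumed yet; a pointer greater than the option length means the route list is used up and the packet is routed normally on its destination address.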







