Penetration Testing mailing list archives

Re: Loose source routing for remote host discovery


From: "Chris McNab" <chris.mcnab () trustmatta com>
Date: Fri, 9 May 2003 14:58:49 +0100

OK,

What I need is a way to use loose source routing in combination with nmap:
a way to mangle packets and add loose source routing information to the IP
options before nmap's packets are sent out to the wire.

Fragroute will do this for both loose and strict source route & record.
However, you do need each and every device in the chain (i.e. all the routers
& gateways) to forward your source routed packets (and not strip the IP
options out). All decent firewalls I know of scrub these options by default,
and most operating systems don't forward source routed packets.

Recently I've worked a little with Todd MacDermid after playing around with
two utilities of his:

        lsrscan    http://www.synacklabs.net/projects/lsrscan/
        lsrtunnel  http://www.synacklabs.net/projects/lsrtunnel/

lsrscan allows you to test gateways and routers to see if they forward
source-routed packets and reverse the route when routing responses back,
such as follows:

        # lsrscan 192.168.0.0/24
        192.168.0.0 does not reverse LSR traffic to it
        192.168.0.0 does not forward LSR traffic through it
        192.168.0.1 reverses LSR traffic to it
        192.168.0.1 forwards LSR traffic through it
        192.168.0.2 reverses LSR traffic to it
        192.168.0.2 does not forward LSR traffic through it

You need the routers and firewalls in question to forward LSR traffic
through them in order to scan and probe hosts using source routed packets.
It is a bonus if the route is reversed, as you can perform spoofing
attacks.

The lsrtunnel utility is specific to the spoofing issue that exists when a
gateway or host is found to reverse the source route, so won't be directly
useful in your case (when trying to port scan and probe boxes relative to a
gateway that forwards source routed packets). A good breakdown of the issues
and supporting information can be found at
http://www.synacklabs.net/OOB/LSR.html.

A second option you may have when talking about putting stuff through a
firewall to internal hosts that you know are not properly protected, is to
encapsulate the data somehow (such as FWZ encapsulation in the case of
Checkpoint FW-1).

HTH,

Chris


Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Web: www.trustmatta.com
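The thread turns on whether perimeter devices scrub IP source-route options. Below is an added example (not code from the original post, and not part of lsrscan or lsrtunnel) showing the defender's side: a small parser that walks the IPv4 option area and flags packets carrying loose (LSRR, type 131) or strict (SSRR, type 137) source-route options, as defined in RFC 791. The helper that builds sample headers exists only to construct offline test input; the addresses in it are made up. Wired into a capture or log pipeline, this is the check that tells you whether source-routed packets are reaching the inside of a network that the firewall was supposed to protect.

```python
"""Flag IPv4 packets that carry loose/strict source-route options.

Added example for detection purposes; not from the original post or from
the lsrscan/lsrtunnel tools. Option type values are from RFC 791.
"""
import struct
from dataclasses import dataclass, field
from typing import List

# IPv4 option type bytes (copy/class bits included, as they appear on the wire).
OPT_END = 0      # end of option list
OPT_NOP = 1      # no-operation, used for alignment
OPT_RR = 7       # record route (not a source route, so not flagged here)
OPT_LSRR = 131   # 0x83 loose source and record route
OPT_SSRR = 137   # 0x89 strict source and record route


@dataclass
class SourceRoute:
    kind: str                      # "loose" or "strict"
    pointer: int                   # offset of the next hop inside the option (starts at 4)
    hops: List[str] = field(default_factory=list)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4_options(packet: bytes) -> List[SourceRoute]:
    """Return every LSRR/SSRR option found in the packet's IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]               # option area, if any
    found: List[SourceRoute] = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_END:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        if t in (OPT_LSRR, OPT_SSRR):
            if length < 3:
                raise ValueError("source-route option too short")
            pointer = opts[i + 2]
            addrs = opts[i + 3:i + length]
            if len(addrs) % 4:
                raise ValueError("route data is not a whole number of addresses")
            hops = [_ip(addrs[j:j + 4]) for j in range(0, len(addrs), 4)]
            kind = "loose" if t == OPT_LSRR else "strict"
            found.append(SourceRoute(kind, pointer, hops))
        i += length
    return found


def is_source_routed(packet: bytes) -> bool:
    """True when the header carries an LSRR or SSRR option (something a firewall should have scrubbed)."""
    return bool(parse_ipv4_options(packet))


# --- constructed sample input below; addresses are made up for the test ---

def source_route_option(kind: str, hops: List[str], pointer: int = 4) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer, then the hop list."""
    opt_type = OPT_LSRR if kind == "loose" else OPT_SSRR
    data = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    return bytes([opt_type, 3 + len(data), pointer]) + data


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header for test input only (checksum left as zero)."""
    options += b"\x00" * (-len(options) % 4)        # pad option area to 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
        bytes(int(x) for x in src.split(".")),
        bytes(int(x) for x in dst.split(".")),
    ) + options


if __name__ == "__main__":
    plain = build_ipv4_header("10.0.0.2", "192.168.0.50")
    lsrr = build_ipv4_header("10.0.0.2", "192.168.0.50",
                             source_route_option("loose", ["192.168.0.1", "10.0.0.5"]))
    for name, pkt in (("plain", plain), ("lsrr", lsrr)):
        print(name, "source-routed:", is_source_routed(pkt), parse_ipv4_options(pkt))
```

On Linux hosts the corresponding mitigation is the sysctl `net.ipv4.conf.all.accept_source_route` (set to 0, which is the usual default), so a packet this parser flags on an internal segment points at a perimeter device that forwarded it rather than at the host.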

