Penetration Testing mailing list archives
Re: Traceroutes to Cisco Routers
From: juan.losada () empresas telefonica es
Date: Thu, 10 Jun 2004 15:26:53 +0200
I think the reason for the router behavior regarding traceroute is that if you perform a traceroute with UDP packets, and the UDP destination port is closed in the target host, then it will respond with an ICMP "udp port unreachable" message. Taking into account that this ICMP message is not generated as an answer to the previous UDP packet, the source IP address of this packet will be the IP address of the interface by which the packet is being sent.

However, if you perform the traceroute with ICMP packets, and ICMP is not filtered in the target router, it will respond with an ICMP "echo-reply" packet. This ICMP packet will be generated as an answer to the previous ICMP "echo-request" packet, so the router will use the destination IP address of the "echo-request" packet as the source IP address for this "echo-reply" packet.

I think that whenever a router generates a packet, the source IP address of this packet will be either:

A - If the packet is an answer to a previous packet, the source IP address of the packet will be the destination IP address of that previous packet.

B - If the packet is not an answer to a previous packet, the source IP address of the packet will be the IP address of the interface by which the packet is being sent.

The only exceptions to this rule are those packets that can be configured to be sent with a specific source IP address belonging to any of the router interfaces (snmp traps, tacacs, tftp, etc). Anyway, I think the ICMP packets generated by the router cannot be configured in this way (though I'm not sure about this).

A good test to verify this behavior is to perform a traceroute with a UDP destination port that you know is open in the target router (UDP port 161, for example, if the router has SNMP and the access-lists allow you to reach that port).

Regards, Juanjo.
"James Fields" <jvfields () tds net> on 08/06/2004 23:55:14
To: pen-test () securityfocus com
BCC: Juan Jose Losada Marcos/TDE
Subject: Re: Traceroutes to Cisco Routers
Is this with all Cisco routers? You can set certain types of packets (I believe ICMP is such a case) to always be sourced from a particular interface.

----- Original Message -----
From: "Dieter Sarrazyn" <dsr () ascure com>
To: <pen-test () securityfocus com>
Sent: Saturday, June 05, 2004 6:55 AM
Subject: Traceroutes to Cisco Routers

Hi all,

While performing pentests, I noticed some (strange) behaviour with tracerouting to Cisco routers. Performing the trace with UDP packets (default on Linux), the router answers with its IP address of the interface closest to you (external interface of the router). Performing traces with ICMP (-I flag in Linux, default in Windows), the router answers with its IP address that you are tracing to (most likely the internal interface of the router).

Anybody noticed this behaviour as well? Has somebody an explanation for this?

Regards,
Dieter
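An added example, not part of the thread, that turns the UDP-versus-ICMP comparison described above into a check: it parses two traceroute outputs to the same target and reports which device address each probe type exposed. The sample outputs, the target 192.0.2.10 and the hop addresses are constructed (RFC 5737 documentation ranges) to mirror Dieter's observation; the Linux `host (ip)` line format is assumed.

```python
import re

# Constructed traceroute outputs (assumed Linux format) for the two runs the
# thread discusses: UDP probes (default) and ICMP echo probes (-I).
TARGET = "192.0.2.10"  # address traced to: the router's far-side interface

UDP_TRACE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  203.0.113.1 (203.0.113.1)  0.412 ms  0.389 ms  0.370 ms
 2  198.51.100.9 (198.51.100.9)  4.101 ms  4.088 ms  4.061 ms
 3  198.51.100.2 (198.51.100.2)  5.317 ms  5.290 ms  5.266 ms
"""
ICMP_TRACE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  203.0.113.1 (203.0.113.1)  0.405 ms  0.381 ms  0.366 ms
 2  198.51.100.9 (198.51.100.9)  4.120 ms  4.070 ms  4.055 ms
 3  192.0.2.10 (192.0.2.10)  5.301 ms  5.284 ms  5.260 ms
"""

# Hop number, optional hostname, then the responding IP in parentheses.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+)?\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(trace):
    """Return (hop_number, responding_ip) for every hop line that answered."""
    hops = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if m:  # lines of '* * *' (no answer) and the header do not match
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def last_responder(trace):
    """Address that answered on the final hop, i.e. the target device if reached."""
    hops = parse_hops(trace)
    return hops[-1][1] if hops else None


def compare_traces(target, udp_trace, icmp_trace):
    """Summarise which addresses of the target device each probe type exposed."""
    udp_ip, icmp_ip = last_responder(udp_trace), last_responder(icmp_trace)
    udp_hops, icmp_hops = parse_hops(udp_trace), parse_hops(icmp_trace)
    return {
        "target": target,
        "udp_last_hop": udp_ip,
        "icmp_last_hop": icmp_ip,
        # Echo-reply is sourced from the echo-request's destination (rule A).
        "icmp_answers_as_target": icmp_ip == target,
        # Port-unreachable is sourced from the egress interface (rule B), so a
        # differing UDP answer at the same hop depth exposes a second address.
        "udp_exposes_other_interface": (udp_ip is not None and udp_ip != target
                                        and icmp_ip == target
                                        and udp_hops[-1][0] == icmp_hops[-1][0]),
    }
```

Run with live traceroute output captured to files instead of the constructed strings to see which interface addresses a given router reveals to each probe type.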
Current thread:
- Traceroutes to Cisco Routers Dieter Sarrazyn (Jun 07)
- Re: Traceroutes to Cisco Routers Ranjeet Shetye (Jun 09)
- Re: Traceroutes to Cisco Routers James Fields (Jun 10)
- Re: Traceroutes to Cisco Routers Frank Knobbe (Jun 10)
- <Possible follow-ups>
- Re: Traceroutes to Cisco Routers juan . losada (Jun 10)