Full Disclosure mailing list archives
Re: Should nmap cause a DoS on cisco routers?
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 1 Jul 2010 22:42:00 +0200
I would not object to posts on Full-Disclosure along the lines of "nmap -sV crashes x device". Unauthenticated remote permanent DoS's from standard network scanning tools are certainly legitimate findings, and if this gives more power to the QA guy in $NETWORKVENDOR, all the better.

On Thu, Jul 1, 2010 at 10:27 PM, Cor Rosielle <cor () outpost24 com> wrote:

Hi Thierry,

I agree this is a vulnerability. I also want to clear up an apparent misunderstanding: I don't tell people not to scan with -sV, but to be careful because it is a dangerous switch that is known to sometimes crash devices. When you are testing a target, you have to know your tools and this is one of the characteristics of nmap.

When testing, there are often some alternatives to choose from. And if the objective is to find out if there are any vulnerabilities in a host, then nmap -sV is one of the tools in the toolbox you can use. But if you just want to know the version of SNMP running, like Shang did, you just might want to choose another tool. (I would have used something like:

for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string $HOST sysDescr.0; done

to find out if SNMP v1 was supported.)

Regards,
Cor

On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:

Hi Shang,

If this is possible you have found a vulnerability. Any way to remotely cause DoS with special or harmless code is per se a vulnerability. Instead of telling somebody not to scan with -sV you are better off reporting the vulnerability (ies).

Regards,
Thierry

coc> During my training classes I always tell the -sV switch is
coc> dangerous and known to (sometimes) crash the target.
coc> Usually a better tool to test open udp ports is unicornscan, but
coc> that doesn't have a switch like -iL. Since you are testing your
coc> own devices and you know the community string, you could consider
coc> to loop through the list of IP's and snmpget a value from the MIB.
coc> Cor
coc> sent from a mobile device
coc> ----Original message----
coc> From: Shang Tsung
coc> Sent: 30-06-2010 13:03:32
coc> Subject: Should nmap cause a DoS on cisco routers?
coc> Hello,
coc> Some days ago, I had the task to discover the SNMP version that our
coc> servers and networking devices use. So I ran nmap using the following
coc> command:
coc> nmap -sU -sV -p 161-162 -iL target_file.txt
coc> This command was supposed to use UDP to probe ports 161 and 162, which
coc> are used for SNMP and SNMP Trap respectively, and return the SNMP
coc> version.
coc> This "innocent" command caused most networking devices to crash and
coc> reboot, causing a Denial of Service attack and bringing down the
coc> network.
coc> Now my question is.. Should this have happened? Can nmap bring the whole
coc> network down from one single machine?
coc> Is this a configuration error of the networking devices?
coc> This is scary...
coc> Shang Tsung
coc>
coc> ------------------------------------------------------------------------
coc> This list is sponsored by: Information Assurance Certification Review Board
coc> Prove to peers and potential employers without a doubt that you
coc> can actually do a proper penetration test. IACRB CPT and CEPT
coc> certs require a full practical examination in order to become certified.
coc> http://www.iacertification.org
coc> ------------------------------------------------------------------------
coc> _______________________________________________
coc> Full-Disclosure - We believe in it.
coc> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
coc> Hosted and sponsored by Secunia - http://secunia.com/
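Added example, not part of any message in this thread: a minimal SNMPv1 sysDescr.0 query in Python, hand-encoded in BER, to show what the snmpget loop Cor describes actually puts on the wire. Each host receives exactly one well-formed GetRequest (version 0 = SNMPv1, one varbind, NULL value), which is the point of preferring it over nmap -sV's battery of version-detection probes when the only question is "which SNMP version answers here". The community string "public", the sample reply and the host list path are constructed placeholders; the network function only runs if you call it, and the encoder/decoder can be exercised offline against the constructed reply.

```python
"""Minimal SNMPv1 GetRequest for sysDescr.0 (added example; BER encoded by hand)."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0


def _tlv(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a BER tag-length-value; long-form length when >= 128 bytes."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _int(value: int) -> bytes:
    """BER INTEGER, two's-complement; the extra bit keeps positive values positive."""
    if value == 0:
        return _tlv(0x02, b"\x00")
    nbytes = (value.bit_length() + 8) // 8
    return _tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def _oid(arcs) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return _tlv(0x06, bytes(body))


def build_get_request(community: str, request_id: int, oid=SYS_DESCR_OID) -> bytes:
    """Encode one SNMPv1 GetRequest message carrying a single OID."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)   # version 0 = v1


def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, payload, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        nlen = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(datagram: bytes) -> dict:
    """Decode an SNMPv1 GetResponse and return its header fields and first value."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(varbinds, 0)
    _, _oid_body, p = _read_tlv(vb, 0)
    vtag, value, _ = _read_tlv(vb, p)
    return {
        "version": int.from_bytes(ver, "big", signed=True),
        "community": community.decode("ascii", errors="replace"),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "error_status": int.from_bytes(err, "big", signed=True),
        "value": value.decode("ascii", errors="replace") if vtag == 0x04 else None,
    }


def query_sys_descr(host: str, community: str, timeout: float = 2.0, request_id: int = 1):
    """Send one GetRequest to UDP/161 and return the parsed reply, or None on timeout."""
    req = build_get_request(community, request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_get_response(data)
    if reply["request_id"] != request_id:       # ignore stray/forged datagrams
        raise ValueError("reply does not match request id")
    return reply


# Constructed sample reply, shaped as an agent would answer build_get_request("public", 1).
CONSTRUCTED_RESPONSE = _tlv(0x30, _int(0) + _tlv(0x04, b"public") + _tlv(
    0xA2, _int(1) + _int(0) + _int(0) + _tlv(0x30, _tlv(
        0x30, _oid(SYS_DESCR_OID) + _tlv(0x04, b"Example Router, constructed sysDescr")))))

if __name__ == "__main__":
    print(build_get_request("public", 1).hex())
    print(parse_get_response(CONSTRUCTED_RESPONSE))
    # for host in open("file.with.hosts"): print(query_sys_descr(host.strip(), "public"))
```

A device that only speaks v2c or v3 will typically stay silent or return an error-status rather than a sysDescr string, so "no answer within the timeout" is itself the signal the loop is looking for; compare that single 40-byte datagram with the dozens of payloads nmap -sV sends per UDP port.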