Penetration Testing mailing list archives
Re: A tool for crafting ESP packets
From: Loki <loki () fatelabs com>
Date: Mon, 26 Nov 2001 00:26:15 -0500
SD-- Thank you for the much more detailed response regarding this matter. I found it funny that none of the man pages on the nmap homepage listed anything in regards to the keyword ESP. It looks like regarding that vulnerability/advisory the packet does not in fact contain actual ESP or AH headers, just the protocol number identifying it to be an ESP packet (in effect causing OpenBSD to crash because it can not handle "empty" AH/ESP packets.) If this is in fact not the case and nmap does generate fully compliant IPSec packets, please let me know as this is definately functonality none of my other researchers, nor I, have ever seen in nmap. P.S. If anyone has a tcpdump of those packets the AH/ESP packets nmap apparently throws out, I'd love to see them. Guess I could just check it out myself (heh). Laziness should be a sin. Loki www.fatelabs.com On Sunday 25 November 2001 11:00 pm, samsi data wrote:
Actually nmap does send malformd AH/ESP datagrams (or packets, not sure what else you would call them). Well, sort of. Do a tcpdump while doing an nmap IP Protocol scan and you will see zero length AH/ESP (IP protocol 51/50) datagrams (as well as every other IP protocol between 0 and 255) being sent to the target with the goal of eliciting an ICMP IP Protocol unreachable. There was vulnerability in OpenBSD's IPSEC implementation where you could crash the box with an Nmap IP Protocol scan that illustrates this issue. See http://securityfocus.com/bid/1723 - s dCan you give me a URL to where it says NMAP crafts ESP packets, as I've read all through the documentation and man page. Also, AH isn't a "packet" it provides authentication mechanisms for IP datagrams and protection against replay attacks. RFC 2402: ftp://ftp.isi.edu/in-notes/rfc2402.txt Loki www.fatelabs.com On Saturday 24 November 2001 04:44 pm, Nelson Brito wrote:I guess that the nmap BETA versions can send ESP, AH and a lot ofanothersprotocol's packet. If you wanna do something differente, just like customize the packets,usethe power, read the code, LUKE. Sem mais,-------------------------------------------------------------------------- -- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/_________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- A tool for crafting ESP packets Loki (Nov 24)
- Re: A tool for crafting ESP packets Nelson Brito (Nov 24)
- Re: A tool for crafting ESP packets Loki (Nov 24)
- Re: A tool for crafting ESP packets Emre Yildirim (Nov 26)
- Re: A tool for crafting ESP packets Nelson Brito (Nov 26)
- Re: A tool for crafting ESP packets Loki (Nov 26)
- Re: A tool for crafting ESP packets Loki (Nov 24)
- Re: A tool for crafting ESP packets Nelson Brito (Nov 24)
- <Possible follow-ups>
- Re: A tool for crafting ESP packets samsi data (Nov 26)
- Re: A tool for crafting ESP packets Loki (Nov 26)
- RE: A tool for crafting ESP packets amok (Nov 28)
- RE: A tool for crafting ESP packets Jose Nazario (Nov 29)