Using Emulation and More to Analyze Network Security
By: O'Reilly Media
2008-06-12
    Table of Contents:
  • Using Emulation and More to Analyze Network Security
  • Assessing source routing vulnerabilities
  • Using Specific Source Ports to Bypass Filtering
  • Low-Level IP Assessment

    Using Emulation and More to Analyze Network Security - Assessing source routing vulnerabilities

    (Page 2 of 4)

    Todd MacDermid of Syn Ack Labs (http://www.synacklabs.net) has written two excellent tools that can assess and exploit source routing vulnerabilities found in remote networks:

      LSRScan (http://www.synacklabs.net/projects/lsrscan)
      LSRTunnel (http://www.synacklabs.net/projects/lsrtunnel)

    Both tools require libpcap and libdnet to build, and they run quite smoothly in Linux and BSD environments. A white paper written by Todd that explains source routing problems in some detail is available from http://www.synacklabs.net/OOB/LSR.html. LSR attack mileage varies nowadays: most ISPs drop LSR traffic, so source-routed packets do not usually traverse the Internet.

    LSRScan. The LSRScan tool crafts probe packets with specific source routing options to determine exactly how remote hosts deal with source-routed packets. The tool checks for the following two behaviors:

    1. Whether the target host reverses the source route when sending packets back
    2. Whether the target host can forward source-routed packets to an internal host, by setting the offset pointer to be greater than the number of hops defined in the loose hop list

    The basic usage of the tool is as follows:

      $ lsrscan
      usage: lsrscan [-p dstport] [-s srcport] [-S ip]
                     [-t (to|through|both)] [-b host<:host ...>]
                     [-a host<:host ...>] <hosts>

    Some operating systems will reverse source-routed traffic only to ports that are open, so LSRScan should be run against an open port. By default, LSRScan uses a destination port of 80. The source port and source IP addresses aren’t necessary (LSRScan selects a random source port and IP address), but they can be useful in some cases.

    The -b option inserts IP addresses of hops before the user's host in the source route list, and the -a option inserts specific IP addresses after the user's host in the list (although those hosts must support source route forwarding for the scan to be effective). For more information about the flags and options, consult the LSRScan man page. Example 4-10 shows LSRScan being run against a network block to identify hosts with source routing problems.

    Example 4-10. Using LSRScan to identify source routing issues

    $ lsrscan 217.53.62.0/24
    217.53.62.0 does not reverse LSR traffic to it
    217.53.62.0 does not forward LSR traffic through it
    217.53.62.1 reverses LSR traffic to it
    217.53.62.1 forwards LSR traffic through it
    217.53.62.2 reverses LSR traffic to it
    217.53.62.2 does not forward LSR traffic through it

    Because 217.53.62.1 and 217.53.62.2 reverse the source route, spoofing attacks against them can be performed with LSRTunnel. Because 217.53.62.1 forwards source-routed traffic, it can serve as a hop into the internal network: accurate internal IP addresses must first be determined, and port scans can then be launched through fragroute (which can add source routing options to outbound packets) into that internal address space.

    LSRTunnel. LSRTunnel spoofs connections using source-routed packets. For the tool to work, the target host must reverse the source route; otherwise the user will not see the responses and cannot complete a full TCP connection as the spoofed host. LSRTunnel requires a spare IP address on the local subnet to use as a proxy for the remote host.

    Running LSRTunnel with no options shows the usage syntax:

      $ lsrtunnel
      usage: lsrtunnel -i <proxy IP> -t <target IP> -f <spoofed IP>

    The proxy IP is an unused network address an attacker uses to proxy connections between her host and the target address. The spoofed IP address is the host that appears as the originator of the connection. For additional details, consult the LSRTunnel manual page.

    In this example of LSRTunnel, 192.168.102.2 is an unused address on the same local subnet as the user's host:

      $ lsrtunnel -i 192.168.102.2 -t 217.53.62.2 -f 198.81.129.194

    At this point, LSRTunnel listens for traffic on the proxy IP (192.168.102.2). Using another system on the network, any scan or attack traffic sent to the proxy IP is forwarded to the target (217.53.62.2) and rewritten to appear as if it originated from relay2.ucia.gov (198.81.129.194).
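    The option mechanics behind both tools, as an added Python model written for this article (it is not LSRScan or LSRTunnel code and puts no packets on the wire): it encodes and parses the IPv4 loose source route (LSRR) option, emulates the two host behaviours LSRScan reports ("reverses LSR traffic to it", "forwards LSR traffic through it") following RFC 791 and RFC 1122 section 3.3.5, and shows why a host that reverses the route lets LSRTunnel see the target's replies to a spoofed source. The addresses come from the article's examples except 10.0.0.5, which is an assumed internal host.

```python
"""Model of the IPv4 LSRR option and of the host behaviours probed by LSRScan and
exploited by LSRTunnel. Added example for this article; not the tools' own code.
All addresses are from the article except 10.0.0.5, an assumed internal host."""
import ipaddress

IPOPT_LSRR = 0x83   # RFC 791: copied flag set, option class 0, option number 3
MAX_LSRR_LEN = 39   # 3 header bytes + at most 9 four-byte hop addresses


def build_lsrr(hops, pointer=4):
    """Encode an LSRR option: type, length, pointer, then the hop addresses.
    pointer is the 1-based byte offset of the next hop to use (4 = first hop);
    a pointer greater than the length means the route is already exhausted."""
    length = 3 + 4 * len(hops)
    if length > MAX_LSRR_LEN:
        raise ValueError("LSRR option holds at most 9 hops")
    if pointer < 4 or (pointer - 4) % 4:
        raise ValueError("pointer must be 4, 8, 12, ...")
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, length, pointer]) + body


def parse_lsrr(opt):
    """Decode an LSRR option into (pointer, [hop, ...]); reject malformed ones."""
    if len(opt) < 3 or opt[0] != IPOPT_LSRR:
        raise ValueError("not an LSRR option")
    length, pointer = opt[1], opt[2]
    if length != len(opt) or length > MAX_LSRR_LEN or (length - 3) % 4:
        raise ValueError("bad LSRR length")
    hops = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, length, 4)]
    return pointer, hops


def process_at_host(host_ip, opt, forwards_lsr):
    """Emulate a host receiving a source-routed datagram addressed to host_ip.

    RFC 791: if pointer > length the route is exhausted and the datagram is
    delivered locally; the recorded hops are kept for the return route.
    Otherwise the host is an intermediate LSR hop. If it forwards (the
    "forwards LSR traffic through it" verdict) it sends to the address at
    pointer, writes its own address into that slot and advances pointer by 4.
    RFC 1122 3.3.5 says host forwarding must default to off, so otherwise: drop.
    """
    pointer, hops = parse_lsrr(opt)
    if pointer > opt[1]:
        return ("deliver", hops)
    if not forwards_lsr:
        return ("drop",)
    idx = (pointer - 4) // 4
    next_hop = hops[idx]
    recorded = list(hops)
    recorded[idx] = host_ip
    return ("forward", next_hop, build_lsrr(recorded, pointer + 4))


def reply_datagram(recorded_hops, original_src):
    """Reply from a host that "reverses LSR traffic to it": the recorded route is
    reversed and the original source appended as the final destination (RFC 791,
    RFC 1122 3.3.5). Returns (IP destination field, LSRR option) for the reply.
    The first hop is whatever the sender recorded, so a spoofed source still
    gets the target's replies delivered via the sender's own address."""
    route = list(reversed(recorded_hops)) + [original_src]
    return route[0], build_lsrr(route[1:])


def lsrtunnel_reply_path(proxy_ip, target_ip, spoofed_ip):
    """LSRTunnel's trick end to end: a probe with src=spoofed_ip, dst=target_ip
    and an already-exhausted LSRR that records proxy_ip as the hop just taken.
    Returns the address the target's reply is sent to first, or None if the
    target does not deliver/reverse the route."""
    probe = build_lsrr([proxy_ip], pointer=8)          # pointer 8 > length 7
    verdict = process_at_host(target_ip, probe, forwards_lsr=False)
    if verdict[0] != "deliver":
        return None
    first_hop, _opt = reply_datagram(verdict[1], spoofed_ip)
    return first_hop


if __name__ == "__main__":
    # LSRScan forward check: 217.53.62.1 forwards into the assumed internal 10.0.0.5
    probe = build_lsrr(["10.0.0.5"])
    print(process_at_host("217.53.62.1", probe, forwards_lsr=True))
    print(process_at_host("217.53.62.2", probe, forwards_lsr=False))
    # LSRTunnel: the reply to spoofed 198.81.129.194 is sent to proxy 192.168.102.2
    print(lsrtunnel_reply_path("192.168.102.2", "217.53.62.2", "198.81.129.194"))
```

    The model is why the proxy IP matters: LSRTunnel puts it into the option as the hop the probe supposedly already passed through, so when 217.53.62.2 reverses the route the reply is addressed to 192.168.102.2 first and only then to the spoofed 198.81.129.194, letting LSRTunnel complete the handshake on the spoofed host's behalf.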
