Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shang:

(x-posting to full-disclosure as it looks like those guys over
there
are having a bit of a philosophical discussion over this ;))

Hi there. My name is Dario Ciccarone and I work as an Incident
Manager on the Cisco PSIRT - Product Security Incident Response Team.

Your post has certainly caught our attention - indeed, if
running an
nmap scan (no matter which specific command-line options were in use)
against a Cisco device makes it crash, we're certainly interested in
knowing more.

In order to follow-up on this, we would greatly appreciate if
you
could send us:

* a "show tech" from one or more of the affected devices -
specially
if those are different kind of devices (switches, routers, firewalls,
etc)

* if you've been able to collect any crashinfo files - those
would
also come handy

* if you have any console output/syslog messages/traceback
information coming from any of the affected devices

* the specific nmap version you're using

If you could send all of that to psirt@xxxxxxxxx (if possible,
encrypted with the PSIRT GPG public key -
http://www.cisco.com/en/US/products/products_security_vulnerability_po
licy.html#roosfassv) we would look right into it.

Much appreciated,
Dario

Dario Ciccarone <dciccaro@xxxxxxxxx>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt

This email may contain confidential and privileged material for the
sole use of the intended recipient. Any review, use, distribution or
disclosure by others is strictly prohibited. If you are not the
intended recipient (or authorized to receive for the recipient),
please contact the sender by reply email and delete all copies of
this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Shang Tsung
Sent: Wednesday, June 30, 2010 7:04 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Should nmap cause a DoS on cisco routers?

Hello,

Some days ago, I had the task to discover the SNMP version that our
servers and networking devices use. So I run nmap using the
following command:

nmap -sU -sV -p 161-162 -iL target_file.txt

This command was supposed to use UDP to probe ports 161 and
162, which
are used for SNMP and SNMP Trap respectively, and return the SNMP
version.

This "innocent" command caused most networking devices to crash and
reboot, causing a Denial of Service attack and bringing down the
network.

Now my question is.. Should this had happened? Can nmap bring
the whole
network down from one single machine?

Is this a configuration error of the networking devices?

This is scary...

Shang Tsung








--------------------------------------------------------------
----------
This list is sponsored by: Information Assurance
Certification Review Board

Prove to peers and potential employers without a doubt that
you can actually do a proper penetration test. IACRB CPT and
CEPT certs require a full practical examination in order to
become certified.

http://www.iacertification.org
--------------------------------------------------------------
----------


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBTCzeYYyVGB+6GuDwEQJDLwCfZnGVaFoSfPFaWDm7D3m8PQsmXxQAnjNO
Te6wTi7vHSzhsLMQLSq0uwql
=V0CQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • RE: Should nmap cause a DoS on cisco routers?
    ... nmap scan ... I had the task to discover the SNMP version that our ... servers and networking devices use. ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • Should nmap cause a DoS on cisco routers?
    ... This command was supposed to use UDP to probe ports 161 and 162, which are used for SNMP and SNMP Trap respectively, and return the SNMP version. ... This "innocent" command caused most networking devices to crash and reboot, causing a Denial of Service attack and bringing down the network. ... Can nmap bring the whole network down from one single machine? ...
    (Pen-Test)
  • Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?
    ... During my training classes I always tell the -sV switch is dangerous and known to crash the target. ... Van: Shang Tsung ... I had the task to discover the SNMP version that our ... servers and networking devices use. ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Should nmap cause a DoS on cisco routers?
    ... and this wasn't even a very intense Nmap scan (see ... crappy networking devices, please talk to Hewlett-Packard! ... That is HP JetDirect (TCP ports ... immediate feedback about HP printer problems that we "temporarily" ...
    (Full-Disclosure)
  • RE: net_address and MAC address
    ... I ran the command. ... The 2 agree exactly on my servers. ... no other networking devices like 802.11x, DSL modems etc connected to the ...
    (microsoft.public.sqlserver.programming)