Re: A tool for crafting ESP packets

From: Loki (loki@fatelabs.com)
Date: 11/26/01


Message-Id: <200111260526.fAQ5QGV18098@pa-lnx01.fatelabs.com>
From: Loki <loki@fatelabs.com>
To: "samsi data" <samsidata@hotmail.com>, nelson@tw-award.com, pen-test@securityfocus.com
Subject: Re: A tool for crafting ESP packets
Date: Mon, 26 Nov 2001 00:26:15 -0500

SD--

Thank you for the much more detailed response regarding this matter. I found
it funny that none of the man pages on the nmap homepage listed anything in
regards to the keyword ESP. It looks like regarding that
vulnerability/advisory the packet does not in fact contain actual ESP or AH
headers, just the protocol number identifying it to be an ESP packet (in
effect causing OpenBSD to crash because it can not handle "empty" AH/ESP
packets.)

If this is in fact not the case and nmap does generate fully compliant IPSec
packets, please let me know as this is definitely functionality none of my
other researchers, nor I, have ever seen in nmap.

P.S. If anyone has a tcpdump of those packets the AH/ESP packets nmap
apparently throws out, I'd love to see them. Guess I could just check it out
myself (heh). Laziness should be a sin.

Loki
www.fatelabs.com

On Sunday 25 November 2001 11:00 pm, samsi data wrote:
> Actually nmap does send malformed AH/ESP datagrams (or packets, not sure
> what else you would call them). Well, sort of. Do a tcpdump while doing an
> nmap IP Protocol scan and you will see zero length AH/ESP (IP protocol
> 51/50) datagrams (as well as every other IP protocol between 0 and 255)
> being sent to the target with the goal of eliciting an ICMP IP Protocol
> unreachable.
>
> There was a vulnerability in OpenBSD's IPSEC implementation where you could
> crash the box with an Nmap IP Protocol scan that illustrates this issue.
> See http://securityfocus.com/bid/1723
>
> - s d
>
> >Can you give me a URL to where it says NMAP crafts ESP packets, as I've
> >read all through the documentation and man page. Also, AH isn't a "packet";
> >it provides authentication mechanisms for IP datagrams and protection
> >against replay attacks.
> >
> >RFC 2402:
> >ftp://ftp.isi.edu/in-notes/rfc2402.txt
> >
> >Loki
> >www.fatelabs.com
> >
> >On Saturday 24 November 2001 04:44 pm, Nelson Brito wrote:
> > > I guess that the nmap BETA versions can send ESP, AH and a lot of
> > > other protocols' packets.
> > >
> > > If you wanna do something different, just like customize the packets,
> > > use the power, read the code, LUKE.
> > >
> > > That's all,
> >
> >----------------------------------------------------------------------------
> >This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> >Service. For more information on SecurityFocus' SIA service which
> >automatically alerts you to the latest security vulnerabilities please see:
> >https://alerts.securityfocus.com/
>

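An added example, written for this archive page and not part of the thread or of nmap itself: a small defender-side Python detector that parses raw IPv4 datagrams (as you would pull them from a capture) and labels the zero-length AH/ESP datagrams samsi data describes, i.e. an IP header carrying protocol number 50 or 51 with no ESP or AH header behind it. It goes a step beyond the thread by also grouping empty-payload datagrams per source, which is the signature of the wider 0-255 protocol sweep the scan performs. The packet bytes are constructed inline for the demonstration (documentation addresses, zero checksum); the minimum lengths assume the fixed ESP header (SPI + sequence number, RFC 2406) and the 12-byte fixed AH header (RFC 2402).

```python
"""Flag zero-length AH/ESP datagrams and per-source IP protocol sweeps in raw IPv4 packets."""
import struct
from collections import defaultdict

IPPROTO_ESP = 50
IPPROTO_AH = 51
ESP_MIN_LEN = 8    # SPI (4 bytes) + sequence number (4 bytes), RFC 2406
AH_MIN_LEN = 12    # next header, payload len, reserved, SPI, sequence, RFC 2402


def parse_ipv4(pkt):
    """Parse a raw IPv4 datagram (no link-layer header) into header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("inconsistent IHL / total length")
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "payload": pkt[ihl:total_len],   # bytes past total_len are padding, not payload
    }


def classify_ipsec(pkt):
    """Label a datagram 'other', or '<esp|ah>-empty' / '-truncated' / '-ok'."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] == IPPROTO_ESP:
        name, minimum = "esp", ESP_MIN_LEN
    elif hdr["proto"] == IPPROTO_AH:
        name, minimum = "ah", AH_MIN_LEN
    else:
        return "other"
    n = len(hdr["payload"])
    if n == 0:
        return name + "-empty"       # protocol number only: the probe the thread describes
    if n < minimum:
        return name + "-truncated"   # too short to hold even the fixed SPI/sequence fields
    return name + "-ok"


def find_protocol_sweeps(packets, min_protocols=8):
    """Return {src: [protocol numbers]} for sources that sent empty datagrams for many protocols."""
    seen = defaultdict(set)
    for pkt in packets:
        try:
            hdr = parse_ipv4(pkt)
        except ValueError:
            continue                 # unparsable frames are not counted toward a sweep
        if len(hdr["payload"]) == 0:
            seen[hdr["src"]].add(hdr["proto"])
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_protocols}


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 datagram as test data (checksum left zero; the parser ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


# Constructed sample: 192.0.2.10 sends empty datagrams for protocols 44..55 (a sweep that
# passes through ESP=50 and AH=51); 192.0.2.20 sends a plausible ESP datagram with SPI,
# sequence number and 16 bytes of encrypted payload.
SAMPLE_PACKETS = [build_ipv4("192.0.2.10", "192.0.2.1", p) for p in range(44, 56)]
SAMPLE_PACKETS.append(build_ipv4("192.0.2.20", "192.0.2.1", IPPROTO_ESP,
                                 b"\x00\x00\x01\x02" + b"\x00\x00\x00\x01" + b"\xaa" * 16))

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        h = parse_ipv4(pkt)
        print(h["src"], "->", h["dst"], "proto", h["proto"], classify_ipsec(pkt))
    print("sweeps:", find_protocol_sweeps(SAMPLE_PACKETS))
```

A closed protocol number normally earns an ICMP destination unreachable, type 3 code 2 (protocol unreachable), which is the reply the scan listens for; a stack that instead tries to interpret the missing AH/ESP header is the failure mode the OpenBSD advisory in the thread concerns, and the "-empty" label is what you would want an IDS rule or a capture review to surface.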
