Re: A tool for crafting ESP packets

From: samsi data (samsidata@hotmail.com)
Date: 11/26/01


From: "samsi data" <samsidata@hotmail.com>
To: loki@fatelabs.com, nelson@tw-award.com, pen-test@securityfocus.com
Subject: Re: A tool for crafting ESP packets
Date: Mon, 26 Nov 2001 04:00:44 +0000
Message-ID: <F133GXKqZGdipqc1zkk0000dc39@hotmail.com>

Actually nmap does send malformed AH/ESP datagrams (or packets, not sure what
else you would call them). Well, sort of. Do a tcpdump while doing an nmap
IP Protocol scan and you will see zero-length AH/ESP (IP protocol 51/50)
datagrams (as well as every other IP protocol between 0 and 255) being sent
to the target with the goal of eliciting an ICMP IP Protocol unreachable.

There was a vulnerability in OpenBSD's IPSEC implementation where you could
crash the box with an Nmap IP Protocol scan that illustrates this issue. See
http://securityfocus.com/bid/1723

- s d
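To make the exchange described above concrete, here is an added example (not code from the post, from nmap, or from OpenBSD) that builds the zero-length probe datagrams in pure Python, builds the ICMP type 3 / code 2 ("protocol unreachable") reply a host returns when it has no handler for that protocol number, and applies the scan logic that turns those replies into a per-protocol verdict. Nothing is put on the wire: the probes and replies are constructed in memory so it runs offline; the addresses, identifiers and the set of probed protocols are assumptions for illustration.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICMP_DEST_UNREACH = 3      # ICMP type: destination unreachable
ICMP_PROT_UNREACH = 2      # ICMP code: protocol unreachable


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used by IPv4 and ICMP headers.
    Over a header that already carries a correct checksum this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_probe(src: str, dst: str, proto: int, ident: int = 0, ttl: int = 64) -> bytes:
    """A 20-byte IPv4 header and nothing after it: the zero-length probe the
    post describes. With proto 50 or 51 this claims to be ESP/AH yet carries
    no ESP/AH header at all, which is why the receiver sees it as malformed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, ttl, proto, 0,
                      ip_addr(src), ip_addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_protocol_unreachable(src: str, dst: str, offending: bytes) -> bytes:
    """Constructed reply from a host with no handler for the probe's protocol:
    ICMP type 3 code 2 quoting the offending IP header plus up to 8 data
    octets, as RFC 792 specifies."""
    quoted = offending[:28]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      IPPROTO_ICMP, 0, ip_addr(src), ip_addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + icmp


def parse_datagram(pkt: bytes):
    """Return (protocol, payload) of an IPv4 datagram after verifying the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return pkt[9], pkt[ihl:]


def protocol_unreachable_for(pkt: bytes):
    """If pkt is an ICMP protocol-unreachable, return the protocol number of
    the probe it quotes; otherwise return None."""
    proto, payload = parse_datagram(pkt)
    if proto != IPPROTO_ICMP or len(payload) < 8 + 20:
        return None
    if payload[0] != ICMP_DEST_UNREACH or payload[1] != ICMP_PROT_UNREACH:
        return None
    if ip_checksum(payload) != 0:
        return None
    quoted_ip_header = payload[8:]
    return quoted_ip_header[9]


def classify(probed, replies):
    """Scan verdict per protocol number: a protocol-unreachable reply means the
    target has no handler ("closed"); no reply at all leaves it "open|filtered"."""
    state = {p: "open|filtered" for p in probed}
    for pkt in replies:
        p = protocol_unreachable_for(pkt)
        if p in state:
            state[p] = "closed"
    return state


def scan_example():
    # Assumed addresses and protocol list; the target is imagined to lack an
    # IPsec (50/51) and SCTP (132) stack, so only those probes bounce.
    scanner, target = "10.0.0.1", "10.0.0.2"
    probed = [1, 6, 17, IPPROTO_ESP, IPPROTO_AH, 132]
    probes = {p: build_probe(scanner, target, p, ident=p) for p in probed}
    replies = [build_protocol_unreachable(target, scanner, probes[p])
               for p in (IPPROTO_ESP, IPPROTO_AH, 132)]
    return classify(probed, replies)


if __name__ == "__main__":
    for proto, verdict in sorted(scan_example().items()):
        print(f"protocol {proto:3d}: {verdict}")
```

The interesting case for the OpenBSD bug the post cites is the probe side: a datagram whose protocol field says ESP or AH but whose total length is exactly the IP header is something an IPsec input path must reject before it reads an SPI or sequence number from bytes that are not there. The reply side shows why the scan is still useful against well-behaved stacks: the quoted header inside the ICMP error tells the scanner which of its 256 probes was rejected.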

>
>Can you give me a URL to where it says NMAP crafts ESP packets, as I've
>read all through the documentation and man page. Also, AH isn't a "packet";
>it provides authentication mechanisms for IP datagrams and protection
>against replay attacks.
>
>RFC 2402:
>ftp://ftp.isi.edu/in-notes/rfc2402.txt
>
>Loki
>www.fatelabs.com
>
>On Saturday 24 November 2001 04:44 pm, Nelson Brito wrote:
> > I guess that the nmap BETA versions can send ESP, AH and a lot of other
> > protocols' packets.
> >
> > If you wanna do something different, like customizing the packets, use
> > the power, read the code, LUKE.
> >
> > Regards,
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
