Source Route/Spoofed Source

From: Evrim ULU (evrim@envy.com.tr)
Date: Sun Apr 21 2002 - 10:41:19 EDT


hi,

first message to pen-test =:/

I was trying to get behind my NAT, but I've got some problems, and people
here might know the reason.

Schematic view of the net is something like:

A (outsider) --- interface C of NAT ---- interface D of NAT ------ B (unroutable client)
                                                            ------ E (another unroutable client)

I've enabled source routing via echo 1 >
/proc/sys/net/ipv4/conf/all/accept_source_route on both NAT machine.
Client B is Win98 SE, so it answers source-routed packets. BTW, I've no
idea where to toggle this option in the registry.

Some useful info about the NAT machine:

[root@evrim /root]# uname -a
Linux evrim 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
[root@evrim /root]# ipchains -L -n
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ all ------ net_at_the_inside/24 0.0.0.0/0 n/a

Then, from outside, I've sent some source-routed ICMP echo request packets
using the SING utility. Also, I've sniffed both interfaces of the
NAT separately.

Here are the attempts:
1.

./sing ip_of_C@ip_of_B

** ip_of_C@ip_of_B is the SING format, which means first go to C and the dst
is B.

I've seen that client B gets requests having source addr of A and dst
address B. But then, I've seen that client B responded with replies
having destination IP addr of D, which is the inner interface of the NAT machine.
So, no replies reached the outsider A.

2.

./sing ip_of_C@ip_of_B -S ip_of_E

In this case, I've spoofed the source address using the -S parameter and set the
source addr to E, which is another client inside the NAT. At the end, the NAT
machine has converted the source IP to D, which is the internal IP of the NAT.

I thought it was due to a mismatch of MAC addresses and spoofed the source
MAC address using the -MAC parameter, but the result didn't change.

And now the questions:

1. Why does client B respond with a packet having destination IP of D?
(Client B has default gw D, but it mustn't be related with it, I think.)
2. Why did the NAT machine change the spoofed source addr to its own internal IP?

Thanks.

-- 
Evrim ULU
evrim@envy.com.tr / evrim@core.gen.tr
sysadm
http://www.core.gen.tr
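What the poster saw in attempt 1 follows from how source routing is specified, and a small model makes it concrete. The following Python is an added example, not code from the post or from SING: it parses and builds the IPv4 LSRR/SSRR option (RFC 791), applies the gateway rule that writes the outgoing interface address into the slot just consumed, and builds the reverse-routed Echo Reply that RFC 1122 section 3.2.2.6 requires. The addresses are constructed, and the same parser is what a capture filter would use to flag source-routed packets (option codes 131/137), which a border device should normally drop.

```python
LSRR, SSRR = 131, 137  # IPv4 option codes: loose / strict source route

def parse_source_route(opts: bytes):
    """Return (code, pointer, [dotted addrs]) for the first LSRR/SSRR option, else None."""
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == 0:            # End of Option List
            return None
        if code == 1:            # NOP padding, single octet
            i += 1
            continue
        length = opts[i + 1]
        if code in (LSRR, SSRR):
            data = opts[i + 3:i + length]
            return code, opts[i + 2], [".".join(map(str, data[j:j + 4])) for j in range(0, len(data), 4)]
        i += length
    return None

def build_source_route(code, addrs, pointer=4):
    """Encode an LSRR/SSRR option; pointer 4 means the first entry is the next hop."""
    data = b"".join(bytes(map(int, a.split("."))) for a in addrs)
    return bytes([code, 3 + len(data), pointer]) + data

def forward(pkt, local_addrs, egress):
    """Gateway hop per RFC 791: if addressed to us and the route is not exhausted, move the
    next hop into dst and record the outgoing interface (egress[next_hop]) in the used slot."""
    code, ptr, addrs = parse_source_route(pkt["opts"])
    idx = (ptr - 4) // 4
    if pkt["dst"] not in local_addrs or idx >= len(addrs):
        return pkt               # not for us, or route already complete
    nxt = addrs[idx]
    addrs[idx] = egress[nxt]
    return {"src": pkt["src"], "dst": nxt, "opts": build_source_route(code, addrs, ptr + 4)}

def echo_reply(pkt):
    """RFC 1122 3.2.2.6: an Echo Reply reverses the received source route, so its
    first hop is the last gateway interface recorded, not the original sender."""
    code, _, recorded = parse_source_route(pkt["opts"])
    path = recorded[::-1] + [pkt["src"]]
    return {"src": pkt["dst"], "dst": path[0], "opts": build_source_route(code, path[1:])}

def poster_scenario():
    """Constructed addresses (not from the post): A outside, NAT interfaces C/D, B inside."""
    A, C, D, B = "198.51.100.10", "203.0.113.1", "192.168.1.1", "192.168.1.20"
    request = {"src": A, "dst": C, "opts": build_source_route(LSRR, [B])}
    at_b = forward(request, {C, D}, {B: D})   # NAT pops B, records its inner interface D
    reply = echo_reply(at_b)
    return at_b["dst"], parse_source_route(at_b["opts"])[2], reply["dst"]
```

With the request A to C routed via [B], the packet reaches B with D recorded in the option, so B's reply is addressed to D first, which is what the sniffer on the inner interface showed.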
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT