Re: Traceroutes to Cisco Routers

From: juan.losada@empresas.telefonica.es
Date: Thu Jun 10 2004 - 09:26:53 EDT


     I think the reason for the router behavior regarding traceroute is that if
you perform a traceroute with UDP packets, and the UDP destination port is closed
in the target host, then it will respond with an ICMP "udp port unreachable"
message. Taking into account that this ICMP message is not generated as an
answer for the previous UDP packet, the source IP address of this packet will be
the IP address of the interface by which the packet is being sent.

     However, if you perform the traceroute with ICMP packets, and ICMP is
not filtered in the target router, it will respond with an ICMP "echo-reply"
packet. This ICMP packet will be generated as an answer for the previous ICMP
"echo-request" packet, so the router will use the destination IP address in the
"echo-request" packet as the source IP address for this "echo-reply" packet.

     I think that whenever a router generates a packet, the source IP address
of this packet will be either:

     A - If the packet is an answer for a previous packet, the source IP address
of the packet will be the destination IP address of that previous packet

     B - If the packet is not an answer for a previous packet, the source IP
address of the packet will be the IP address of the interface by which the
packet is being sent. The only exceptions to this rule are those packets that
can be configured to be sent with a specific source IP address belonging to any
of the router interfaces (snmp traps, tacacs, tftp, etc). Anyway, I think the
ICMP packets generated by the router cannot be configured in this way (though
I'm not sure about this).

     A good test to verify this behavior is to perform a traceroute with a UDP
destination port that you know is open in the target router (UDP port 161,
for example, if the router has SNMP and the access-lists allow you to reach
that port).

     Regards,

     Juanjo.
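
The discrepancy the thread describes, as an added example that is not part of any message here: a Python script that parses Linux-style `traceroute -n` output from a UDP run and an ICMP run to the same router (constructed sample lines using RFC 5737 documentation addresses) and reports which address each mode's final reply was sourced from, so the external-interface address that shows up only in the UDP run is flagged.

```python
import re

# Constructed sample output (Linux "traceroute -n" style, RFC 5737 documentation
# addresses), not real captures. Both runs probe the same router address,
# 192.0.2.1; the router's interface facing the prober is 198.51.100.1.
UDP_TRACE = """\
traceroute to 192.0.2.1 (192.0.2.1), 30 hops max, 60 byte packets
 1  203.0.113.254  0.412 ms  0.380 ms  0.355 ms
 2  198.51.100.1  1.201 ms  1.150 ms  1.133 ms
"""
ICMP_TRACE = """\
traceroute to 192.0.2.1 (192.0.2.1), 30 hops max, 60 byte packets
 1  203.0.113.254  0.420 ms  0.391 ms  0.366 ms
 2  192.0.2.1  1.230 ms  1.180 ms  1.141 ms
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TARGET_RE = re.compile(r"^traceroute to \S+ \(" + IPV4 + r"\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+" + IPV4 + r"\s")

def parse_trace(text):
    """Return (target_ip, [(hop_no, replying_ip), ...]); '* * *' hops are skipped."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return target, hops

def compare_modes(udp_text, icmp_text):
    """Compare the final replying address of a UDP run and an ICMP run."""
    t_udp, udp_hops = parse_trace(udp_text)
    t_icmp, icmp_hops = parse_trace(icmp_text)
    if t_udp is None or t_udp != t_icmp:
        raise ValueError("both runs must target the same address")
    udp_last = udp_hops[-1][1] if udp_hops else None
    icmp_last = icmp_hops[-1][1] if icmp_hops else None
    return {
        "target": t_udp,
        "udp_last": udp_last,    # ICMP port-unreachable: sourced from the egress interface
        "icmp_last": icmp_last,  # ICMP echo-reply: sourced from the probed address
        "icmp_matches_target": icmp_last == t_udp,
        "udp_reveals_other_interface": udp_last is not None and udp_last != t_udp,
    }
```

A UDP run to a port that is open on the router (Juanjo's SNMP test) should make `udp_reveals_other_interface` come out False, since no port-unreachable is generated.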

"James Fields" <jvfields@tds.net> on 08/06/2004 23:55:14

To: pen-test@securityfocus.com
CC: (bcc: Juan Jose Losada Marcos/TDE)
Subject: Re: Traceroutes to Cisco Routers


Is this with all Cisco routers? You can set certain types of packets (I
believe ICMP is such a case) to always be sourced from a particular
interface.

----- Original Message -----
From: "Dieter Sarrazyn" <dsr@ascure.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, June 05, 2004 6:55 AM
Subject: Traceroutes to Cisco Routers

Hi all,

While performing pentests, I noticed some (strange) behaviour with
tracerouting to Cisco routers.

Performing the trace with UDP packets (default on Linux), the router
answers with its IP address of the interface closest to you (external
interface of the router).
Performing traces with ICMP (-I flag in Linux, default in Windows), the
router answers with its IP address that you are tracing to (most likely
the internal interface of the router).

Anybody noticed this behaviour as well?
Has somebody an explanation for this?

Regards,
Dieter




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT