I have not seen many posts regarding fragroute. I read the paper detailing the theory behind the attack and it looks very promising, unless of course this attack vector is already incorporated by IDS/IPS vendors.
I tried scanning one of my lab machines with nmap and fragroute sitting in between rewriting and fragmenting the traffic. The target was a Windows XP machine with its default firewall on (no third-party antivirus or protection). Scanning without fragroute showed open ports, yet with the fragroute setup everything was shown as filtered.
Fragroute options used:
tcp_seg 1 new
ip_frag 24
ip_chaff dup
order random
print
I don't understand, fragmented traffic is supposed to be recreated by a host, not dropped.
Am I missing something?
Fragroute
Started by SmilingBuddha, Jun 27 2010 01:01 PM
3 replies to this topic
#1
Posted 27 June 2010 - 01:01 PM
#2
Posted 28 June 2010 - 01:09 AM
Should you be using the -B1 switch to tell fragroute to forward the traffic?
EDIT:
using fragroute to exploit stateful inspection has been fixed by most modern firewalls. Also, nmap has (or had) a -f option for fragmenting.
Edited by tekio, 28 June 2010 - 01:13 AM.
#3
Posted 28 June 2010 - 03:14 AM
Should you be using the -B1 switch to tell fragroute to forward the traffic?
EDIT:
using fragroute to exploit stateful inspection has been fixed by most modern firewalls. Also, nmap has (or had) a -f option for fragmenting.
Thanks for the reply, you seem to be the only one reading my posts.
Well, when I ran fragroute with the options mentioned above, the target (192.168.1.10) is receiving packets, confirmed using packet capture at the target. Also all firewalls and antivirus are turned off at the target, so it's pretty open. Yet every port appears filtered.
#4
Posted 28 June 2010 - 04:25 AM
When nmap dispositions a port as filtered (I'm assuming you're doing a SYN scan, correct?), it means no ACK or RST was received from the host port being scanned. The port has not identified itself as either open or closed.
I think there are two things you might want to look at:
1) nmap is timing out, because using fragroute is taking longer than scanning the host directly. Read the nmap manual @ insecure.org. There is an option to set the timeout nmap waits for a response from the host in the timing and performance section of the manual. You also might want to try <-T paranoid|sneaky|polite|>. paranoid will really slow the scan rate down, while the -T polite option will slow it down a little less.
2) fragroute, for some reason, is not returning anything to nmap. Sorry, cannot help here, but it can be verified by looking at traffic w/ Wireshark. If you don't see anything coming from the fragroute host back to the nmap scanning host there is a problem here.
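An added example (not from the thread) that applies the rule from post #4 to a constructed capture: a port is open on SYN/ACK, closed on RST, and filtered when no reply arrives before the scanner's timeout. It also reports ports whose reply did exist but arrived too late, which separates cause 1 (nmap timing out) from cause 2 (nothing coming back at all). The scanner address 192.168.1.5 and the timestamps are assumptions; the target address is the one from the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags as letters, e.g. "S", "SA", "RA"

def classify_ports(pkts, scanner, target, timeout=1.0):
    """Return (states, late) where states maps each probed target port to
    open/closed/filtered and late lists ports whose only reply arrived
    after the timeout (nmap would already have marked them filtered)."""
    probes = {}           # target port -> time of the first SYN sent to it
    states, late = {}, set()
    for p in sorted(pkts, key=lambda p: p.t):
        if p.src == scanner and p.dst == target and p.flags == "S":
            probes.setdefault(p.dport, p.t)
        elif p.src == target and p.dst == scanner and p.sport in probes:
            if p.t - probes[p.sport] > timeout:
                late.add(p.sport)          # answered, but too slowly
                continue
            if p.flags == "SA":
                states[p.sport] = "open"
            elif "R" in p.flags:
                states.setdefault(p.sport, "closed")
    for port in probes:
        states.setdefault(port, "filtered")
    return states, sorted(late)

# Constructed capture: scanner 192.168.1.5 probing the thread's target.
SAMPLE = [
    Pkt(0.00, "192.168.1.5", "192.168.1.10", 40001, 80, "S"),
    Pkt(0.02, "192.168.1.10", "192.168.1.5", 80, 40001, "SA"),
    Pkt(0.01, "192.168.1.5", "192.168.1.10", 40002, 22, "S"),
    Pkt(0.03, "192.168.1.10", "192.168.1.5", 22, 40002, "RA"),
    Pkt(0.02, "192.168.1.5", "192.168.1.10", 40003, 443, "S"),
    Pkt(0.03, "192.168.1.5", "192.168.1.10", 40004, 135, "S"),
    Pkt(1.80, "192.168.1.10", "192.168.1.5", 135, 40004, "SA"),  # delayed reply
]

if __name__ == "__main__":
    print(classify_ports(SAMPLE, "192.168.1.5", "192.168.1.10"))
```

If every probed port lands in late, the scan is being slowed rather than blocked and a longer timeout or a slower -T template is the fix; if no reply is recorded at all, look at the fragroute host's outbound traffic.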