
Fragroute


3 replies to this topic

#1 SmilingBuddha

SmilingBuddha

    Will I break 10 posts?

  • Members
  • 8 posts
  • Gender:Male

Posted 27 June 2010 - 01:01 PM

I have not seen many posts regarding fragroute. I read the paper detailing the theory behind the attack, and it looks very promising, unless of course this attack vector is already incorporated by IDS/IPS vendors.

I tried scanning one of my lab machines with nmap and fragroute sitting in between, rewriting and fragmenting the traffic. The target was a Windows XP machine with its default firewall on (no third-party antivirus or protection). Scanning without fragroute showed open ports, yet with the fragroute setup everything was shown as filtered.

fragroute options used:
tcp_seg 1 new
ip_frag 24
ip_chaff dup
order random
print

What I don't understand is: fragmented traffic is supposed to be recreated by a host, not dropped.
Am I missing something?
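The question above is what a receiving host or IDS actually does with fragments like these. As an added illustration (not code from the thread or from fragroute), the script below reassembles IPv4 fragments that arrive in random order, discards a corrupted duplicate by verifying the header checksum, and holds back datagrams that are still incomplete. It is self-contained: the fragments are constructed inline around the 24-byte pieces the config above would produce, the scanner address 192.168.1.20 is made up, and modelling the chaff as a duplicate with a bad header checksum is an assumption about what a receiver should reject, not a description of fragroute's exact output.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_fragment(pkt: bytes):
    """Return (id, byte offset, more-fragments flag, payload), or None on a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        return None                      # corrupted duplicate (chaff): a receiver drops it
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]

def reassemble(packets):
    """Reassemble IPv4 fragments regardless of arrival order, keyed by IP id.
    Overlapping bytes keep whatever arrived first (one policy; real stacks differ)."""
    groups = {}
    for pkt in packets:
        parsed = parse_fragment(pkt)
        if parsed is None:
            continue
        ident, off, more, data = parsed
        g = groups.setdefault(ident, {"bytes": {}, "end": None})
        for i, b in enumerate(data):
            g["bytes"].setdefault(off + i, b)
        if not more:
            g["end"] = off + len(data)   # the last fragment fixes the datagram length
    done = {}
    for ident, g in groups.items():
        if g["end"] is not None and all(i in g["bytes"] for i in range(g["end"])):
            done[ident] = bytes(g["bytes"][i] for i in range(g["end"]))
    return done                          # incomplete datagrams stay queued, not returned

def make_fragment(ident, off, more, data, corrupt=False):
    """Constructed helper: minimal IPv4 header (no options) around a fragment payload."""
    flags_frag = (0x2000 if more else 0) | (off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, flags_frag, 64, 6, 0,
                      bytes([192, 168, 1, 20]), bytes([192, 168, 1, 10]))   # scanner -> target
    csum = ip_checksum(hdr) ^ (0x5555 if corrupt else 0)                    # corrupt = chaff
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + data

if __name__ == "__main__":
    segment = bytes(range(48))           # constructed 48-byte payload, split into 24-byte fragments
    frags = [make_fragment(7, 0, True, b"\xff" * 24, corrupt=True),   # chaff arrives first
             make_fragment(7, 24, False, segment[24:]),               # last fragment before first
             make_fragment(7, 0, True, segment[:24])]
    print(reassemble(frags) == {7: segment})  # → True
```

If the target's capture shows all fragments arriving yet the port still reads as filtered, the interesting question is whether the host's reassembly queue ever completes a datagram from them; a reassembler like this one run over the capture will show which IP ids stay incomplete.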

#2 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,102 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 28 June 2010 - 01:09 AM

Should you be using the -B1 switch to tell fragroute to forward the traffic?

EDIT:
Using fragroute to exploit stateful inspection has been fixed by most modern firewalls. Also, nmap has (or had) a -f option for fragmenting.

Edited by tekio, 28 June 2010 - 01:13 AM.


#3 SmilingBuddha

SmilingBuddha

    Will I break 10 posts?

  • Members
  • 8 posts
  • Gender:Male

Posted 28 June 2010 - 03:14 AM

Should you be using the -B1 switch to tell fragroute to forward the traffic?

EDIT:
Using fragroute to exploit stateful inspection has been fixed by most modern firewalls. Also, nmap has (or had) a -f option for fragmenting.


Thanx for the reply, you seem to be the only one reading my posts :).
Well, when I ran fragroute with the options mentioned above, the target (192.168.1.10) is receiving packets, confirmed using packet capture at the target. Also, all firewalls and antivirus are turned off at the target, so it's pretty open. Yet every port appears filtered.

#4 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,102 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 28 June 2010 - 04:25 AM

When nmap dispositions a port as filtered (I'm assuming you're doing a SYN scan, correct?), it means no ACK or RST was received from the host port being scanned. The port has not identified itself as either open or closed.

I think there are two things you might want to look at:
1) nmap is timing out, because using fragroute is taking longer than scanning the host directly. Read the nmap manual @ insecure.org. There is an option to set the timeout nmap waits for a response from the host in the timing and performance section of the manual. You also might want to try <-T paranoid|sneaky|polite|>. paranoid will really slow the scan rate down, while the -T polite option will slow it down a little less.

2) fragroute, for some reason, is not returning anything to nmap. Sorry, cannot help here, but it can be verified by looking at the traffic with Wireshark. If you don't see anything coming from the fragroute host back to the nmap scanning host, there is a problem here.
