| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 01 Jul 2010 22:27:48 +0200 From: Cor Rosielle <cor@...post24.com> To: Thierry Zoller <Thierry@...ler.lu> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Should nmap cause a DoS on cisco routers? Hi Thierry, I agree this is a vulnerability. I also want to clear up an apparent misunderstanding: I don't tell not to scan with -sV, but to be careful because it is a dangerous switch that is known to sometimes crash devices. When you are testing a target, you have to know your tools and this is one of the characteristics of nmap. When testing, there are often some alternatives to choose from. And if the objective is to find out if there are any vulnerabilities in a host, then nmap -sV is one of the tools in the toolbox you can use. But if you just want to know the version of SNMP running, like Shang did, you just might want to choose another tool. (I would have used something like: for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string $HOST sysDescr.0; done to find out if SNMP v1 was supported). Regards, Cor On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote: > Hi Shang, > > If this is possible you have found a vulnerability. Any way to > remotely cause DoS with special or harmless code is per se a > vulnerability. > > Instead of telling somebody to not scan with -sV you are better of > reporting the vulnerability (ies) > > Regards, > Thierry > > coc> During my training classes I always tell the -sV switch is > coc> dangerous and known to (sometimes) crash the target. > > coc> Usually a better tool to test open udp ports is unicornscan, but > coc> that doesn't have a switch like -iL. Since you are testing your > coc> own devices and you know the community string, you could insider > coc> to loop through the list of IP's and snmpget a value from the MIB. > > coc> Cor > > coc> sent from a mobile device > > > coc> ----Origineel bericht---- > coc> Van: Shang Tsung > coc> Verzonden: 30-06-2010 13:03:32 > coc> Onderw.: Should nmap cause a DoS on cisco routers? > > coc> Hello, > > coc> Some days ago, I had the task to discover the SNMP version that our > coc> servers and networking devices use. So I run nmap using the following > coc> command: > > coc> nmap -sU -sV -p 161-162 -iL target_file.txt > > coc> This command was supposed to use UDP to probe ports 161 and 162, which > coc> are used for SNMP and SNMP Trap respectively, and return the SNMP > coc> version. > > coc> This "innocent" command caused most networking devices to crash and > coc> reboot, causing a Denial of Service attack and bringing down the > coc> network. > > coc> Now my question is.. Should this had happened? Can nmap bring the whole > coc> network down from one single machine? > > coc> Is this a configuration error of the networking devices? > > coc> This is scary... > > coc> Shang Tsung > > > > > > > coc> > > coc> ------------------------------------------------------------------------ > coc> This list is sponsored by: Information Assurance Certification Review Board > > coc> Prove to peers and potential employers without a doubt that you > coc> can actually do a proper penetration test. IACRB CPT and CEPT > coc> certs require a full practical examination in order to become certified. > > coc> http://www.iacertification.org > coc> ------------------------------------------------------------------------ > > > coc> _______________________________________________ > coc> Full-Disclosure - We believe in it. > coc> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > coc> Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists