That was certainly a useful email.

On Thu, Jul 1, 2010 at 9:42 PM, Dan Kaminsky <[email protected]> wrote:
> I would not object to posts on Full-Disclosure along the lines of "nmap -sV
> crashes x device". Unauthenticated remote permanent DoS's from standard
> network scanning tools are certainly legitimate findings, and if this gives
> more power to the QA guy in $NETWORKVENDOR, all the better.
>
> On Thu, Jul 1, 2010 at 10:27 PM, Cor Rosielle <[email protected]> wrote:
>>
>> Hi Thierry,
>>
>> I agree this is a vulnerability. I also want to clear up an apparent
>> misunderstanding: I don't tell not to scan with -sV, but to be careful
>> because it is a dangerous switch that is known to sometimes crash
>> devices. When you are testing a target, you have to know your tools and
>> this is one of the characteristics of nmap.
>>
>> When testing, there are often some alternatives to choose from. And if
>> the objective is to find out if there are any vulnerabilities in a host,
>> then nmap -sV is one of the tools in the toolbox you can use. But if you
>> just want to know the version of SNMP running, like Shang did, you just
>> might want to choose another tool. (I would have used something like:
>>
>> for HOST in $(cat file.with.hosts); do snmpget -v 1 -c community-string $HOST sysDescr.0; done
>>
>> to find out if SNMP v1 was supported).
>>
>> Regards,
>> Cor
>>
>>
>> On Thu, 2010-07-01 at 11:28 +0200, Thierry Zoller wrote:
>> > Hi Shang,
>> >
>> > If this is possible you have found a vulnerability. Any way to
>> > remotely cause DoS with special or harmless code is per se a
>> > vulnerability.
>> >
>> > Instead of telling somebody to not scan with -sV you are better off
>> > reporting the vulnerability (ies)
>> >
>> > Regards,
>> > Thierry
>> >
>> > coc> During my training classes I always tell the -sV switch is
>> > coc> dangerous and known to (sometimes) crash the target.
>> >
>> > coc> Usually a better tool to test open udp ports is unicornscan, but
>> > coc> that doesn't have a switch like -iL. Since you are testing your
>> > coc> own devices and you know the community string, you could consider
>> > coc> to loop through the list of IP's and snmpget a value from the MIB.
>> >
>> > coc> Cor
>> >
>> > coc> sent from a mobile device
>> >
>> >
>> > coc> ----Original message----
>> > coc> From: Shang Tsung
>> > coc> Sent: 30-06-2010 13:03:32
>> > coc> Subject: Should nmap cause a DoS on cisco routers?
>> >
>> > coc> Hello,
>> >
>> > coc> Some days ago, I had the task to discover the SNMP version that our
>> > coc> servers and networking devices use. So I ran nmap using the following
>> > coc> command:
>> >
>> > coc> nmap -sU -sV -p 161-162 -iL target_file.txt
>> >
>> > coc> This command was supposed to use UDP to probe ports 161 and 162, which
>> > coc> are used for SNMP and SNMP Trap respectively, and return the SNMP
>> > coc> version.
>> >
>> > coc> This "innocent" command caused most networking devices to crash and
>> > coc> reboot, causing a Denial of Service attack and bringing down the
>> > coc> network.
>> >
>> > coc> Now my question is.. Should this have happened? Can nmap bring the whole
>> > coc> network down from one single machine?
>> >
>> > coc> Is this a configuration error of the networking devices?
>> >
>> > coc> This is scary...
>> >
>> > coc> Shang Tsung
>> >
>> > coc> ------------------------------------------------------------------------
>> > coc> This list is sponsored by: Information Assurance Certification Review Board
>> >
>> > coc> Prove to peers and potential employers without a doubt that you
>> > coc> can actually do a proper penetration test. IACRB CPT and CEPT
>> > coc> certs require a full practical examination in order to become certified.
>> >
>> > coc> http://www.iacertification.org
>> > coc> ------------------------------------------------------------------------
>> >
>> > coc> _______________________________________________
>> > coc> Full-Disclosure - We believe in it.
>> > coc> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > coc> Hosted and sponsored by Secunia - http://secunia.com/
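Cor's one-liner answers Shang's actual question (which SNMP version a device speaks) with a single well-formed snmpget per host instead of nmap -sV's service-fingerprinting probes. The following is an added example, not code from any poster in this thread, that does the same check without net-snmp: it hand-encodes an SNMPv1 and an SNMPv2c GetRequest for sysDescr.0 in BER, sends one of each per host with a timeout, and reports which version field the agent answered. The version is simply the first INTEGER of the message (0 = v1, 1 = v2c), so "what version runs here" reduces to "which of these two requests gets a GetResponse". It assumes UDP/161, a read community you already know, and a hosts file with one address per line (file name and community on the command line are placeholders, like Cor's file.with.hosts).

```python
"""Added example: minimal SNMPv1/v2c GetRequest for sysDescr.0 (stdlib only).
Assumes UDP/161 and a known read community; hosts file is one address per line."""
import random
import socket
import sys

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0
VERSION_NAMES = {0: "v1", 1: "v2c"}            # SNMP message "version" INTEGER
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2         # context-specific PDU tags


def _ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):
    """INTEGER, minimal two's-complement encoding (non-negative values here)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128 with continuation bits."""
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, out)


def build_message(version, community, pdu_tag, request_id,
                  value=b"\x05\x00", oid=SYS_DESCR_OID, error_status=0):
    """SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }.
    The default value is NULL, which is what a GetRequest carries."""
    varbind = _tlv(0x30, _oid(oid) + value)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_response(pkt):
    """Decode a GetResponse into its fields; ValueError for anything else."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _, q = _read_tlv(pdu, q)             # error-index, not needed here
    _, varbinds, _ = _read_tlv(pdu, q)
    _, vb, _ = _read_tlv(varbinds, 0)
    _, _, r = _read_tlv(vb, 0)              # skip the echoed OID
    vtag, value, _ = _read_tlv(vb, r)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value_tag": vtag, "value": value}


def probe(host, community, versions=(0, 1), timeout=2.0):
    """One GetRequest per version; returns {version_name: sysDescr} for the ones that answer."""
    answers = {}
    for ver in versions:
        rid = random.randint(1, 0x7FFFFFFF)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_message(ver, community, GET_REQUEST, rid), (host, 161))
                data, _ = s.recvfrom(4096)
            except OSError:                 # timeout, unreachable, port unreachable
                continue
        try:
            resp = parse_response(data)
        except (ValueError, IndexError):    # malformed or unexpected packet
            continue
        if resp["request_id"] == rid and resp["error_status"] == 0:
            answers[VERSION_NAMES[ver]] = resp["value"].decode(errors="replace")
    return answers


if __name__ == "__main__":
    hosts_file, community = sys.argv[1], sys.argv[2]   # placeholders: file.with.hosts public
    for host in open(hosts_file).read().split():
        print(host, probe(host, community) or "no SNMP v1/v2c answer")
```

The request id is random and checked on the way back so a stray datagram is not mistaken for an answer, and a host that answers both v1 and v2c is reported with both, which is the usual case for agents configured with a v2c community. Because each probe is a single standards-conformant packet, this is the minimum traffic an inventory check can send; if a device still reboots on it, that is the same class of finding Thierry and Dan describe and belongs in a vendor report.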
