Using Packet Forgery to Perform a Teardrop Attack
NASL provides an API for constructing network packets, which lets plug-ins probe for specific vulnerabilities that require unique network packets to be forged. In this section, we will look at the teardrop.nasl plug-in, which uses the packet-forging API provided by NASL to perform a “teardrop” attack against the target host. To launch a teardrop attack, two types of UDP packets are sent repeatedly to the host. The first UDP packet contains the IP_MF (More Fragments) flag in its IP header, which signifies that the packet has been broken into other fragments that will arrive independently. The IP offset of the first UDP packet is set to 0, and the length field of the IP header is set to 56. The second packet does not have the IP_MF flag set in its IP header, and it contains an offset of 20. The second UDP packet’s IP length is set to 23. Note that these packets are erroneous because the second UDP packet overlaps with the first, but it’s smaller in size than the first packet. Hosts susceptible to this attack are known to crash while attempting to realign fragmented packets of unequal length. More information can be found at http://www.insecure.org/sploits/linux.fragmentation.teardrop.html.
    #
    # This script was written by Renaud Deraison <deraison@cvs.nessus.org>
    #
    # See the Nessus Scripts License for details
    #
    if(description)
    {
     script_id(10279);
     script_version ("$Revision: 1.2 $");
     script_bugtraq_id(124);
     script_cve_id("CAN-1999-0015");
     name["english"] = "Teardrop";
     name["francais"] ...
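On the receiving side, the fragment pair described above can be recognized by its overlap alone. The following Python check is an added example, not part of the book's text or of teardrop.nasl. It assumes a 20-byte IP header without options and treats the quoted offsets as byte offsets into the reassembled payload. The `Fragment` record, the `find_overlaps` function, the addresses and the IP IDs are hypothetical names and constructed values.

```python
from collections import defaultdict
from typing import NamedTuple

IP_HEADER_LEN = 20  # assumption: IPv4 header without options


class Fragment(NamedTuple):
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int           # payload offset in bytes (assumption, see lead-in)
    ip_len: int           # IP total-length field: header plus payload
    more_fragments: bool  # IP_MF flag


def find_overlaps(fragments):
    """Flag fragments whose payload range overlaps an earlier fragment
    of the same datagram (same source, destination, IP ID and protocol)."""
    seen = defaultdict(list)  # datagram key -> [(start, end), ...] already received
    findings = []
    for frag in fragments:
        key = (frag.src, frag.dst, frag.ip_id, frag.proto)
        start = frag.offset
        end = start + frag.ip_len - IP_HEADER_LEN
        if end <= start:
            findings.append((key, "empty-or-negative-payload", start, end))
            continue
        for prev_start, prev_end in seen[key]:
            if start < prev_end and prev_start < end:  # byte ranges intersect
                # Teardrop shape: the new fragment starts inside an earlier
                # one and ends before that earlier fragment does.
                contained = prev_start <= start and end < prev_end
                findings.append(
                    (key, "overlap-contained" if contained else "overlap", start, end))
                break
        seen[key].append((start, end))
    return findings


# Constructed sample input; the first pair uses the field values from the text.
SAMPLE = [
    Fragment("192.0.2.10", "192.0.2.20", 1, 17, 0, 56, True),
    Fragment("192.0.2.10", "192.0.2.20", 1, 17, 20, 23, False),
    # Constructed benign datagram: fragments that meet without overlapping.
    Fragment("192.0.2.11", "192.0.2.20", 7, 17, 0, 44, True),
    Fragment("192.0.2.11", "192.0.2.20", 7, 17, 24, 44, False),
]

if __name__ == "__main__":
    for finding in find_overlaps(SAMPLE):
        print(finding)
```

Only the second fragment of the first datagram is reported: its payload range (20 to 23) lies wholly inside the first fragment's range (0 to 36), while the benign pair passes cleanly.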