How to probe ip_forward option on remote hosts?

Mon, 11 Apr 2011 20:54:20 +0200
Tags: network

On a local network, I thought about a way to find out whether a remote host acts as a gateway. In other words, it remotely probes the content of the "/proc/sys/net/ipv4/ip_forward" file (used to enable or disable IP forwarding). It can be useful if you join an unfamiliar network and wish to find out which host is the default gateway.

The trick is to send an ICMP echo request packet to an arbitrary host, with the destination MAC address in the Ethernet header forged to be the MAC address of the remote target. Thus, the packet is handled by the target first.

Depending on how the target reacts, we can deduce if the remote host is a gateway or not:

I've implemented two PoCs: one in C and a very small one in Bash (which alters your system's ARP table instead of forging ICMP packets).

NOTE: These PoCs won't work if the remote host does not have the redirect messages option enabled (net.ipv4.conf.all.send_redirects = 1) or if it filters ICMP packets.
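Seen from the receiving side, the probe described above has a recognisable shape: a frame addressed to the host's own MAC that carries an ICMP echo request for someone else's IP address. The following C check is an added example, not one of the author's PoCs. It assumes untagged Ethernet II frames and a monitored host with a single IPv4 address that is not supposed to route traffic; the function names and sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses for this example (not from the post). */
static const uint8_t HOST_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x0a};
static const uint8_t HOST_IP[4]  = {192, 0, 2, 10};
static const uint8_t OTHER_IP[4] = {198, 51, 100, 7};

/* Returns 1 if the frame is unicast to our MAC, carries an unfragmented
 * IPv4 ICMP echo request, and its IP destination is not our address. */
int is_forward_probe(const uint8_t *f, size_t len, const uint8_t mac[6], const uint8_t ip[4])
{
    if (len < 14 + 20 + 8) return 0;               /* Ethernet + IPv4 + ICMP */
    if (memcmp(f, mac, 6) != 0) return 0;          /* L2 destination is not us */
    if (f[12] != 0x08 || f[13] != 0x00) return 0;  /* EtherType is not IPv4 */
    const uint8_t *iph = f + 14;
    size_t ihl = (size_t)(iph[0] & 0x0f) * 4;      /* IPv4 header length in bytes */
    if ((iph[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 8) return 0;
    if (iph[9] != 1) return 0;                     /* protocol is not ICMP */
    if ((iph[6] & 0x1f) || iph[7]) return 0;       /* later fragment: no ICMP header */
    if (memcmp(iph + 16, ip, 4) == 0) return 0;    /* L3 destination really is us */
    return iph[ihl] == 8;                          /* ICMP type 8: echo request */
}

/* Fills a 42-byte constructed test frame; checksums are left at zero. */
void make_sample(uint8_t out[42], const uint8_t dmac[6], const uint8_t dip[4], uint8_t icmp_type)
{
    memset(out, 0, 42);
    memcpy(out, dmac, 6);                      /* destination MAC */
    out[6] = 0x02; out[11] = 0x0b;             /* source MAC 02:00:00:00:00:0b */
    out[12] = 0x08;                            /* EtherType 0x0800 (IPv4) */
    out[14] = 0x45; out[17] = 28;              /* IPv4, IHL 5, total length 28 */
    out[22] = 64; out[23] = 1;                 /* TTL 64, protocol ICMP */
    out[26] = 192; out[28] = 2; out[29] = 11;  /* source IP 192.0.2.11 */
    memcpy(out + 30, dip, 4);                  /* destination IP */
    out[34] = icmp_type;                       /* ICMP type, code stays 0 */
}

int main(void)
{
    uint8_t f[42];
    make_sample(f, HOST_MAC, OTHER_IP, 8);
    printf("echo request for another IP: %d\n", is_forward_probe(f, 42, HOST_MAC, HOST_IP));
    make_sample(f, HOST_MAC, HOST_IP, 8);
    printf("ordinary ping to this host:  %d\n", is_forward_probe(f, 42, HOST_MAC, HOST_IP));
}
```

On a host that legitimately forwards traffic, frames of this shape are ordinary routed pings, so the check is only meaningful on machines that should not be acting as a gateway.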