Re: [Full-Disclosure] ICMP Covert channels question

From: cyberpixl (cyberpixl_at_gmail.com)
Date: 01/30/05

    Date: Sun, 30 Jan 2005 15:24:02 +0100
    To: Paul Schmehl <pauls@utdallas.edu>
    
    

    >
    > No, because non-routeable addresses are...well....non-routeable. The only
    > exception to this is *if* the target machine already had a session going
    > with 33.33.33.33 (and it would obviously be nat'd/pat'd) there is a short
    > time frame within which your icmp packet would be delivered because the
    > firewall is still translating the address/port for that session.
    >
    > Of course you have to know in advance all those variables, so, since you're
    > sitting right there, just pound the dern thing with a hammer and be done
    > with it. :-)
    >
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu
    >

    Well, what I meant was: what if I use the network's router as a bounce
    host in order to get the packets into the network? If an ICMP packet
    arrives at the router's WAN port with a source IP of an internal host, will
    it send the echo reply to its LAN port? I currently haven't got the
    chance to test this, but I will as soon as I can. Then, in order to
    receive replies from the host behind the firewall, all I'd have to do
    is make it send packets to a bounce server outside the network, like
    google.com, with source set to my IP (assuming then that the router
    freely allows ICMP traffic out of the network).
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
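
Added example, not part of the original thread: a sketch of the source-address checks a border router can apply to the two packets the message above describes, one arriving on the WAN port with an internal source and one leaving the LAN with a foreign source. The interface names, the LAN prefix and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed topology, constructed for this example.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Ranges that are never valid as a source address on the WAN side.
WAN_INVALID_SRC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def check(in_iface, src):
    """Return (verdict, reason) for a packet received on in_iface."""
    addr = ipaddress.ip_address(src)
    if in_iface == "wan":
        if addr in LAN_NET:
            return "drop", "ingress: source claims to be an internal host"
        if any(addr in net for net in WAN_INVALID_SRC):
            return "drop", "ingress: private or reserved source"
        return "pass", "ingress: source plausible for WAN"
    if in_iface == "lan":
        if addr not in LAN_NET:
            return "drop", "egress: source is not a LAN address"
        return "pass", "egress: source belongs to LAN"
    raise ValueError(f"unknown interface {in_iface!r}")

# Constructed sample packets: (interface, source, destination, note).
SAMPLES = [
    ("wan", "192.168.1.10", "203.0.113.1", "echo request, internal source on WAN"),
    ("lan", "198.51.100.7", "203.0.113.50", "echo request, foreign source from LAN"),
    ("lan", "192.168.1.10", "203.0.113.50", "ordinary outbound ping"),
    ("wan", "198.51.100.7", "203.0.113.1", "ordinary inbound ping"),
]

def audit(samples):
    """Apply check() to each sample and return the list of verdicts."""
    return [check(iface, src)[0] for iface, src, _dst, _note in samples]

if __name__ == "__main__":
    for (iface, src, dst, note), verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{verdict:4} {iface} {src} -> {dst}  ({note})")
```

These are the ingress and egress source-address filtering checks recommended in BCP 38 (RFC 2827); with both in place, neither of the two spoofed packets is forwarded.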

