Re: [Full-Disclosure] ICMP Covert channels question

From: cyberpixl (cyberpixl_at_gmail.com)
Date: 01/30/05

    Date: Sun, 30 Jan 2005 15:24:02 +0100
    To: Paul Schmehl <pauls@utdallas.edu>
    
    

    >
    > No, because non-routeable addresses are...well....non-routeable. The only
    > exception to this is *if* the target machine already had a session going
    > with 33.33.33.33 (and it would obviously be nat'd/pat'd) there is a short
    > time frame within which your icmp packet would be delivered because the
    > firewall is still translating the address/port for that session.
    >
    > Of course you have to know in advance all those variables, so, since you're
    > sitting right there, just pound the dern thing with a hammer and be done
    > with it. :-)
    >
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > AVIEN Founding Member
    > http://www.utdallas.edu
    >

    Well, what I meant was: what if I use the network's router as a bounce
    host in order to get the packets into the network? If an ICMP packet
    arrives at the router's WAN port with a source IP of an internal host, will
    it send the echo reply to its LAN port? I currently haven't got the
    chance to test this, but I will as soon as I can. Then, in order to
    receive replies from the host behind the firewall, all I'd have to do
    is make it send packets to a bounce server outside the network, like
    google.com, with the source set to my IP (assuming then that the router
    freely allows ICMP traffic out of the network).
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
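Both halves of the trick discussed in this message (an echo request arriving on the WAN side with an internal source, and an inside host sending packets with an outside source) are caught by per-interface ingress filtering. The following is an added example, not code from the thread: it assumes a router with one WAN interface and one LAN prefix, and a constructed one-line-per-packet log format.

```python
# Added example (not from the thread): per-interface anti-spoofing check over
# ICMP log lines. Assumed log format: "<iface> <dir> <src> <dst> type=<n>".
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN prefix

# Constructed sample log (203.0.113.10 is the assumed router WAN address).
# ICMP type 8 = echo request, 0 = echo reply.
SAMPLE_LOG = """\
wan in 198.51.100.7 203.0.113.10 type=8
wan in 192.168.1.5 203.0.113.10 type=8
lan in 192.168.1.5 198.51.100.7 type=8
lan in 198.51.100.7 8.8.8.8 type=8
wan out 203.0.113.10 198.51.100.7 type=0
"""

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line: str):
    iface, direction, src, dst, icmp_type = line.split()
    return iface, direction, src, dst, int(icmp_type.split("=")[1])

def check(iface: str, direction: str, src: str):
    """Ingress rule: a packet's source must belong to the side it came in on."""
    if direction != "in":
        return None
    if iface == "wan" and is_internal(src):
        return "internal-source-on-wan"   # router-as-bounce-host case
    if iface == "lan" and not is_internal(src):
        return "external-source-on-lan"   # inside host using an outside source
    return None

def audit(log: str):
    """Return (line_no, finding, src, dst, icmp_type) for every spoofed packet."""
    findings = []
    for n, line in enumerate(log.splitlines(), start=1):
        if not line.strip():
            continue
        iface, direction, src, dst, icmp_type = parse_line(line)
        finding = check(iface, direction, src)
        if finding:
            findings.append((n, finding, src, dst, icmp_type))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

On the sample log, lines 2 and 4 are flagged; the normal ping in line 1, the legitimate outbound request in line 3 and the reply in line 5 pass.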