Security Basics mailing list archives
Re: covert channel
From: Roman Shirokov <insecure () yandex ru>
Date: Fri, 12 Jan 2007 09:58:21 +0000
Hi, Tuesday, January 2, 2007, 7:28:32 PM, you wrote:
> Hi
>
> With "ping" I send the HEX value "FFE". When I run tcpdump I don't see the HEX value (snap-length is whole packet)
>
> # ping -c 1 -p FFE 192.168.111.111
> PATTERN: 0xff0e
> PING 192.168.111.111 (192.168.111.111) 56(84) bytes of data.
> 64 bytes from 192.168.111.111: icmp_seq=1 ttl=64 time=0.646 ms
>
> --- 192.168.111.111 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms
>
> # tcpdump -s0 -i eth0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: ICMP echo request, id 12826, seq 1, length 64
> 20:21:11.449555 IP 192.168.111.111 > 192.168.111.115: ICMP echo reply, id 12826, seq 1, length 64
You need to dump the whole packet and then look at the DATA section, e.g.:

Dump of the whole packet; the data section begins at 'dc 55':

0000  00 18 de c2 4c e7 00 18 8b 41 33 35 08 00 45 00  ....L....A35..E.
0010  00 54 00 00 40 00 40 01 24 87 0a 0a 01 03 0a 0a  .T..@.@.$.......
0020  01 0c 08 00 e4 1c 22 0b 00 01 dc 55 a7 45 82 d3  ......"....U.E..
0030  02 00 ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0040  ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0050  ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0060  ff 0e

Try to use tcpdump with the flags -v -x

--
Best regards,
Roman Shirokov
e-mail: insecure () yandex ru
http://securitybox.org.ru
If you have explorer.exe running then your machine is infected with Windows(TM)
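As an added example (not code from Roman's post), the 98-byte frame from the dump above is re-typed into a script that walks Ethernet, IPv4 and ICMP, verifies the ICMP checksum, and returns the DATA section that tcpdump's one-line summary never shows; the same payload check is what a monitor would use to flag echo traffic whose data does not match the expected pattern. It assumes, as the dump suggests, that Linux ping places an 8-byte timestamp at the start of the data before the repeated pattern.

```python
import struct

# The 98-byte frame from the hex dump above, re-typed as a byte string
# (Ethernet + IPv4 + ICMP echo request) so the example runs offline.
FRAME = bytes.fromhex(
    "0018dec24ce700188b41333508004500"
    "005400004000400124870a0a01030a0a"
    "010c0800e41c220b0001dc55a74582d3"
    "0200ff0eff0eff0eff0eff0eff0eff0e"
    "ff0eff0eff0eff0eff0eff0eff0eff0e"
    "ff0eff0eff0eff0eff0eff0eff0eff0e"
    "ff0e"
)

def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 ones'-complement sum over an ICMP message whose checksum field is zeroed."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> ICMP and return the echo header plus the DATA section."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # 0x0054 = 84 in the dump
    if ip[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    icmp = ip[ihl:total_len]
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(zeroed) == csum,
            "data": icmp[8:]}   # the bytes the tcpdump summary line does not show

def repeated_pattern(data: bytes, pattern: bytes) -> bool:
    """True if the payload after the 8-byte ping timestamp is just `pattern` repeated.
    Assumption: Linux ping stores a timeval in the first 8 data bytes (dc 55 .. 02 00 above)."""
    body = data[8:]
    n, rest = divmod(len(body), len(pattern))
    return len(body) > 0 and body == pattern * n + pattern[:rest]

if __name__ == "__main__":
    info = parse_icmp(FRAME)
    print("type=%d id=%d seq=%d checksum_ok=%s" % (info["type"], info["id"], info["seq"], info["checksum_ok"]))
    print("data:", info["data"].hex(" ", 1))   # shows the 0xff0e pattern ping inserted
    print("pattern ff0e repeated:", repeated_pattern(info["data"], bytes.fromhex("ff0e")))
```

Running it on the frame prints 56 data bytes, the timestamp followed by twenty-four copies of ff 0e; feeding a frame whose payload is not the expected pattern makes repeated_pattern return False, which is the condition a payload monitor would alert on.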