Security Basics mailing list archives
FW: covert channel
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 3 Jan 2007 12:18:52 +1000
Hi,
I think you should be able to do tcpdump -i eth0 -vvv -x icmp and get what you want. I just tried this on a Windows machine with windump and it worked.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of urandom character special device
Sent: Wednesday, January 03, 2007 5:29 AM
To: security-basics () securityfocus com
Subject: covert channel

Hi

With "ping" I send the HEX value "FFE".
When I run tcpdump I don't see the HEX value (snap-length is whole packet)

# ping -c 1 -p FFE 192.168.111.111
PATTERN: 0xff0e
PING 192.168.111.111 (192.168.111.111) 56(84) bytes of data.
64 bytes from 192.168.111.111: icmp_seq=1 ttl=64 time=0.646 ms

--- 192.168.111.111 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms

# tcpdump -s0 -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: ICMP echo request, id 12826, seq 1, length 64
20:21:11.449555 IP 192.168.111.111 > 192.168.111.115: ICMP echo reply, id 12826, seq 1, length 64
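An added example, not part of the original posts: reading the hex dump that the -x option in the reply prints and pulling the ping fill pattern back out of the ICMP echo data. The dump below is constructed to match the thread's addresses, id and sequence number; the function names are hypothetical, and the 8-byte timestamp at the start of the data is an assumption.

```python
import re

# Constructed sample: what `tcpdump -x icmp` could print for the echo request
# in the thread (IPv4 header onward). Timestamp bytes are made up and the ICMP
# checksum is left as 0000; neither checksum is verified by this code.
SAMPLE = """\
20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: ICMP echo request, id 12826, seq 1, length 64
        0x0000:  4500 0054 0000 4000 4001 da75 c0a8 6f73
        0x0010:  c0a8 6f6f 0800 0000 321a 0001 d7b3 9a45
        0x0020:  a9d9 0600 ff0e ff0e ff0e ff0e ff0e ff0e
        0x0030:  ff0e ff0e ff0e ff0e ff0e ff0e ff0e ff0e
        0x0040:  ff0e ff0e ff0e ff0e ff0e ff0e ff0e ff0e
        0x0050:  ff0e ff0e
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+([0-9a-f ]+)$", re.I)

def packet_bytes(dump):
    """Join the hex columns of a tcpdump -x dump into the raw IP packet."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:  # summary lines carry no "0x....:" offset and are skipped
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def echo_payload(pkt, ts_len=8):
    """Return (icmp_type, id, seq, data after the assumed ping timestamp)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total = int.from_bytes(pkt[2:4], "big")    # IPv4 total length
    icmp = pkt[ihl:total]
    if len(icmp) < 8 or icmp[0] not in (0, 8):
        raise ValueError("not an ICMP echo request/reply")
    ident, seq = (int.from_bytes(icmp[i:i + 2], "big") for i in (4, 6))
    return icmp[0], ident, seq, icmp[8 + ts_len:]

def pad_pattern(data):
    """Shortest repeating unit of the data, or None if it does not repeat."""
    for n in range(1, len(data) // 2 + 1):
        if all(data[i] == data[i % n] for i in range(len(data))):
            return data[:n]
    return None

if __name__ == "__main__":
    icmp_type, ident, seq, data = echo_payload(packet_bytes(SAMPLE))
    print(icmp_type, ident, seq, pad_pattern(data).hex())
```

On hosts where ping writes a 16-byte timestamp, pass ts_len=16.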