Security Basics mailing list archives

FW: covert channel


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 3 Jan 2007 12:18:52 +1000



Hi, I think you should be able to do tcpdump -i eth0 -vvv -x icmp and get
what you want.
I just tried this on a windows machine with windump and it worked.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of urandom character special device
Sent: Wednesday, January 03, 2007 5:29 AM
To: security-basics () securityfocus com
Subject: covert channel

Hi

With "ping" I send the HEX value "FFE". When I run tcpdump I don't
see the HEX value (snap-length is the whole packet)

# ping -c 1 -p FFE 192.168.111.111
PATTERN: 0xff0e
PING 192.168.111.111 (192.168.111.111) 56(84) bytes of data.
64 bytes from 192.168.111.111: icmp_seq=1 ttl=64 time=0.646 ms

--- 192.168.111.111 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms

# tcpdump -s0 -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: ICMP echo request, id 12826, seq 1, length 64
20:21:11.449555 IP 192.168.111.111 > 192.168.111.115: ICMP echo reply, id 12826, seq 1, length 64
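The reply's point is that tcpdump's default one-line decode never shows the echo data; the bytes are there in the capture (-x prints them), and a defender who wants to notice a "ping -p" style filler has to look at the payload. The following is an added example, not code from either poster: a small Python parser that pulls the data section out of a raw IPv4/ICMP echo packet and reports a short repeating byte pattern. The packets and payloads are constructed here (id 12826 and the 0xff0e pattern are taken from the post); the 8-byte skip assumes Linux ping, which overwrites the first 8 data bytes with a timestamp.

```python
# Added example (not from the thread): extract an ICMP echo payload and flag a
# short repeating pattern such as "ping -p FFE" (PATTERN 0xff0e) produces.
import struct
from typing import Optional


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 12826, seq: int = 1) -> bytes:
    """Constructed IPv4 + ICMP echo request (IP header checksum left zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 111, 115]), bytes([192, 168, 111, 111]))
    return ip + icmp


def icmp_echo_payload(packet: bytes) -> Optional[bytes]:
    """Data section of an ICMP echo request/reply with a valid checksum, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:  # IPv4, proto ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] not in (0, 8) or icmp_checksum(icmp) != 0:
        return None
    return icmp[8:]


def repeating_unit(data: bytes, skip: int = 8, max_len: int = 4) -> Optional[bytes]:
    """Shortest pattern (<= max_len bytes) that tiles data[skip:], or None.
    skip=8 assumes Linux ping, which stamps a timeval over the first 8 bytes."""
    body = data[skip:]
    for n in range(1, max_len + 1):
        unit = body[:n]
        if len(body) >= 2 * n and all(body[i] == unit[i % n] for i in range(len(body))):
            return unit
    return None


# Constructed 56-byte payloads: "ping -p FFE" filler and the stock Linux ping filler.
TS = b"\x00" * 8
PATTERN_PAYLOAD = TS + b"\xff\x0e" * 24
DEFAULT_PAYLOAD = TS + bytes(range(0x10, 0x40))
```

Run over a real capture, the same two functions would be applied to each ICMP frame read from a pcap; a non-None result from repeating_unit() is the data that a plain `tcpdump icmp` line hides.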

