Full Disclosure mailing list archives
Re: ICMP Covert channels question
From: Stian Øvrevåge <sovrevage () gmail com>
Date: Wed, 2 Feb 2005 18:12:50 +0100
Hi cyberpixl!

It's fascinating how you can bounce traffic and information by using stateless protocols and fake source addresses. However, you are not really hiding yourself, as packets leaving an internal network, destined for the bouncer, will contain your source address and vice versa. Don't you think it's a little strange if packets with source address 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from 10.0.0.33 were coming in on the WAN interface?

Also, packet filtering is based on router configuration. More and more administrators are filtering packets with unexpected source and/or destination addresses (ingress and egress filtering).

My conclusion is, bouncing packets does not help hiding you; in fact, it does just the opposite. The level of technical challenge is also increasing.

On Sun, 30 Jan 2005 15:24:02 +0100, cyberpixl <cyberpixl () gmail com> wrote:
> > No, because non-routeable addresses are...well....non-routeable. The only exception to this is *if* the target machine already had a session going with 33.33.33.33 (and it would obviously be nat'd/pat'd); there is a short time frame within which your ICMP packet would be delivered, because the firewall is still translating the address/port for that session. Of course you have to know in advance all those variables, so, since you're sitting right there, just pound the dern thing with a hammer and be done with it. :-)
> >
> > Paul Schmehl (pauls () utdallas edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu
>
> Well, what I meant was: what if I use the network's router as a bounce host in order to get the packets into the network? If an ICMP packet arrives at the router's WAN port with a source IP of an internal host, will it send the echo reply to its LAN port? I currently haven't got the chance to test this, but I will as soon as I can. Then, in order to receive replies from the host behind the firewall, all I'd have to do is make it send packets to a bounce server outside the network, like google.com, with source set to my IP (assuming then that the router freely allows ICMP traffic out of the network).

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
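The ingress/egress filtering that Stian describes is what stops the router-as-bounce-host idea cyberpixl asks about: a packet arriving on the WAN side with an internal source address is dropped before any echo reply could be generated, and a packet leaving the LAN side with a foreign source address is dropped the same way. The following is an added example, not code from this thread or from any router vendor; it implements the two source-address checks on a constructed set of packets using the addresses from the message (10.0.0.0/8 as the internal network, 10.0.0.33 as an inside host, 88.88.88.88 as an outside address). The interface names, the `Packet` structure and the extra bogon prefixes are assumptions for the illustration; NAT session state, which Paul mentions, is deliberately out of scope.

```python
"""Ingress/egress source-address filtering for the spoofing scenario in the thread.

Constructed example (assumption: a router with one 'wan' and one 'lan'
interface, internal prefix 10.0.0.0/8). No NAT/connection tracking here.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes this router is responsible for (assumption from the thread's 10.0.0.0 network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Address space that must never appear as a source on the WAN side:
# our own prefixes plus the usual private/loopback/link-local ranges.
BOGON_NETS = INTERNAL_NETS + [
    ipaddress.ip_network(n)
    for n in ("172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "0.0.0.0/8")
]


@dataclass
class Packet:
    iface: str  # "wan" or "lan" (assumed interface names)
    src: str
    dst: str
    proto: str  # "icmp", "tcp", ... (not used by the filter, kept for logging)


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def filter_packet(pkt: Packet):
    """Return (verdict, reason); verdict is 'accept' or 'drop'."""
    if pkt.iface == "wan":
        # Ingress filtering: a packet from outside may not claim an inside
        # (or otherwise bogus) source. This is the case cyberpixl asks about:
        # the router never gets as far as answering the echo request.
        if _in_any(pkt.src, BOGON_NETS):
            return "drop", "ingress: internal/bogon source address on WAN"
        return "accept", "ingress ok"
    if pkt.iface == "lan":
        # Egress filtering: a packet leaving must carry one of our own
        # source addresses, so 88.88.88.88 cannot leave the 10.0.0.0 network.
        if not _in_any(pkt.src, INTERNAL_NETS):
            return "drop", "egress: non-internal source address on LAN"
        return "accept", "egress ok"
    return "drop", "unknown interface"


# Constructed sample traffic built from the addresses used in the thread.
SAMPLE_PACKETS = [
    Packet("lan", "88.88.88.88", "8.8.8.8", "icmp"),      # spoofed source leaving the LAN
    Packet("wan", "10.0.0.33", "10.0.0.1", "icmp"),       # inside host's address arriving from outside
    Packet("wan", "88.88.88.88", "10.0.0.33", "icmp"),    # ordinary inbound reply
    Packet("lan", "10.0.0.33", "88.88.88.88", "icmp"),    # ordinary outbound request
]


def audit(packets):
    """Run the filter over a packet list and return counts per verdict."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, reason = filter_packet(pkt)
        counts[verdict] += 1
        print(f"{pkt.iface:3} {pkt.src:>13} -> {pkt.dst:<13} {verdict:6} ({reason})")
    return counts


if __name__ == "__main__":
    audit(SAMPLE_PACKETS)
```

Both spoofed packets are dropped purely on the source-address check, which is why, as Stian argues, the bounced traffic stands out rather than hiding anything: the dropped packets are exactly the ones a logging rule on these two checks would flag. A real deployment would express the same two rules in the router's own filter language (reverse-path checks or explicit prefix lists per interface); the Python is only there to make the decision logic explicit.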