Re: ICMP Covert channels question

[Darren Bounds <dbounds () intrusense com>]

In most cases 10/8, 192.168/16 and 172.16/12 are not routable across 
the Internet, although there are some exceptions.

However, if your packet does manage to reach it the destination 
network, traverse the firewall and hit it's target, you can be 
reasonably certain that the response, be it a TCP SYN-ACK,  an ICMP 
unreachable of some sort or just an ICMP echo reply, it will quite 
happily find it's way to the internal host whom you spoofed for review.


Thanks,

Darren Bounds
Intrusense LLC.

--
Intrusense - Securing Business As Usual


On Jan 28, 2005, at 5:45 PM, cyberpixl wrote:

> I've been doing some research on creating covert channels using icmp
> packets and a bounce server and so far everything worked fine. I can
> contact my web server through a bounce server outside of my network
> (like www.google.com or whatever). In my current setup both client and
> target are located in the same network and comunicate through the
> bounce server using icmp packets.
>
> Now, would it be possible to access a server behind a firewall, that
> normally isn't accessable, using this technique, if i'm outside of the
> target network?
>
> Assume there is a local machine (our target) with ip 192.168.0.2 that
> is connected to the internet using a router 192.168.0.1/88.88.88.88
> (that is not blocking icmp packets) and my machine is say,
> 33.33.33.33. If i then send an icmp packet to the 88.88.88.88 router
> with source ip set to 192.168.0.2, would it forward that packet to the
> host in its local network, or will it discard it? Is there any way to
> deliver my packet to that local machine?
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html