Full Disclosure mailing list archives
Re: ICMP Covert channels question
From: cyberpixl <cyberpixl () gmail com>
Date: Sun, 30 Jan 2005 15:24:02 +0100
No, because non-routeable addresses are...well....non-routeable. The only exception to this is *if* the target machine already had a session going with 33.33.33.33 (and it would obviously be nat'd/pat'd) there is a snort time frame within with your icmp packet would be delivered because the firewall is still translating the address/port for that session. Of course you have to know in advance all those variables, so, since you're sitting right there, just pound the dern thing with a hammer and be done with it. :-) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu
Well, what i meant was what if i use the networks router as a bounce host in order to get the packets into the network? If an icmp packet arrives at routers wan port with a source ip of an internal host will it send the echoreply to its lan port? I currently haven't got the chance to test this, but i will as soon as i can. Then, in order to receive replyes from the host behind the firewall all I'd have to do is make it send packets to a bounce server outsede the network, like google.com with source set to my ip (assuming then that the router freely allows icmp traffic out of the network). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- ICMP Covert channels question cyberpixl (Jan 28)
- Re: ICMP Covert channels question Andrew Farmer (Jan 28)
- Re: ICMP Covert channels question Paul Schmehl (Jan 28)
- RE: ICMP Covert channels question lists-security (Jan 29)
- RE: ICMP Covert channels question Paul Schmehl (Jan 29)
- RE: ICMP Covert channels question lists-security (Jan 29)
- RE: ICMP Covert channels question lists-security (Jan 29)
- Re: ICMP Covert channels question cyberpixl (Jan 30)
- Re: ICMP Covert channels question Gadi Evron (Jan 28)
- <Possible follow-ups>
- Re: ICMP Covert channels question Darren Bounds (Jan 29)