Firewall Wizards mailing list archives
Re: Odp: icmp scans
From: Salvatore Sanfilippo <antirez () seclab com>
Date: Thu, 12 Nov 1998 11:05:10 +0100
On Wed, Nov 11, 1998 at 04:28:36PM -0500, Chris Kostick wrote:
> Why use ICMP or anything else? It's obvious that if you've compromised a machine to the level of the ICMP receiver function being changed, then IP isn't too far away. Just use the IP Identification field to transmit/receive bytes. This way you don't have to single out an application or protocol above the network layer.
> -- chris
Hi,

Yes, you can use only IP to perform this, but if you don't need a return channel you can obtain some advantages using ICMP. I.e., if the victim is A and you are B, you can send an ICMP|ECHOREQUEST to host C spoofed from host A. The host B will reply to host A with an ICMP|ECHOREPLY (that contains a copy of the data field of the request, carrier of your bytes). In this way it is very unlikely that you can be traced, especially if your fake daemon identifies the data through the data field and you use as C random hosts (i.e. dialup windozes).

anti

--
Salvatore Sanfilippo
Intesis SECURITY LAB       Phone: +39-02-671563.1
Via Settembrini, 35        Fax: +39-02-66981953
I-20124 Milano ITALY       Email: antirez () seclab com
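A detection-side view of the reflected echo reply described in the message above, added here as an example and not part of the original post: from host A's network edge, the traffic shows up as echo replies that answer no echo request A ever sent. The addresses (documentation ranges), the packet records and the `MATCH_WINDOW` value are constructed assumptions, and the sensor is assumed to sit where it sees A's genuine outbound requests but not the spoofed ones.

```python
import struct
from collections import namedtuple

# Constructed sample capture record: (time_s, src_ip, dst_ip, raw ICMP message bytes).
Pkt = namedtuple("Pkt", "ts src dst icmp")

ECHO_REPLY, ECHO_REQUEST = 0, 8
MATCH_WINDOW = 5.0  # seconds a request stays outstanding (assumed value)

def icmp_echo(icmp_type, ident, seq, data=b""):
    """Build an ICMP echo message (checksum left 0; only used for sample data)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

def unsolicited_replies(packets, monitored):
    """Return echo replies sent to `monitored` hosts that answer no request
    those hosts sent to that peer (same id/seq) within MATCH_WINDOW."""
    outstanding = {}  # (requester, peer, id, seq) -> time the request was seen
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        if len(p.icmp) < 8:
            continue  # too short to hold an echo header
        icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", p.icmp[:8])
        if icmp_type == ECHO_REQUEST and p.src in monitored:
            outstanding[(p.src, p.dst, ident, seq)] = p.ts
        elif icmp_type == ECHO_REPLY and p.dst in monitored:
            sent = outstanding.pop((p.dst, p.src, ident, seq), None)
            if sent is None or p.ts - sent > MATCH_WINDOW:
                # Report payload length too: replies carrying data are the interesting ones.
                alerts.append((p.ts, p.src, p.dst, ident, seq, len(p.icmp) - 8))
    return alerts

# Constructed sample traffic; 192.0.2.10 plays the role of host A.
SAMPLE = [
    Pkt(1.0, "192.0.2.10", "198.51.100.7", icmp_echo(ECHO_REQUEST, 0x1234, 1, b"ping")),
    Pkt(1.1, "198.51.100.7", "192.0.2.10", icmp_echo(ECHO_REPLY, 0x1234, 1, b"ping")),
    # Replies from hosts that A never pinged: the pattern described in the message.
    Pkt(2.0, "203.0.113.5", "192.0.2.10", icmp_echo(ECHO_REPLY, 0x4444, 7, b"A" * 16)),
    Pkt(3.0, "203.0.113.99", "192.0.2.10", icmp_echo(ECHO_REPLY, 0x4444, 8, b"B" * 16)),
    # A reply arriving long after its request is reported as well.
    Pkt(4.0, "192.0.2.10", "198.51.100.8", icmp_echo(ECHO_REQUEST, 0x1234, 2)),
    Pkt(20.0, "198.51.100.8", "192.0.2.10", icmp_echo(ECHO_REPLY, 0x1234, 2)),
]

if __name__ == "__main__":
    for alert in unsolicited_replies(SAMPLE, {"192.0.2.10"}):
        print("unsolicited echo reply: ts=%.1f src=%s dst=%s id=%#x seq=%d data_len=%d" % alert)
```

Because the reflectors vary from packet to packet, the source address is a weak signal; the missing request and the payload length are what the check keys on.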
Current thread:
- Odp: icmp scans Pawel Maciejewski (Nov 11)
- Re: Odp: icmp scans Gigi Sullivan (Nov 11)
- <Possible follow-ups>
- Re: Odp: icmp scans Chris Kostick (Nov 11)
- Re: Odp: icmp scans Salvatore Sanfilippo (Nov 12)
- Re: Odp: icmp scans Gigi Sullivan (Nov 12)
- Re: Odp: icmp scans Bob Acosta (Nov 12)
- Re: Odp: icmp scans Gigi Sullivan (Nov 13)