Firewall Wizards mailing list archives

Re: Odp: icmp scans


From: Salvatore Sanfilippo <antirez () seclab com>
Date: Thu, 12 Nov 1998 11:05:10 +0100

On Wed, Nov 11, 1998 at 04:28:36PM -0500, Chris Kostick wrote:

> Why use ICMP or anything else?  It's obvious that if you've compromised a
> machine to the level of the ICMP receiver function being changed, then IP
> isn't too far away.  Just use the IP Identification field to transmit/receive
> bytes.  This way you don't have to single out an application or protocol above
> the network layer.
> --
> chris



Hi,
Yes, you can use only IP to perform this, but if you don't need a return
channel you can obtain some advantages using ICMP.
i.e. if the victim is A and you are B, you can send an ICMP|ECHOREQUEST to host
C spoofed from host A. The host B will reply to host A with an ICMP|ECHOREPLY
(that contains a copy of the data field of the request, the carrier of your
bytes). In this way it is very unlikely that you can be traced, especially if
your fake daemon identifies the data through the data field and you use random
hosts as C (i.e. dialup windozes).

anti

-- 
Salvatore Sanfilippo
Intesis SECURITY LAB            Phone: +39-02-671563.1
Via Settembrini, 35             Fax: +39-02-66981953
I-20124 Milano  ITALY           Email: antirez () seclab com
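The defensive corollary of the bounce described above is that host A receives ECHOREPLY packets for requests it never sent. Below is an added example (not from this thread or its authors) of a stateful reply-vs-request check; the record format, field names and addresses are constructed for illustration.

```python
"""Flag ICMP echo replies that the local host never requested.

Added example, not from the original thread. Packet records are constructed,
not captured; a real deployment would feed decoded ICMP headers from the host
or firewall into unsolicited_echo_replies().
"""
from collections import namedtuple

# Minimal view of the ICMP fields the check needs (constructed record format).
Pkt = namedtuple("Pkt", "direction src dst icmp_type icmp_id seq payload")

ECHO_REPLY, ECHO_REQUEST = 0, 8


def unsolicited_echo_replies(packets):
    """Return (packet, reason) for every inbound echo reply that has no
    matching outbound request, or whose payload differs from the request's
    (a legitimate reply echoes the request data verbatim)."""
    pending = {}   # (peer, id, seq) -> payload we sent
    flagged = []
    for p in packets:
        if p.direction == "out" and p.icmp_type == ECHO_REQUEST:
            pending[(p.dst, p.icmp_id, p.seq)] = p.payload
        elif p.direction == "in" and p.icmp_type == ECHO_REPLY:
            key = (p.src, p.icmp_id, p.seq)
            sent = pending.pop(key, None)
            if sent is None:
                flagged.append((p, "no matching echo request"))
            elif sent != p.payload:
                flagged.append((p, "payload differs from request"))
    return flagged


# Constructed sample traffic as seen from host A (10.0.0.5).
SAMPLE = [
    Pkt("out", "10.0.0.5", "192.0.2.10", ECHO_REQUEST, 0x1234, 1, b"ping"),
    Pkt("in", "192.0.2.10", "10.0.0.5", ECHO_REPLY, 0x1234, 1, b"ping"),
    # Reply from C that A never asked for: the request was spoofed as A by B.
    Pkt("in", "198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x4242, 7, b"hidden"),
]

if __name__ == "__main__":
    for pkt, why in unsolicited_echo_replies(SAMPLE):
        print(f"{pkt.src} id={pkt.icmp_id:#x} seq={pkt.seq}: {why}")
```

Matching on (peer, id, seq) alone misses a reply whose header was copied from a real request, which is why the payload comparison is kept as a second check.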


