Re: Odp: icmp scans

[Gigi Sullivan <sullivan () seclab com>]

Howdy there :)

On Wed, 11 Nov 1998, Pawel Maciejewski wrote:

> Date: Wed, 11 Nov 1998 15:25:52 +0100
> From: Pawel Maciejewski <laban () op onet pl>
> To: Neil Ratzlaff <Neil.Ratzlaff () ucop edu>, firewall-wizards () nfr net
> Cc: fw-1-mailinglist () lists us checkpoint com
> Subject: Odp: icmp scans
>
> Hello
>
>
> > 2.  Even if these packets made it through the firewall, I don't know what
> > it could get them other than confirmation of an existing machine.  Does
> > anyone know anything else they could do?
>
>
> Yeah, some types of ICMP packets can be used to establish emulated "telnet"
> connection and many more things.
> For further information read the "Loki" paper on
> http://www.infonexus.com/~daemon9/Projects/

Well, what are you talking about it's done *not* by *estabilish* a
connection, but it's done exploiting the "covert channel" IMHO. i.e.
route|daemon9 did a Project (Loki[1/2]) that exploits normal pings,
by inserting command into the ping's data portion.
Obviously there's a daemon on the other side that captures this ping and
perform some operations with these datas.
All this can provides to you a "shell", not interactive, but a sorta of
shell.

Please forgive me if I said "ping" and not icmp ECHO|ECHOREPLY.
It's possible to use almost every protocol to transport any kind of data.
The route's project is only [well done :)] an example imho.

> Greetings
>
> -= Signed =-
> -= Pawel Maciejewski =-
> -= e-mail : laban () op onet pl =-
> -= ICQ #10839029 =-
> ----------------------------------------
>    "Death comes to us all..."
> ----------------------------------------

Cheers,



                        -- gg sullivan



--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-02-671563.1
Via Settembrini, 35             Fax: +39-02-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com