Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Verizon Wireless DNS Tunneling

From: James Wright <jamfwright () gmail com>
Date: Fri, 7 Oct 2011 10:36:39 -0400
That would probably explain why the Comcast service page downloads an
executable to authenticate you.  At that point they have control over the
end user's machine and can either clear the DNS cache or force a reboot.

Their (Comcast, other traditional ISP's) authentication is a bit static and
works until real service disruption, which is generally rare.  Though it
would seem that Verizon would do similar.  Either the phone is a paid data
subscriber or they are not.  If not, all traffic is blocked or DNS is
hijacked to display the reason for non-Internet connectivity.

I do not know their system though, so I could be overly simplifying this.


Thanks,
James


On Fri, Oct 7, 2011 at 10:31 AM, Dan Kaminsky <dan () doxpara com> wrote:


Yeah, the problem is the bad data doesn't flush after authentication.  So
you try to go to Google, you're redirected to 10.0.0.1, you get
authenticated, but the browser still tries to go to 10.0.0.1.  You try
handling those support calls.  So instead most places give you real DNS, and
hijack at IP/TCP.

On Fri, Oct 7, 2011 at 7:26 AM, James Wright <jamfwright () gmail com> wrote:


Actually, yes, they could provide bad data.  I believe (perhaps
erroneously) that Comcast does this.  Probably other service providers do
too.  Until you are authenticated to use their network you are redirected to
a service page that can help authenticate you.  If you have connectivity
issues (like bad cached DNS entries) after authenticating you are to reboot
(or otherwise clear the local DNS cache).

I don't really see why Verizon could not do similar.  All DNS traffic from
an unauthenticated user/machine would be redirected to a DNS server that
only returned the appropriate service page.  Most or all other traffic would
be blocked.  Much like NAC.


Thanks,
James



On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan () doxpara com> wrote:


One major reason it sticks around is -- what are you supposed to do,
return bad data until the user is properly logged in?  It might get cached
-- and while operating systems respect TTL, browsers most assuredly do not
("well, it MIGHT take us somewhere good").

It's not like there's a magic off switch that makes this go away.

On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
marshallwhittaker () gmail com> wrote:


Yes, I've found that DNS tunneling works well at the college I go to on
their WIFI.  I've never gotten ICMP tunneling to work myself (outside of a
virtual machine),  but I have some code laying around somewhere that can do
it just in case I need it for something sometime.  Just thought it would be
interesting to some people that it works on such a large provider as
Verizon.  The only problem with it that I see is that it's quite slow.  But
if it works, so be it.  Good for checking email and browsing the web and
such on the road.  But I wouldn't try to torrent a linux distro with it,
haha.

--oxagast

On Fri, Oct 7, 2011 at 7:39 AM, BH <lists () blackhat bz> wrote:


 This comes in handy when travelling, I also found a few places where
ICMP tunnelling works well.


On 7/10/2011 6:35 PM, Dan Kaminsky wrote:

Works mostly everywhere.  It's apparently enough of a pain in the butt
to deal with, and abused so infrequently, that it's left alone.

On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
marshallwhittaker () gmail com> wrote:


I recently noticed that you can tunnel TCP through DNS (I used iodine)
to penetrate Verizon Wireless' firewall.  You can connect, and if you can
hold the connection long enough to make a DNS tunnel, then the connection
stays up, then use SSH -D to create a proxy server for your traffic. Bottom
line is, you can use the internet without paying. I made a video of it.  It
can be seen here:
http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
tried to contact Verizon on their security blog about it a few weeks ago at
http://securityblog.verizonbusiness.com/ however, I have not had a
response.  This technique still works as of this posting.  Maybe this will
help them get their act together ;-)

 --oxagast

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: