Full Disclosure mailing list archives
Re: Verizon Wireless DNS Tunneling
From: James Wright <jamfwright () gmail com>
Date: Fri, 7 Oct 2011 10:36:39 -0400
That would probably explain why the Comcast service page downloads an executable to authenticate you. At that point they have control over the end user's machine and can either clear the DNS cache or force a reboot. Their (Comcast, other traditional ISP's) authentication is a bit static and works until real service disruption, which is generally rare. Though it would seem that Verizon would do similar. Either the phone is a paid data subscriber or they are not. If not, all traffic is blocked or DNS is hijacked to display the reason for non-Internet connectivity. I do not know their system though, so I could be overly simplifying this. Thanks, James On Fri, Oct 7, 2011 at 10:31 AM, Dan Kaminsky <dan () doxpara com> wrote:
Yeah, the problem is the bad data doesn't flush after authentication. So you try to go to Google, you're redirected to 10.0.0.1, you get authenticated, but the browser still tries to go to 10.0.0.1. You try handling those support calls. So instead most places give you real DNS, and hijack at IP/TCP. On Fri, Oct 7, 2011 at 7:26 AM, James Wright <jamfwright () gmail com> wrote:Actually, yes, they could provide bad data. I believe (perhaps erroneously) that Comcast does this. Probably other service providers do too. Until you are authenticated to use their network you are redirected to a service page that can help authenticate you. If you have connectivity issues (like bad cached DNS entries) after authenticating you are to reboot (or otherwise clear the local DNS cache). I don't really see why Verizon could not do similar. All DNS traffic from an unauthenticated user/machine would be redirected to a DNS server that only returned the appropriate service page. Most or all other traffic would be blocked. Much like NAC. Thanks, James On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan () doxpara com> wrote:One major reason it sticks around is -- what are you supposed to do, return bad data until the user is properly logged in? It might get cached -- and while operating systems respect TTL, browsers most assuredly do not ("well, it MIGHT take us somewhere good"). It's not like there's a magic off switch that makes this go away. On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker < marshallwhittaker () gmail com> wrote:Yes, I've found that DNS tunneling works well at the college I go to on their WIFI. I've never gotten ICMP tunneling to work myself (outside of a virtual machine), but I have some code laying around somewhere that can do it just in case I need it for something sometime. Just thought it would be interesting to some people that it works on such a large provider as Verizon. The only problem with it that I see is that it's quite slow. But if it works, so be it. Good for checking email and browsing the web and such on the road. But I wouldn't try to torrent a linux distro with it, haha. --oxagast On Fri, Oct 7, 2011 at 7:39 AM, BH <lists () blackhat bz> wrote:This comes in handy when travelling, I also found a few places where ICMP tunnelling works well. On 7/10/2011 6:35 PM, Dan Kaminsky wrote: Works mostly everywhere. It's apparently enough of a pain in the butt to deal with, and abused so infrequently, that it's left alone. On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker < marshallwhittaker () gmail com> wrote:I recently noticed that you can tunnel TCP through DNS (I used iodine) to penetrate Verizon Wireless' firewall. You can connect, and if you can hold the connection long enough to make a DNS tunnel, then the connection stays up, then use SSH -D to create a proxy server for your traffic. Bottom line is, you can use the internet without paying. I made a video of it. It can be seen here: http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I tried to contact Verizon on their security blog about it a few weeks ago at http://securityblog.verizonbusiness.com/ however, I have not had a response. This technique still works as of this posting. Maybe this will help them get their act together ;-) --oxagast _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Verizon Wireless DNS Tunneling Marshall Whittaker (Oct 07)
- Re: Verizon Wireless DNS Tunneling Dan Kaminsky (Oct 07)
- Re: Verizon Wireless DNS Tunneling BH (Oct 07)
- Re: Verizon Wireless DNS Tunneling Marshall Whittaker (Oct 07)
- Re: Verizon Wireless DNS Tunneling Dan Kaminsky (Oct 07)
- Re: Verizon Wireless DNS Tunneling James Wright (Oct 07)
- Re: Verizon Wireless DNS Tunneling Dan Kaminsky (Oct 07)
- Re: Verizon Wireless DNS Tunneling James Wright (Oct 07)
- Re: Verizon Wireless DNS Tunneling Valdis . Kletnieks (Oct 07)
- Re: Verizon Wireless DNS Tunneling Terrence (Oct 07)
- Re: Verizon Wireless DNS Tunneling Valdis . Kletnieks (Oct 07)
- Re: Verizon Wireless DNS Tunneling James Wright (Oct 07)
- Re: Verizon Wireless DNS Tunneling James Wright (Oct 07)
- Re: Verizon Wireless DNS Tunneling xD 0x41 (Oct 07)
- Re: Verizon Wireless DNS Tunneling BH (Oct 07)
- Re: Verizon Wireless DNS Tunneling Dan Kaminsky (Oct 07)
- Re: Verizon Wireless DNS Tunneling Hartley, Christopher (Oct 07)
- Re: Verizon Wireless DNS Tunneling Dan Kaminsky (Oct 07)
- Re: Verizon Wireless DNS Tunneling Marshall Whittaker (Oct 07)
- Re: Verizon Wireless DNS Tunneling Valdis . Kletnieks (Oct 07)