Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Verizon Wireless DNS Tunneling

From: Marshall Whittaker <marshallwhittaker () gmail com>
Date: Fri, 7 Oct 2011 19:18:15 -0300
I suppose now that I think about it, it would also be possible to write a
program for your cell phone to do this (to get access from the phone alone,
without a computer tethered).  I don't know enough about cell phone
programming to do it myself though.

On Fri, Oct 7, 2011 at 4:51 PM, Dan Kaminsky <dan () doxpara com> wrote:


You never know what you'll be breaking, but you always know you'll be
paying for support calls.


On Fri, Oct 7, 2011 at 12:38 PM, Hartley, Christopher <hartley.87 () osu edu>wrote:


I would think that at minimum, thresholds could be set on how many names
to resolve, and permitted types for unauthenticated users.  Prohibit NULL
and TXT records for unauthenticated hosts - or just whitelist A and CNAMEs,
reject others.  Reject the 50th (or whatever) query from an unauthenticated
host/user... I don't think NACs are using DNS tricks in the main anymore
anyway.  They shouldn't be...  there are much better ways.

That said, I'm happy for this condition to exist permanently so long as
I'm not responsible for the traffic.


On Oct 7, 2011, at 10:26 AM, James Wright wrote:

Actually, yes, they could provide bad data.  I believe (perhaps
erroneously) that Comcast does this.  Probably other service providers do
too.  Until you are authenticated to use their network you are redirected to
a service page that can help authenticate you.  If you have connectivity
issues (like bad cached DNS entries) after authenticating you are to reboot
(or otherwise clear the local DNS cache).

I don't really see why Verizon could not do similar.  All DNS traffic from
an unauthenticated user/machine would be redirected to a DNS server that
only returned the appropriate service page.  Most or all other traffic would
be blocked.  Much like NAC.


Thanks,
James


On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan () doxpara com> wrote:


One major reason it sticks around is -- what are you supposed to do,
return bad data until the user is properly logged in?  It might get cached
-- and while operating systems respect TTL, browsers most assuredly do not
("well, it MIGHT take us somewhere good").

It's not like there's a magic off switch that makes this go away.

On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
marshallwhittaker () gmail com> wrote:


Yes, I've found that DNS tunneling works well at the college I go to on
their WIFI.  I've never gotten ICMP tunneling to work myself (outside of a
virtual machine),  but I have some code laying around somewhere that can do
it just in case I need it for something sometime.  Just thought it would be
interesting to some people that it works on such a large provider as
Verizon.  The only problem with it that I see is that it's quite slow.  But
if it works, so be it.  Good for checking email and browsing the web and
such on the road.  But I wouldn't try to torrent a linux distro with it,
haha.

--oxagast

On Fri, Oct 7, 2011 at 7:39 AM, BH <lists () blackhat bz> wrote:


 This comes in handy when travelling, I also found a few places where
ICMP tunnelling works well.


On 7/10/2011 6:35 PM, Dan Kaminsky wrote:

Works mostly everywhere.  It's apparently enough of a pain in the butt
to deal with, and abused so infrequently, that it's left alone.

On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
marshallwhittaker () gmail com> wrote:


I recently noticed that you can tunnel TCP through DNS (I used iodine)
to penetrate Verizon Wireless' firewall.  You can connect, and if you can
hold the connection long enough to make a DNS tunnel, then the connection
stays up, then use SSH -D to create a proxy server for your traffic. Bottom
line is, you can use the internet without paying. I made a video of it.  It
can be seen here:
http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
tried to contact Verizon on their security blog about it a few weeks ago at
http://securityblog.verizonbusiness.com/ however, I have not had a
response.  This technique still works as of this posting.  Maybe this will
help them get their act together ;-)

 --oxagast

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: