Penetration Testing mailing list archives
Re: [PEN-TEST] IP Tunneling over DNS
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Mon, 11 Sep 2000 14:03:48 -0500
I caught an employee at a customer site using his RedHat workstation to get back in through the firewall. He was using "rtelnet", which is a cheesy tcl (I kid you not) script that connects to a pre-determined IP address's listening port (you listen on that machine with netcat). It tries every <nn> seconds to connect to that port, and when it does, it asks for a password. Upon password matching, you can feed the firewalled internal machine commands almost as if you were in a telnet session (anyone ever seen the port-shell'd /bin/sh in inetd.conf? It works a lot like that.)...

It's very true: if the firewall allows all sorts of outgoing connections, and it's statefully inspected, then it's possible for an internal host to connect out and ASK for information, letting you "reply", and it accepts the "reply" as a command. Even applications such as Yahoo Messenger do this (when put in firewall/proxy-less mode). It requests information via port 80, and queries the Yahoo server every <nn> seconds, asking if there are any new messages or if any of my friends have gotten online.

The hard part is finding machines that are running programs such as this one, because of the simple fact that they don't open a listening port. Programs such as these must be found through passive means (I found the suspicious machine while sniffing, messed with the router, and assumed the IP of the machine it was trying to connect to, and discovered it that way.)

After I reported this activity, I'm sure the fellow had a rather bad day... :)

--Noah Dunker

-----Original Message-----
From: Christopher M. Bergeron [mailto:ChrisB () HGSS COM]
Sent: Monday, September 11, 2000 12:06 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: IP Tunneling over DNS

I just read an interesting post at slashdot:
http://slashdot.org/article.pl?sid=00/09/10/2230242&mode=thread

Theoretically, someone from inside a secure network could tunnel out (a la Trojan) to punch a major hole through a firewall.
Am I understanding this correctly?
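The post above notes that a reverse-connecting agent opens no listening port and can only be spotted passively; the one thing it does leave behind is a regular cadence of outbound attempts to a single destination. The following is an added example (not code from the post or from any tool it names) that looks for that cadence in connection logs. The log format, hosts, port and sample lines are all constructed for the example.

```python
"""Flag internal hosts that retry one outbound connection on a fixed schedule.

Constructed sample log, one attempt per line:
    "<ISO time> <src> -> <dst>:<port> <action>"
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.1.2.7 retries the same destination every 60 seconds,
# while 10.1.2.9 browses normally.
SAMPLE_LOG = """\
2000-09-11T13:00:00 10.1.2.7 -> 192.0.2.44:2222 deny
2000-09-11T13:00:03 10.1.2.9 -> 192.0.2.10:80 allow
2000-09-11T13:01:00 10.1.2.7 -> 192.0.2.44:2222 deny
2000-09-11T13:01:47 10.1.2.9 -> 192.0.2.10:80 allow
2000-09-11T13:02:00 10.1.2.7 -> 192.0.2.44:2222 deny
2000-09-11T13:03:00 10.1.2.7 -> 192.0.2.44:2222 allow
2000-09-11T13:03:21 10.1.2.9 -> 198.51.100.5:443 allow
2000-09-11T13:04:00 10.1.2.7 -> 192.0.2.44:2222 allow
2000-09-11T13:09:12 10.1.2.9 -> 192.0.2.10:80 allow
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) for one constructed-format log line."""
    ts, src, _arrow, dst_port, _action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_beacons(log_text, min_attempts=4, max_jitter=0.2):
    """Return {(src, dst, port): mean gap in seconds} for flows whose
    inter-attempt gaps are nearly constant (relative std dev <= max_jitter).
    Denied and allowed attempts both count: the cadence, not the outcome,
    is the signal, so a blocked agent still shows up."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        times[(src, dst, port)].append(ts)
    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst, port), every in find_beacons(SAMPLE_LOG).items():
        print(f"{src} retries {dst}:{port} every {every:.0f}s")
```

On the sample the only flagged flow is 10.1.2.7 to 192.0.2.44:2222 at a 60-second interval; the legitimate web traffic has too few and too irregular attempts to match.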