Re: Hping2, packet crafting question...

["Jamie Riden" <jamie.riden () gmail com>]

On 20 Jul 2007 16:01:56 -0000, jasonisnow () gmail com
<jasonisnow () gmail com> wrote:
> This is a long shot...
>
>
> I have a situation where a user at a client is bypassing a proxy, changing his local routing table and internet browsing 
> through a local modem, connected to a fax machine. Is there any way to to craft a packet to verify this is happening - 
> stimulus/response type action? I've spoofed packets to see if he has his machine set up to auto-dial the modem when it 
> sees traffic destined for a non-local subnet...

Going on when I worked at a uni - the default route was out towards
the Internet, so we'd see all sorts of random source addresses hitting
the firewall, especially 169.whatever, the ones that Windows picks
when it fails to DHCP.

If you sent an ICMP packet with spoofed source address[*] - outside
your network - you would expect it to go back towards the default
route. If someone is dialled out, or VPN'd out then you wouldn't
expect to see it again within your network.

If you own an external machine, spoof that as the source address -
then you can see if the reply does actually get to the machine, and
whether it's traversing your network or not.

Or have I missed the point?

cheers,
Jamie

[*] please don't use someone's actual address without permission!
--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------