Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Promiscuous interface hacks?

From: Frank Knobbe <fknobbe () knobbeits com>
Date: 01 May 2003 21:50:24 -0500
On Thu, 2003-05-01 at 17:42, Paul Schmehl wrote:

But once the bo is exploited, even if a root shell is obtained, how does 
the attacker then "get to" that shell?  Since there's no IP associated with 
it, I'm having trouble understanding how the attacker could then proceed to 
exploit the box.



hehe... yeah, if the box doesn't have an IP address on that interface,
you would think that the attacker couldn't establish a session back to
himself. But there are a couple scenarios that seems plausible:

a) (The obvious one) The second NIC has an IP address for management of
the box. This this box is allowed to connect to the Internet, then the
attacker could establish a connection back to a waiting netcat or
something. So make sure that box is isolated and only allow Internet
access temporarily for rule updates etc.

b) No outbound access on second NIC, or no second NIC present. The
attacker, being able to launch code, could just assign an IP address to
the interface which didn't have an IP address before. Finding a free
address is trivial. The attacker, well or his code, just watches ARP
traffic, figures out what network range it is in and grabs an unused
address (similar to the detection LaBrea employs for finding unused
IP's). A read-only cable or Ethernet tap work wonders here.

c) This is one of my favorites because a lot of folks don't consider
this one: First NIC is on a tap, second NIC on the internal network, but
firewall does not allow it Internet access. Most likely DNS will work,
so there is always the chance to create a tunnel using valid DNS
queries. Attacker sends payload, IDS sniffs is, overflows, and code
executes. That code does DNS queries against records within the
attackers domain, and using the queries and results shovels data back
and forth.


There are all these possibilities.... but they are tricky. I bet you
that there is other, lower hanging fruit, to compromise a network :) 
However, one should not dismiss IP-less devices as safe. A tap or RO
cable is way more effective (try to find a hacker that can remotely hack
a cable back together :)

Cheers,
Frank


PS: Regarding your other email: No, I'm not aware of any white papers
etc.

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: