Message-ID: <d43c8d1b05012906587f4e5358@mail.gmail.com>
From: michael4447 at gmail.com (Michael Rutledge)
Subject: Transamericana.org

Actually, I forgot about this discussion going on (message thread
"[Full-Disclosure] ICMP Covert channels question").

It seems cyberpixl is doing research creating a covert channel using
ICMP packets.  Since ping uses ICMP, maybe he is playing on your box. :)

-Michael


On Fri, 28 Jan 2005 23:45:00 +0100, cyberpixl <cyberpixl@...il.com> wrote:
> I've been doing some research on creating covert channels using ICMP
> packets and a bounce server and so far everything worked fine. I can
> contact my web server through a bounce server outside of my network
> (like www.google.com or whatever). In my current setup both client and
> target are located in the same network and communicate through the
> bounce server using ICMP packets.
> 
> Now, would it be possible to access a server behind a firewall, that
> normally isn't accessible, using this technique, if I'm outside of the
> target network?
> 
> Assume there is a local machine (our target) with IP 192.168.0.2 that
> is connected to the internet using a router 192.168.0.1/88.88.88.88
> (that is not blocking ICMP packets) and my machine is, say,
> 33.33.33.33. If I then send an ICMP packet to the 88.88.88.88 router
> with source IP set to 192.168.0.2, would it forward that packet to the
> host in its local network, or will it discard it? Is there any way to
> deliver my packet to that local machine?
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 



On Sat, 29 Jan 2005 08:53:31 -0600, Michael Rutledge
<michael4447@...il.com> wrote:
> This may be a stretch (a large stretch), but someone could have
> planted something on your Windows box that is using pings as a covert
> channel (given that person has also taken control of the webserver
> that hosts transamericana.org and can watch the connection logs).  Do
> you have a capture of the pings for someone to do a frequency analysis
> on?
> 
> Also, you may want to post a list of your currently running processes
> in hopes someone may spot something that looks wrong.
> 
> -Michael
> 
> On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
> <tat@...tmark.net> wrote:
> > Gregh wrote:
> > > ----- Original Message -----
> > > From: "Antonio Henrique Oliveira" <tat@...tmark.net>
> > > To: <full-disclosure@...ts.netsys.com>
> > > Sent: Saturday, January 29, 2005 9:46 PM
> > > Subject: [Full-Disclosure] Transamericana.org
> > >
> > >
> > >
> > >>Dear all,
> > >>
> > >>Please excuse me if this is a bit off-topic, but since this is the only
> > >>IT-related mailing list I subscribe to (apart from Secunia's) I decided to
> > >>post here.
> > >>
> > >>From sometime ago (I cannot determine exactly when this started to
> > >>happen), my workstation (WinXP SP2 PT, fully patched) has been sending
> > >>out ping requests to www.transamericana.org when I login to the machine
> > >>(right at the beginning of the login process, and only at that time).
> > >>
> > >
> > >
> > > Perchance is your DNS hosted there? Eg, your ISP's DNS servers?
> > >
> > > Greg.
> > No. The Linux box runs bind for the internal (and external) networks and
> > does direct queries to the root servers, not using our ISP's DNS. The
> > internal network is configured with DHCP and the DNS server for all
> > hosts is set to the linux box internal address. Also, my workstation
> > (and there are 5 more) is the only one doing this.
> >
> > Regards,
> > --
> > Anto'nio Henrique A. Proenca de Oliveira
> >
> > "Although we can never go back, like an old sweet song with a strong
> > refrain, memories remain" - (Someone)
> >
> > Please avoid sending me Word or PowerPoint attachments.
> > See http://www.fsf.org/philosophy/no-word-attachments.html
> > $Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
> >
> >
>
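
A first pass over a ping capture of the kind requested above, as an added example that was not posted by anyone in this thread: it flags ICMP echo requests whose data field differs from the 32-byte pattern Windows ping.exe sends and reports the byte entropy of each odd payload. The function names, the input format (ICMP bytes with the IP header already stripped) and the sample packets are assumptions made for illustration.

```python
import math
import struct
from collections import Counter

# Data field that Windows ping.exe puts in its echo requests (32 bytes).
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

def parse_echo_request(icmp: bytes):
    """Return (id, seq, data) for an ICMP echo request, else None.
    Assumes the IP header is already stripped; checksum is not verified."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 8 or code != 0:
        return None
    return ident, seq, icmp[8:]

def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit(capture):
    """capture: list of (timestamp_seconds, icmp_bytes).
    Returns echo requests whose data differs from the ping.exe default."""
    findings = []
    for ts, raw in capture:
        parsed = parse_echo_request(raw)
        if parsed is None:
            continue
        _ident, seq, data = parsed
        if data != WINDOWS_PING_DATA:
            findings.append({"time": ts, "seq": seq, "length": len(data),
                             "entropy": round(entropy(data), 3)})
    return findings

def build(seq: int, data: bytes) -> bytes:
    """Constructed sample packet: type 8, code 0, checksum 0, id 1."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, seq) + data

# Constructed capture, not taken from the thread.
SAMPLE = [
    (0.00, build(1, WINDOWS_PING_DATA)),
    (1.01, build(2, WINDOWS_PING_DATA)),
    (2.03, build(3, b"constructed-non-default-payload!")),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A payload that matches the default pattern does not rule out a timing-based channel, so the timestamps kept in each finding are worth comparing against login times as well.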
