From: sovrevage at gmail.com (Stian Øvrevåge)
Subject: ICMP Covert channels question

Hi cyberpixl!

It's fascinating how you can bounce traffic and information by using
stateless protocols and fake source addresses. However, you are not
really hiding yourself, as packets leaving an internal network,
destined for the bouncer, will contain your source address and vice
versa.

Don't you think it's a little strange if packets with source address
88.88.88.88 were leaving your 10.0.0.0 network? Or packets from
10.0.0.33 were coming in on the WAN interface?

Also, packet filtering is based on router configuration. More and more
administrators are filtering packets with unexpected source and/or
destination addresses (ingress and egress filtering).

My conclusion is, bouncing packets does not help hide you; in fact,
it does just the opposite. The level of technical challenge is also
increasing.


On Sun, 30 Jan 2005 15:24:02 +0100, cyberpixl <cyberpixl@...il.com> wrote:
> >
> > No, because non-routeable addresses are...well....non-routeable.  The only
> > exception to this is *if* the target machine already had a session going
> > with 33.33.33.33 (and it would obviously be nat'd/pat'd) there is a short
> > time frame within which your icmp packet would be delivered because the
> > firewall is still translating the address/port for that session.
> >
> > Of course you have to know in advance all those variables, so, since you're
> > sitting right there, just pound the dern thing with a hammer and be done
> > with it.  :-)
> >
> > Paul Schmehl (pauls@...allas.edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu
> >
> 
> Well, what I meant was what if I use the network's router as a bounce
> host in order to get the packets into the network? If an icmp packet
> arrives at the router's WAN port with a source ip of an internal host, will
> it send the echo reply to its LAN port? I currently haven't got the
> chance to test this, but I will as soon as I can. Then, in order to
> receive replies from the host behind the firewall all I'd have to do
> is make it send packets to a bounce server outside the network, like
> google.com with source set to my ip (assuming then that the router
> freely allows icmp traffic out of the network).
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
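The ingress/egress filtering Stian describes, written out as a small check over constructed packet records (an added illustration, not code from this thread). It assumes a single internal prefix 10.0.0.0/8 and two router interfaces named "lan" and "wan"; the sample packets mirror the spoofed-source cases from the discussion.

```python
from ipaddress import ip_address, ip_network

# Assumed internal address space for the router in the thread's example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(addr):
    """True if addr falls inside one of the internal prefixes."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def filter_verdict(iface, src):
    """Return (action, reason) for a packet entering the router on iface.

    Egress rule (packets arriving from the LAN, headed out): the source
    must be an internal address, otherwise someone inside is spoofing.
    Ingress rule (packets arriving on the WAN): the source must not be
    an internal address, otherwise an outside host is spoofing an
    inside one, which is exactly the bounce trick discussed above.
    """
    if iface == "lan":
        if not is_internal(src):
            return ("drop", "egress: non-internal source leaving internal network")
        return ("accept", "egress ok")
    if iface == "wan":
        if is_internal(src):
            return ("drop", "ingress: internal source address arriving on WAN")
        return ("accept", "ingress ok")
    raise ValueError(f"unknown interface {iface!r}")


# Constructed sample packets (iface, src) taken from the thread's examples.
SAMPLE_PACKETS = [
    ("lan", "10.0.0.33"),       # normal outbound packet
    ("lan", "88.88.88.88"),     # spoofed source leaving the 10.0.0.0 network
    ("wan", "10.0.0.33"),       # internal source "arriving" on the WAN side
    ("wan", "198.51.100.7"),    # ordinary inbound packet
]


def audit(packets):
    """Apply both rules and return the packets that would be dropped, with reasons."""
    dropped = []
    for iface, src in packets:
        action, reason = filter_verdict(iface, src)
        if action == "drop":
            dropped.append((iface, src, reason))
    return dropped


if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DROP", *entry)
```

Running it drops exactly the two spoofed packets, which is why the bounce host's reply never makes it to the LAN on a router with both rules in place.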
