[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKpcs8R7z0Z8tU82tJC64Sey9C7k==2dfon_CxV3YrBpiFeAQA@mail.gmail.com>
Date: Fri, 7 Oct 2011 10:36:39 -0400
From: James Wright <jamfwright@...il.com>
To: Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Verizon Wireless DNS Tunneling
That would probably explain why the Comcast service page downloads an
executable to authenticate you. At that point they have control over the
end user's machine and can either clear the DNS cache or force a reboot.
Their (Comcast, other traditional ISP's) authentication is a bit static and
works until real service disruption, which is generally rare. Though it
would seem that Verizon would do similar. Either the phone is a paid data
subscriber or they are not. If not, all traffic is blocked or DNS is
hijacked to display the reason for non-Internet connectivity.
I do not know their system though, so I could be overly simplifying this.
Thanks,
James
On Fri, Oct 7, 2011 at 10:31 AM, Dan Kaminsky <dan@...para.com> wrote:
> Yeah, the problem is the bad data doesn't flush after authentication. So
> you try to go to Google, you're redirected to 10.0.0.1, you get
> authenticated, but the browser still tries to go to 10.0.0.1. You try
> handling those support calls. So instead most places give you real DNS, and
> hijack at IP/TCP.
>
> On Fri, Oct 7, 2011 at 7:26 AM, James Wright <jamfwright@...il.com> wrote:
>
>> Actually, yes, they could provide bad data. I believe (perhaps
>> erroneously) that Comcast does this. Probably other service providers do
>> too. Until you are authenticated to use their network you are redirected to
>> a service page that can help authenticate you. If you have connectivity
>> issues (like bad cached DNS entries) after authenticating you are to reboot
>> (or otherwise clear the local DNS cache).
>>
>> I don't really see why Verizon could not do similar. All DNS traffic from
>> an unauthenticated user/machine would be redirected to a DNS server that
>> only returned the appropriate service page. Most or all other traffic would
>> be blocked. Much like NAC.
>>
>>
>> Thanks,
>> James
>>
>>
>>
>> On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan@...para.com> wrote:
>>
>>> One major reason it sticks around is -- what are you supposed to do,
>>> return bad data until the user is properly logged in? It might get cached
>>> -- and while operating systems respect TTL, browsers most assuredly do not
>>> ("well, it MIGHT take us somewhere good").
>>>
>>> It's not like there's a magic off switch that makes this go away.
>>>
>>> On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
>>> marshallwhittaker@...il.com> wrote:
>>>
>>>> Yes, I've found that DNS tunneling works well at the college I go to on
>>>> their WIFI. I've never gotten ICMP tunneling to work myself (outside of a
>>>> virtual machine), but I have some code laying around somewhere that can do
>>>> it just in case I need it for something sometime. Just thought it would be
>>>> interesting to some people that it works on such a large provider as
>>>> Verizon. The only problem with it that I see is that it's quite slow. But
>>>> if it works, so be it. Good for checking email and browsing the web and
>>>> such on the road. But I wouldn't try to torrent a linux distro with it,
>>>> haha.
>>>>
>>>> --oxagast
>>>>
>>>> On Fri, Oct 7, 2011 at 7:39 AM, BH <lists@...ckhat.bz> wrote:
>>>>
>>>>> This comes in handy when travelling, I also found a few places where
>>>>> ICMP tunnelling works well.
>>>>>
>>>>>
>>>>> On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
>>>>>
>>>>> Works mostly everywhere. It's apparently enough of a pain in the butt
>>>>> to deal with, and abused so infrequently, that it's left alone.
>>>>>
>>>>> On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
>>>>> marshallwhittaker@...il.com> wrote:
>>>>>
>>>>>> I recently noticed that you can tunnel TCP through DNS (I used iodine)
>>>>>> to penetrate Verizon Wireless' firewall. You can connect, and if you can
>>>>>> hold the connection long enough to make a DNS tunnel, then the connection
>>>>>> stays up, then use SSH -D to create a proxy server for your traffic. Bottom
>>>>>> line is, you can use the internet without paying. I made a video of it. It
>>>>>> can be seen here:
>>>>>> http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
>>>>>> tried to contact Verizon on their security blog about it a few weeks ago at
>>>>>> http://securityblog.verizonbusiness.com/ however, I have not had a
>>>>>> response. This technique still works as of this posting. Maybe this will
>>>>>> help them get their act together ;-)
>>>>>>
>>>>>> --oxagast
>>>>>>
>>>>>> _______________________________________________
>>>>>> Full-Disclosure - We believe in it.
>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists