lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4E905EB5.3050000@infosecurity.ch> Date: Sat, 08 Oct 2011 16:31:17 +0200 From: "Fabio Pietrosanti (naif)" <lists@...osecurity.ch> To: full-disclosure@...ts.grok.org.uk Subject: Re: Verizon Wireless DNS Tunneling On 10/7/11 12:32 PM, Marshall Whittaker wrote: > I recently noticed that you can tunnel TCP through DNS (I used iodine) > to penetrate Verizon Wireless' firewall. When people avoid publicly saying stuff like this, that kind of hacks live for much longer time. Still iodine, when not used with direct raw socket but using resolver as a relay, DOES NOT randomize source port. That means that it's blocked by most statefull firewall like Cisco PIX that, for a specific DNS session, doesn't allow you to do more than X query every minutes. For example UK T-Mobile doing DNS stateful inspection, basically allow you to make "dns tunnelled traffic" for 2-3 seconds every minute. Probably because on the "virtual UDP/DNS session" there is a limit of "how many query can be done within 60s". If iodine would randomize the source port for the DNS query, it would probably works also in such conditions. -naif _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists