Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: ICMP Covert channels question
From: Stian Øvrevåge <sovrevage () gmail com>
Date: Wed, 2 Feb 2005 18:12:50 +0100

Hi cyberpixl!

It's fascinating how you can bounce traffic and information by using
stateless protocols and fake source addresses. However, you are not
really hiding yourself, on packets leaving an internal network,
destined for the bouncer, will contain your source address and vica
verca.

Don't you think it's a little strange if packets with source address
88.88.88.88 was leaving your 10.0.0.0 network? Or packets from
10.0.0.33 was comming in on the WAN interface?

Also, packet filtering is based on router configuration. More and more
administrators are filtering packets with unexpected source and/or
destination addresses ( ingress and egress filtering ).

My conclusion is, bouncing packets does not help hiding you, in fact,
it does just the opposite. The level of technical challenges are also
increasing.


On Sun, 30 Jan 2005 15:24:02 +0100, cyberpixl <cyberpixl () gmail com> wrote:

No, because non-routeable addresses are...well....non-routeable.  The only
exception to this is *if* the target machine already had a session going
with 33.33.33.33 (and it would obviously be nat'd/pat'd) there is a snort
time frame within with your icmp packet would be delivered because the
firewall is still translating the address/port for that session.

Of course you have to know in advance all those variables, so, since you're
sitting right there, just pound the dern thing with a hammer and be done
with it.  :-)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Well, what i meant was what if i use the networks router as a bounce
host in order to get the packets into the network? If an icmp packet
arrives at routers wan port with a source ip of an internal host will
it send the echoreply to its lan port? I currently haven't got the
chance to test this, but i will as soon as i can. Then, in order to
receive replyes from the host behind the firewall all I'd have to do
is make it send packets to a bounce server outsede the network, like
google.com with source set to my ip (assuming then that the router
freely allows icmp traffic out of the network).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault