Full Disclosure
mailing list archives
Re: Verizon Wireless DNS Tunneling
From: "Hartley, Christopher" <hartley.87 () osu edu>
Date: Fri, 7 Oct 2011 19:38:15 +0000
I would think that at minimum, thresholds could be set on how many names to resolve, and permitted types for
unauthenticated users. Prohibit NULL and TXT records for unauthenticated hosts - or just whitelist A and CNAMEs,
reject others. Reject the 50th (or whatever) query from an unauthenticated host/user... I don't think NACs are using
DNS tricks in the main anymore anyway. They shouldn't be... there are much better ways.
That said, I'm happy for this condition to exist permanently so long as I'm not responsible for the traffic.
On Oct 7, 2011, at 10:26 AM, James Wright wrote:
Actually, yes, they could provide bad data. I believe (perhaps erroneously) that Comcast does this. Probably other
service providers do too. Until you are authenticated to use their network you are redirected to a service page that
can help authenticate you. If you have connectivity issues (like bad cached DNS entries) after authenticating you are
to reboot (or otherwise clear the local DNS cache).
I don't really see why Verizon could not do similar. All DNS traffic from an unauthenticated user/machine would be
redirected to a DNS server that only returned the appropriate service page. Most or all other traffic would be
blocked. Much like NAC.
Thanks,
James
On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan () doxpara com> wrote:
One major reason it sticks around is -- what are you supposed to do, return bad data until the user is properly logged
in? It might get cached -- and while operating systems respect TTL, browsers most assuredly do not ("well, it MIGHT
take us somewhere good").
It's not like there's a magic off switch that makes this go away.
On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <marshallwhittaker () gmail com> wrote:
Yes, I've found that DNS tunneling works well at the college I go to on their WIFI. I've never gotten ICMP tunneling
to work myself (outside of a virtual machine), but I have some code laying around somewhere that can do it just in
case I need it for something sometime. Just thought it would be interesting to some people that it works on such a
large provider as Verizon. The only problem with it that I see is that it's quite slow. But if it works, so be it.
Good for checking email and browsing the web and such on the road. But I wouldn't try to torrent a linux distro with
it, haha.
--oxagast
On Fri, Oct 7, 2011 at 7:39 AM, BH <lists () blackhat bz> wrote:
This comes in handy when travelling, I also found a few places where ICMP tunnelling works well.
On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
Works mostly everywhere. It's apparently enough of a pain in the butt to deal with, and abused so infrequently, that
it's left alone.
On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <marshallwhittaker () gmail com> wrote:
I recently noticed that you can tunnel TCP through DNS (I used iodine) to penetrate Verizon Wireless' firewall. You
can connect, and if you can hold the connection long enough to make a DNS tunnel, then the connection stays up, then
use SSH -D to create a proxy server for your traffic. Bottom line is, you can use the internet without paying. I made a
video of it. It can be seen here: http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I tried to
contact Verizon on their security blog about it a few weeks ago at http://securityblog.verizonbusiness.com/ however, I
have not had a response. This technique still works as of this posting. Maybe this will help them get their act
together ;-)
--oxagast
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
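The policy suggested in the top reply (allow only A and CNAME for unauthenticated hosts, refuse the Nth query), sketched as an added example that is not part of the thread or any poster's code. The class name, return strings, client addresses and the budget of 50 are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict

ALLOWED_QTYPES = {1, 5}   # A and CNAME only; TXT (16), NULL (10) and the rest are refused
MAX_QUERIES = 50          # assumed budget: the 50th query from a client is refused

def build_query(name, qtype, txid=0x1234):
    """Build a DNS query packet (constructed sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype) of a single-question query; raise ValueError otherwise."""
    if len(packet) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(packet):
            raise ValueError("bad label")
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype

class UnauthDnsPolicy:
    """Per-client decision for hosts that have not authenticated yet."""
    def __init__(self, max_queries=MAX_QUERIES):
        self.max_queries = max_queries
        self.counts = defaultdict(int)

    def decide(self, client, packet):
        self.counts[client] += 1          # every packet counts against the budget
        if self.counts[client] >= self.max_queries:
            return "REFUSE:budget"
        try:
            _, qtype = parse_question(packet)
        except ValueError:
            return "REFUSE:malformed"
        return "ALLOW" if qtype in ALLOWED_QTYPES else "REFUSE:qtype"
```

The counter would be reset when the client authenticates; a real resolver would also need to expire entries for clients that never do.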