mailing list archives
Re: [PEN-TEST] IP Tunneling over DNS
From: BMM <bmm () MINDER NET>
Date: Mon, 11 Sep 2000 17:04:30 -0400
It would be less complicated and more comprimising to just do a "ssh -R"
to forward a port on an external host/port to local port 23. The traffic
coming back in through the tunnel would be nearly identical to a "normal"
ssh session, and the remote port could be vulnerable to probing by third
parties. One could also ppp over ssh of course, but this would most
likely require priviledged access to the local host.
On Mon, 11 Sep 2000, Dunker, Noah wrote:
I caught an employee at a customer site using his RedHat workstation to get
back in through the firewall. He was using "rtelnet", which is a cheesy tcl
(I kid you not) script that connects to a pre-determined IP address's
listening port (you listen on that machine with netcat. It tries every <nn>
seconds to connect to that port, and when it does, it asks for a passwd.
upon password matching, you can fee dthe firewalled internal machine
commands almost as if you were in a telnet session (anyone ever seen the
port-shell'd /bin/sh in inetd.conf? It works a lot like that.)...
The hard part is finding machines that are running programs such as this
one, because of the simple fact that they don't open a listening port.
Programs such as these must be found through passive means (I found the
suspicious machine while sniffing, messed with the router, and assumed the
IP of the machine it was trying to connect to, and discovered it that way.)
bmm () minder net 1024/8C7C4DE9
- Re: [PEN-TEST] IP Tunneling over DNS, (continued)