On 20 Jul 2007 16:01:56 -0000, jasonisnow@gmail.com
<jasonisnow@gmail.com> wrote:
This is a long shot...
I have a situation where a user at a client is bypassing a proxy, changing his local routing table and internet browsing through a local modem, connected to a fax machine. Is there any way to to craft a packet to verify this is happening - stimulus/response type action? I've spoofed packets to see if he has his machine set up to auto-dial the modem when it sees traffic destined for a non-local subnet...
Going on when I worked at a uni - the default route was out towards
the Internet, so we'd see all sorts of random source addresses hitting
the firewall, especially 169.whatever, the ones that Windows picks
when it fails to DHCP.
If you sent an ICMP packet with spoofed source address[*] - outside
your network - you would expect it to go back towards the default
route. If someone is dialled out, or VPN'd out then you wouldn't
expect to see it again within your network.
If you own an external machine, spoof that as the source address -
then you can see if the reply does actually get to the machine, and
whether it's traversing your network or not.
Or have I missed the point?
cheers,
Jamie
[*] please don't use someone's actual address without permission!
--
Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
