Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ICMP spoofed source tunneling

from [Dave Paris] Network Security [Permanent Link]
Subject: Re: ICMP spoofed source tunneling
Date: Wed, 22 Sep 2004 15:24:02 -0400 
At the risk of possibly sinking my foot firmly into my mouth, it appears
that you've implemented an unimplemented feature of LOKI2 (circa 1997).
ref: http://www.phrack.org/show.php?p=51&a=6

If you look in the source at the link referenced, specifically the help() function, you'll find:

%s dest\t-  redirect to another client [ UNIMPLIMENTED ]\n",

Nifty none-the-less.

Kind Regards,
-dsp

Max Tulyev wrote:

ICMP spoofed source payload tunneling

I. ABSTRACT

Almost any device having IP stack with enabled ICMP can be used to be a tunnel redirector.

II. DESCRIPTION

Let's imagine in Net a hacker having his source server(S), destination
server(D), and a ip-capable device - victim(V). S sends to V spoofed ICMP
echo request packet containing IP source address of D, and the data in
Payload.

When V receiving that packet, it sends ICMP echo-reply packet to D, AND
FORWARDS TO D ALL DATA IN PAYLOAD!

Backward is the same.

I spent an only hour to write working exploit attaching this to Linux
tuntap
device...

III. ANALYSIS

Where it can be used?

1. Hacker have a victim traffic to that one cost lesser than to the World.
That way Victim will pay for traffic with other hacker's server.

2. Hacker have no access to the world at all, but have external server (D). For Victim can be used any neighbour device (I tried IP phone - it
works!) or even firewall or gateway! This can make a tunnel through a
server with completely disabled IP forwarding at all.

Very high probability of their attacks is in ISPs that gives a free access
to some networks (I know that situation exists in Ukraine - to UA Internet
Exchange access often is free and/or at higher speed, and in home Ethernet
networks almost all ISPs provides free access to their clients and local
resources).

IV. DETECTION
This can be detected by observing an anomally ICMP activity, and if you
have more than one network interfaces - by presence of spoofed packets
that can't be in certain interfaces. Or maybe by viewing your Internet
bill ;-)

V. WORKAROUND

Turning On reverse-path filtering and other antispoofed mechanisms. Limiting rates or even denying ICMP type 8 at all.







[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes, Barry Fitzgerald
Next by Date:  MDKSA-2004:100 - Updated mpg123 packages fix vulnerabilities, Mandrake Linux Security Team
Previous by Thread:  Re: ICMP spoofed source tunneling, sin
Next by Thread:  Re: ICMP spoofed source tunneling, raiblehugo
Indexes:  [Date] [Thread] [Top] [All Lists]