[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Verizon Wireless DNS Tunneling
- To: James Wright <jamfwright@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Verizon Wireless DNS Tunneling
- From: Dan Kaminsky <dan@xxxxxxxxxxx>
- Date: Fri, 7 Oct 2011 07:31:29 -0700
Yeah, the problem is the bad data doesn't flush after authentication. So
you try to go to Google, you're redirected to 10.0.0.1, you get
authenticated, but the browser still tries to go to 10.0.0.1. You try
handling those support calls. So instead most places give you real DNS, and
hijack at IP/TCP.
On Fri, Oct 7, 2011 at 7:26 AM, James Wright <jamfwright@xxxxxxxxx> wrote:
> Actually, yes, they could provide bad data. I believe (perhaps
> erroneously) that Comcast does this. Probably other service providers do
> too. Until you are authenticated to use their network you are redirected to
> a service page that can help authenticate you. If you have connectivity
> issues (like bad cached DNS entries) after authenticating you are to reboot
> (or otherwise clear the local DNS cache).
>
> I don't really see why Verizon could not do similar. All DNS traffic from
> an unauthenticated user/machine would be redirected to a DNS server that
> only returned the appropriate service page. Most or all other traffic would
> be blocked. Much like NAC.
>
>
> Thanks,
> James
>
>
>
> On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:
>
>> One major reason it sticks around is -- what are you supposed to do,
>> return bad data until the user is properly logged in? It might get cached
>> -- and while operating systems respect TTL, browsers most assuredly do not
>> ("well, it MIGHT take us somewhere good").
>>
>> It's not like there's a magic off switch that makes this go away.
>>
>> On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
>> marshallwhittaker@xxxxxxxxx> wrote:
>>
>>> Yes, I've found that DNS tunneling works well at the college I go to on
>>> their WIFI. I've never gotten ICMP tunneling to work myself (outside of a
>>> virtual machine), but I have some code laying around somewhere that can do
>>> it just in case I need it for something sometime. Just thought it would be
>>> interesting to some people that it works on such a large provider as
>>> Verizon. The only problem with it that I see is that it's quite slow. But
>>> if it works, so be it. Good for checking email and browsing the web and
>>> such on the road. But I wouldn't try to torrent a linux distro with it,
>>> haha.
>>>
>>> --oxagast
>>>
>>> On Fri, Oct 7, 2011 at 7:39 AM, BH <lists@xxxxxxxxxxx> wrote:
>>>
>>>> This comes in handy when travelling, I also found a few places where
>>>> ICMP tunnelling works well.
>>>>
>>>>
>>>> On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
>>>>
>>>> Works mostly everywhere. It's apparently enough of a pain in the butt
>>>> to deal with, and abused so infrequently, that it's left alone.
>>>>
>>>> On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
>>>> marshallwhittaker@xxxxxxxxx> wrote:
>>>>
>>>>> I recently noticed that you can tunnel TCP through DNS (I used iodine)
>>>>> to penetrate Verizon Wireless' firewall. You can connect, and if you can
>>>>> hold the connection long enough to make a DNS tunnel, then the connection
>>>>> stays up, then use SSH -D to create a proxy server for your traffic.
>>>>> Bottom
>>>>> line is, you can use the internet without paying. I made a video of it.
>>>>> It
>>>>> can be seen here:
>>>>> http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
>>>>> tried to contact Verizon on their security blog about it a few weeks ago
>>>>> at
>>>>> http://securityblog.verizonbusiness.com/ however, I have not had a
>>>>> response. This technique still works as of this posting. Maybe this will
>>>>> help them get their act together ;-)
>>>>>
>>>>> --oxagast
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/