On Wed, 2002-06-26 at 08:48, Dirk Koopman wrote:
> There seems to be a "tool" about, which is somehow able to
> detect valid rfc1918 addresses behind a NATed firewall and is spoofing
> from addresses using random (usually non-existent) addresses from the
> class C on the internet side of that firewall.

i read about a tool last summer that would do an icmp scan through a
firewall. i believe it sent icmp unreachable packets to the firewall
destined for common ip addresses (10.0.0.1, 192.168.1.1, 172.16.1.1).
the firewall would send another icmp unreachable packet back to the
machine if the unroutable ip address wasn't alive (or something like
that). once the intruder has a starting ip address, the rest is
elementary.

i remember this was around the same time xprobe was first announced
(xprobe == icmp remote os detection).

hth.

-jon

--
jonat_private || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
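
A detection check for the probing described in the message above, as an added example that is not part of the original post: it flags ICMP unreachable packets that arrive on the Internet-facing interface with an RFC 1918 destination. The interface name `eth0`, the key=value log layout and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges: never a valid destination on Internet-side traffic.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IF = "eth0"  # assumption: name of the Internet-facing interface

# Constructed sample lines (iptables-LOG-like key=value layout, not real logs).
SAMPLE_LOG = """\
Jun 26 08:41:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.1 PROTO=ICMP TYPE=3 CODE=1
Jun 26 08:41:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=ICMP TYPE=3 CODE=1
Jun 26 08:41:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.1.1 PROTO=ICMP TYPE=3 CODE=1
Jun 26 08:41:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
Jun 26 08:41:11 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=ICMP TYPE=3 CODE=3
Jun 26 08:41:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=172.32.0.1 PROTO=ICMP TYPE=3 CODE=1
Jun 26 08:41:20 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.999 PROTO=ICMP TYPE=3 CODE=1
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def is_rfc1918(addr):
    """True if addr parses as an IP address inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in RFC1918)


def find_private_probes(log_text, external_if=EXTERNAL_IF):
    """Map each source to the RFC 1918 destinations it sent ICMP
    unreachable (type 3) packets to via the external interface."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if (f.get("IN"), f.get("PROTO"), f.get("TYPE")) != (external_if, "ICMP", "3"):
            continue
        try:
            if is_rfc1918(f["DST"]):
                hits[f["SRC"]].add(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line: skip it
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_private_probes(SAMPLE_LOG).items():
        print(f"{src} probed private destinations: {', '.join(dsts)}")
```
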
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 10:53:39 PDT