Slashdot Mirror
IP Tunneling Through Nameservers
But did you know that you can build up a fullfeatured and even bidirectional IP tunnel through Nameservers? Yes, that's right: "IP-over-DNS".
Using some toll free numbers which normally only allow outgoing packets to some few chosen servers, you can now surf the internet - completely and doing everything you could do with your normal, fullfeatured internet account. Microsoft has some of those restricted, toll free numbers.
The reason is: Most of these Microsoft PPP dialins allow you to use a Nameserver. And DNS lookups are just another kind of communication between a server and a client - the client asking for information to the nameserver known to him, the server which has been asked forwards the information to another nameserver or directly to the nameserver responsible for the asked information, and the now contacted server answering through the same path back.
That still sounds very useless for tunneling, but think about encapsulating the IP packets into nameserver requests, and the answer contains the traffic of the other direction. The request would look something like a hostname lookup to "KJhjh33.dd_2sT-XXT.dAAoi_f.mydnstunnel.org" (you see, the traffic is being encoded to represent legal hostnames), the answer contains the payload in a TXT record. That way you can build a fully functional IP tunnel.
You just need a client and a fake nameserver - making up the two communication endpoints.
It was tricky - the DNS protocol seems a little bit chaotic and it only allows packets of 512 bytes - so you have to fragment. And it uses UDP and not TCP - so you have to implement some mechanisms to ensure that the fragments are reassembled correctly (you see, you basically need a protocol which reimplements some features of IP and TCP). Additionally, the client can "contact" the fake nameserver everytime it wants to send traffic out - but the server is only able to answer, never to send on it's own. So you need some polling, if you want it really bidirectional.
We called the protocol used to achieve all this the "NSTX Protocol", meaning "Nameserver Transfer Protocol". The uglyness of the DNS protocol (just look at the headers: no alignment and no padding!) and the fact that we tried to use it in a way it really never was designed for (after all, remember that DNS is more like a phonebook than a communication facility) didn't make the design and implementation of NSTX easier at all.
But finally, we've done it. And with a toll-free Microsoft PPP dialin number in Germany (which of course only allows the download of some patches etc.) it worked - surprisingly stable and not even slow.
Think about it - many companies have "closed" networks which also don't allow outbound connections, but they have a nameserver in the same network that can resolve any hostname out there. That way you could also use the tunnel to establish a bidirectional communication path between the secured network and the outside world, where it wouldn't have been possible.
For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of, just take a look at http://nstx.dereference.de where you can find the full source code. It implements a client and a fake nameserver for both tunnel endpoints of an "IP-over-DNS"-tunnel. Both use the Linux Ethertap device for giving you a tunnel network interface. The server is a fake nameserver fully compliant to the DNS specifications and the client issues the requests, also using intelligent timing mechanisms for polling queued traffic from the server.
Maybe security managers in companies should look if they have nameservers in places where they better shouldn't have.
And maybe you also like the idea of using the internet using a toll free Microsoft dialin number, completely at no charge."
Maybe someone outta extend this and write a napster client that'll use DNS ... so it can get around napster blocks ... tho i guess it mite be a bit slow ... and you could really only use it for getting mp3s ... it still would be awesome.
/* Lobster Stick To Magnet!*/
Because it translates websites you could tell it to translate your favorite porn site. Then you'd be able to see porn even with the porn-blocker in place.
Yeah, well Microsoft only provides these free numbers for people to download updates, so they only need to contact Microsoft's servers. So there's no reason why their DNS would need to forward requests, or even be connected to the Internet.
I have a positive modifier on Troll. When I mod someone Troll their karma should go UP!
Additionally, you can tunnel a response by the binary encoded "yes/no" response - one bit at a time.
Perhaps you could squeeze more bits into the datastream by timing the delay in response.
Shit. Forgot a "yes" response will actually cost you money. But encoding your data into the response delay would still work.
OR - You could place a collect call back in reverse! I suppose you don't need a payphone to do this.
hahahaha. How cheap can you get?
Huh? What are you worried about? How would you get in trouble for running a piracy site that allows downloading from a server you own? If anything, people actually downloading warez and accessing the latest child-Pr0n on your server might get in trouble, but I don't see how you would.
- Steeltoe
http://www.debunkingskeptics.com/
The Email Bounce File System (EBFS)
It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.
Nice idea... but Microsoft doesn't bounce mail; if the email address doesn't exist, it just gets swallowed.
Simon
Coming soon - pyrogyra
There are situations like this anywhere...
For instance Inland Revenue (UK version of IRS) billed me £2.00 I paid by cheque happily knowing that it would cost them around £100 to process it....
Big companies and organisations are dumb. Basically this is because these days the computers run the humans.
The computers says: "we are owed £0.02, collect. Expense is irrelevant"
The operator says "Hm, more than my jobsworth to refuse to do that."
Sad really.
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
You still need to register a domain name (in this case, mydnstunnel.org), and you need a DNS server with a permanent connection.
These things cost money.
Hands in my pocket
It's a Hack, in the classical sense. Of course it's a good thing.
Now that's REALLY good.
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
But I managed to IP tunnel through spam. Seriously. You rely on a the laws of probability to ensure that a few people reply to the "remove me" link and inadvertently transfer data embedded in the message.
Clueless newbies on AOL become the wiring in your very own highly obfuscated communication link. Kind of interesting from a philosophical viewpoint - people literally becoming part of the machine.
Not very good ping times though....
That one didn't work for me exactly. It needed a little something in the while loop. After I added '' it worked great... here's my rendition:
:)
dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d
Neat way of distributing, I must say.
dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(<>){print pack("H32",$_)}' | gzip -d
And now I see why it didn't come out right... ok, this one works (the '< and >' were being interpreted as HTML tags).
You're not making any sense... /. targets geeks and hackers mostly. If your dream is to develop enterprise web software on a Microsoft IIS/NT system, this is not the place for you.
It sounds to me like you're one of them programmers who went to school just to have a well-paying job. Let me ask you this: Do you have an Ethernet network in your house hooked up to the internet via DSL? Do you spend hours late at night reading source code to figure out how the heck a program works? Do you end up spending money on gizmos you dont really need just to take them apart and see how they work? Do you get a rush out of something you achieve and know it hasn't been done before? That's what hackers are all about. i believe that
Again, no hard feelings, but I think your frustration comes from not fitting in.
--------------
--------------
$_='hfflbwfsbhfzp vs';s/(^.{4})(.{7 })(.+$)/$3 $2 $1/
The company I work for recently started charging $0.25 for soda and juice. I laugh everytime I get one because with the fairly long walk to the machine, I get paid about $4.00 to get myself a refreshment. And now I have to go six times as often since I can't conveniently grab a six pack anymore. You gotta love people for the same reason you gotta love fish. Because they're stupid.
"they beam this information everywhere, all through the fucking air. You just gotta know how to grab it. Just got to know how to grab it." --Heat
I have a positive modifier on Troll. When I mod someone Troll their karma should go UP!
A slashdot semi-hidden-sid tunnel! It could easily be anonymous, and it could be encrypted too -- pretty neat, huh? The only problem is that you could only send one message every 70 seconds. But if you had a class C if IP addresses available you might be able to post faster.
--
The shareholder is always right.
Well, it could be useful while travelling if you have a high-bandwidth computer at home. And anyway, who wouldn't give up 97% of their bandwidth just to use up Microsoft's resources?
--
The shareholder is always right.
This sounds like a cool hack but
If you dial in from here in the united states the number the call was placed from will be loged.
Some fool will be dialing in from home, and the next thing that happens will be the man knocken on the door
Who owns your data?
Maybe Microsoft can bill the DNS server for the service.
You may have missed the Pigeon Tunnel as shown in RFC 2549.
Link Here.
See that "Preview" button?
"Knight Rider" LED mode on a DEC terminal keyboard - prolonged execution tended to lockup the workstation
IP over ICMP tunnel - done as a joke. You think IP over DNS is wicked...
TCP connection flash start hack - instantly steal the connection from any other machine on the same network.
NFS mass mounter - I actually locked up an AFS server with that one. (It's their own fault for using the AFS to NFS translator. Even Transarc runs when those words are spoken.)
SCSI-IP - Yes, that's actually doable.
dir-crusher - *grin* interesting utility to make huge directories. Eat someone's entire disk quota with a single empty directory. (That one almost killed an AFS server too.)
And my personal fav...
"NO CARRIER" ping - *evil grin* properly phrased ICMP echo packet with "+++ATH0" in it so the echo reply would hang up the user's modem. That doesn't work anymore -- modem speeds are too fast and most modems have a guard time. :-) And yes, those work at any speed and can lockup both user and ISP modems.)
(It's too bad I didn't know the SDL flash start codes for USR modems then
was that after the food service company or the software company?
That's not a "tunnel" per se. It's a protocol: Clay Tablet by Carrier Pigeon. Too bad they are an endangered species -- too many lost tablets I guess. *grin*
If you've never wasted time on a technical project solely because you wanted to see if you could do it, then you probably aren't that good of a geek anyway. I think most geeks have done some ludicrously unproductive things solely as mental exercises or even just as jokes. Who cares? If you want them to be productive then start a company and hire them. Until then, no, you're not their manager.
----------------------------
I did this as a joke years ago... old firewalls used to let ICMP traffic through unchecked. I might still have the changes to Linux *cough*1.0*cough* to do this.
search for http tunnel on freshmeat, can't be to hard...
This reminds me of the NCSU Telecommunications Office billing be for $0.00 - yes, -zero-. I threw it in the trash thinking nothing about writing them a check for $0.00. One week later I got a past due, pay this or we cut off your phone, bill again. I walked over to the Telecom office and wrote the b****es a check for $0.00. They never sent me another bill. Ever.
s/to/too/
... with the same law they used to get Morris (author of the internet worm) and the virus writers. (Sorry, I don't recall the name of it at the moment.)
Unauthorized use of somebody else's computer resources, at least in the United States, is a federal felony. It has nasty penalties.
DNS servers are provided to perform DNS lookups. Using them as an IP tunnel is obviously far beyond their authorized use. It should be trivial to convince a jury that the conditions of the law are met.
And the law was in place and tested in court long before the DCMA was a gleam in the software industry's eye.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I've got a thought to bounce off of all of you:
Lots of small business use the DNS from an ISP, etc. I know some of the ones in my area and people i've consulted for that have their own router in their office, use private ip addresses (192.168.x.x, etc) but an outside DNS server. Most DNS servers can be reached from the public network, so what would stop someone from sending a request for a private network IP to the DNS server in question?
For example, lets say there's a server on 192.168.1.1 in some guy's office. The router is set up to possibly masqurade, but allow a full connection to the ISP's DNS from the local server. Now using this concept, you could send a packet into the DNS requesting 192.168.1.1. The DNS server (i believe) will send it straight into the private network.
By my logic, you can basically make a VPN though anyone's private DNS.
--Justin
That sounds just like Linux so of course it's a slashdot story
Maybe you live in interesting times
The DNS (which is over UDP) is only transmitting IP packets, and it doesn't matter if some get lost. But in those IP packets (that are going over DNSUDPIP), there are tcp headers. And they give the computers on both ends the chance to make the transmission reliable. So the original poster is right, it doesn't have to be reliable...
I do the exact same thing. This is why I will always advocate ISDN: access to Q931 signalling data is heavenly. (No phone rings and no one is billed because the SETUP message is refused.)
I also like being able to tell people they have the wrong number (by name) when they call. I do a reverse lookup on the number or refuse everything that doesn't have a number. That freaks people out.
It's free because the person doing it doesn't have to pay for it. Someone will have to pay for it, but as long as it's not us, who cares?! We all deserve free internet access, especially at the expense of Microsoft. It's perfect! <sarcasm off>
--- Where's my X.400 protocol decoder?
"Because we can" exercises are often valuable. Science is largely dependent on them. You never know what will turn out to be useful.
This could represent a serious security hole, given a little thought. It's worth knowing about simply for that.
I don't think that is nearly as true as it used to be. From what I can tell, not many people look to SlashDot any more for useful technical information (I know I don't). If there were more articles like this, the slide might be halted.
The original poster is probably talking about firewall administrators who have noticed more DNS traffic through their firewalls than normal - hence someone may be using this technique.
This does illustrate the need for trend-based traffic monitoring (a la Concord) and even security-driven bandwidth restrictions - e.g. only allow your DNS traffic to increase by 50% in one day, or some such heuristic. These wouldn't necessarily stop such a covert tunnel but they would make it easier to find one, and slower to use one, giving the security admins more time to trace what is happening.
Nice hack, sadly most newer netscapes won't allow access to port 79 :-(.
Remember those tee shirts that said "IP over everything!" Those rocked. Anyone know where I can get one now?
Execute? [Y/N] _
DNS service has always been a fairly open, cooperative system; one envisions broad swathes of net unwilling to DNS serve strangers, in reaction to a percieved expoit.
Like most good science these days, it's a beautiful idea and praxis - and has implications far beyond the original application...some exciting, glorious...some dark and forboding...
heh. heh.
That may explaine some recent things I have heard of. I know of at least 3 networks who have seen higher than normal loads on their DNS servers.
It may not be up to playing quake but for playing a MUD, or getting e-mail it would be great.
Perhaps someone working for aol/compuserve can sneak it on their promo cd's
In no time every single person on the whole planet will have at least ten copies for free.
- Ololiuhqui
redheaded giant
Fuck Slashdot
Sounds exactly like the IP equivalent of declining a collect call from "Itsaboy Eightpounds".
What the f[s]ck is pornographic about foreign language translations?!!??!
I believe the reasoning is that you could use the "Translate Web Page" option on BabelFish to translate a porno site's page. Then, since the URL of the page you load comes from babelfish.altavista.com and not blockedpornsite.com, it gets past the filter proxy. What you get back is a page with a bunch of porno pics and some translated text, without setting off the filter proxy.
So, I'm sure that's the suits' reasoning behind it. Of course, it's completely stupid, since there is a huge legitimate use for BabelFish (actually translating pages or text!). I don't agree with this decision at all, but I'm 99% sure it's why they chose to do so.
BTW, good luck trying to convince them to remove CyberPatrol or, even better, get CyberPatrol to deblacklist BabelFish. But just think of all the warm fuzzies you'll have knowing that your inability to translate foreign languages is Protecting The Children (TM).
--
--
The real Captain Derivative has a Slashdot ID.
It's ok to get around a little security in order to get more work done
One great example of this is in a paranoid school or company that firewalls outgoing traffic. They allow telnet, but not SSH. My home machine only accepts SSH. (for obvious reasons) A little tunneling, and presto, I can secure shell to my home computer.
Especially nifty is using http tunnel to establish a secure shell then using the secure shell to tunnel other protocols with encryption
-- 2 + 2 = 5, for very large values of 2
Couldn't you hack out a pseudo-driver to pull tcp emulation over the udp connection , i.e. encapsulating the pseudo-driver's tcp request and shooting it through the program sending the udp datagrams and providing some error control. Then just make sure that both sides have regular querying so it goes both way's? That way almost all programs out there could use it, albiet slow and you may have to play around with some timeout values but it should work. Maybe call it the fums0 pseudo device?
Oh. Thanks, hadn't thought of it like that.
Still doesn't make it right -- we need to translate. We have several Russians at our main site, and we also have locations around the world.
The point of having Internet access shouldn't be what not to use. I don't use my work phone to call 900 numbers; I don't need to be told not to.
If an employee is wasting company time looking at porn, blocking his access isn't going to improve his performance. You have an individual problem -- a problem that his manager should have the balls and training to deal with.
When management gets weak, they start putting the thumbscrews to the employees.
"Praise in public, punish in private." Words to live by. Also "Don't punish the group." Break either of those rules and you're not a good manager.
OK, I'm done bitching but typing the above has given my brain time to react. So here's my idea: Babelfish should have a "http://babelfish.altavista.com/cyberpatrol" area (and ".../netnanny", etc.), which has that software's settings in it. Then companies could open their firewall to that subtree of BabelFish, so their employees could translate without masturbating.
Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.
You have to turn political to get anything done.
--
I feel fantastic, and I'm still alive.
Apparently the number six translates into a questionable word in some languages. I must be protected from offensve numbers as a voter.
--- http://foo.ca
The reason? Why do you need a reason to play around with stuff like this? It's their time, they can do what they want with it.
It's Cool Shit. I thought it was interesting. There's gotta be a couple hundred other people who thought the same.I think that makes it postworthy.
*shrug* There's nothing quite like programming for yourself to take the strain off your mind when you've been working for weeks on another project. I'm not sure how you'd get e's memory footprint small enough, but... It'd be cool.bounce port 443 to 22, use ssh-tunnel.pl (http://www.squirrel.com/squirrel/ssh-tunnel.pl)
why bother messing about with your transport when most web proxies hand you a circuit-level gateway for free? all you need is the perl script to negotiate with the proxy and hand your SSH client the connection. then forward, say, SOCKS traffic over the SSH link, or whatever.
even more fun, of course, is inbound port forwarding -- leave WinVNC running on your workstation and connect into it from anywhere in the world as if there wasn't a firewall.
most web proxies use a 2 or so minute timeout on inactive SSL connections, so forward X11 and put a proper clock on your corporate desktop.
why hasn't anyone noticed this yet?
It doesn't really do a good job of being a proxy as it only translates text. Anonymizer does a better job IMHO.
No. He's 'tunnelling' IP through DNS.
As the IP tunnel contains both tcp, udp, and whatever else they want, then there is no reason to add your own sequencing; you are using TCP within the tunnel; and tcp will deal with any packet loss occurring at a lower layer (DNS/UDP) within the tunnel.
What you end up with is ip(udp(dns(IP(TCP)))).
lower-case indicates public protocols. upper case indicates tunnel contents.
So dns is effectively acting as layer 2 as far as the encapsulated IP is concerned. So packet loss at DNS is not relevant, it would be seen as no different than packet loss due to ethernet or any other lower layer protocol.
If you can speak german, you should buy the c't.
Unfortunately the article is not online.
There are only 10 types of people in the world: Those who understand binary and those who don't.
So use another translator site, like translator.go.com instead!
--
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah
That's nothing. There is a certain modem manufacturer (I will not name) that used to allow total Internet access through their test line, no fancy DNS hack required. Of course they didn't advertise that fact. I was connected to it and tried typing in a regular URL into the browser, and whaddya know--it worked. The test line remained active for at least several months, and may still be active for all I know. It was never terribly difficult to connect to it, so it was presumeably not abused. I offer that as living proof that security through obscurity is at least marginally effective.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
not exactly IP, but still damn cool:
http://sunsite.auc.dk/RFC/rfc/rfc1217.html
So I thought to put one and only one HTML page into my .plan file. And access it with a funky URL: http://hostname.tld:79/\ userid</I>
Alas, it doesn't work if your finger performs an identd lookup (like on my Debian system). It also only works if your web browser passes the space through unaltered; my Mozilla replaces it with %20. But a neat trick, nonetheless.
But for clandestine web servers... in most cases you need go no further than good ol' gopher, commonly known as the Web that Didn't Make It. All web browsers I've seen today support the gopher protocol; hardly anybody knows about it so your cable provider's HTTP-server detectors won't pick it up; it only supports plain text and menus, but hey, in most cases that's a bonus. Support your local gopher!
This is a pretty worthless idea. It relies on you having control of a machine which is capable of serving ns requests. Instead of hacking a ns daemon to do the dirty work the far more obvious and workable approach is to have some other daemon listening on port 53 at the remote end.
Any filtering being done will either be on the dialup box (Ascend TNT, Bay 5399, etc) or on the router it hangs off (Cisco 2500, 7200, Bay^Wno one uses bay routers, whatever other vendor). The filters in these things will recognise port and type (udp/tcp), they cannot recognise the application protocols encapsulated within the packets.
If 53/tcp is allowed through the filters you're set - sshd on the remote end listening on port 53 and you can happily run pppd through a secure session. (or telnet instead of ssh if you wished)
If it's not, then find/make something that will use udp port 53. This is pretty much the same in effect, difference being you're implementing tcp-like reliability within your application.
Either way, it's better than dealing with the overhead of dns.
I say I ain't giving you no tree fiddy you goddamned Loch Ness monster, get yo own goddamned money!
Just like we all deserve free phone service and free cable access.
You can get free Internet access now without stealing it. It may not be as fast, nice, or convenient as paid for Internet access, but sometimes in life, to get something of higher quality, you may have to pay a little more. (My apologies for sounding like a troll)
Not really a faq, but httptunnel [it's on nocrew.org somewhere] does wonders through my university's CS labs proxy. Our web access is restricted [no non-.nz sites], and as I've got a cable modem with static IP at home, more recently I've been reading slashdot from there via HTTP over SSH over HTTP :)
Note that you really do need that SSH in there to do port forwarding, because httptunnel will only allow one connection at a time.
--
Pretend that something especially witty is here. Thanks.
I would think if you travel a lot, you or your company would have enough money to pay for a National/International ISP and not a hackish workaround. Regardless of the "cool factor" or using DNS.
Well, umm, for one thing, now that it's been posted on slashdot, every corporate security manager will quickly hear about this and start analyzing dns requests. It doesn't take a genious to figure out that a person who is making 5000 dns queries _per_second_ is using this tunnel. And as soon as they saw someone using such a tunnel that person would most likely be escorted out the door by Bob and Joe the "friendly", bored security gaurds. ;-)
Translation: How fast do I want to be fired?
I feel much the same about the "thing" they did. First of all many networks use proxies, second, external DNS queries could be blocked, filtered or even cleand. And third, most IDS tools could be configured to be triggerd in the event such non-dns content is found in a packet from x -> 53.
This really is not suggested to anybody who likes his job.
It's funny, and a real nice DNS trick, but I don't see the issue here.
42 cows on a 42km road on their way to 42.org
Other interesting concepts in IP transport can be found in RFC's 1216, 1217, 1926, and others.
Unfortunately, this seems like (almost) as bad of an idea - and it seems like this might just be for real.
Hey, I completely agree; the same arguments apply in the home, too. (manager->parent; employee->child)
;)
...and when it comes to analyzing, identifying and parsing images, well, a 5-year-old does a better job of that, still.
There are a couple of other solutions, too. If you actually filter incoming *content*, then you can block what actually gets to the user; this could be done by having a proxy/firewall for the business, and only allowing web access to that. (unless you implement, say, a DNS/HTTP tunnel, or something equally ludicrous.
The problem with that is, content filtering doesn't work very well. Often, people can't correctly identify or distinguish offensive material from art or literature, or have differing opinions, ("Huckleberry Finn", for example; I say it is literature, and relatively accurate period historical fiction; other people obviously don't know enough about the period...) so you really can't expect a computerized regexp parser to be even *that* good.
Therefore, we've already shown that filtering by URL often doesn't work, and accurate content filtering is pretty much impossible with today's technology, so it's gonna be unfair, and it's not the answer.
However, I believe you can buy software like babelfish from SYSTRAN, so suggest that to your boss instead. Heck, it'd probably be quicker to do it locally, and more full-featured as well.
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
Spoof the source address of an outgoing ICMP packet, so that the firewall sends the reply to an external host, which then interprets the ICMP packet, and sends the reply in the same way. I know this wouldn't quite work as is, but with some effort, I'm sure somebody can find a feasible way to do it....
Just imagine... a sequence of ACK and NAK packets representing the bitstream of an incoming file from a blocked external host... Mmmmmm :-)
---
mikre he sophia he tou Mikrosophou.
Actually, adding your own sequencing should not be necessary, as mentioned here. You do not need to guarantee delivery; tcp will take care of that.
All you need is a somewhat reliable packet delivery system.
Well, if someone sets up a DNS server somewhere with a static IP and runs this NSTX protocol on it, and gives out its IP, then anyone an access the internet through PPP dialups anywhere. No one said the server running the tunnelling protocol has to be YOUR server.
Spyky
- Is there any useful, mainstream purpose to this or reason for taking the time to develop it? Or was it solely a "because we/I
can" exercise?
- Is this really primary Slashdot story material? Like much of what is hacked out there, it strikes me as a minor (albiet clever),
nearly useless end product with an extremely limited audience that might use it.
- Are there not a plethora of interesting, meaningful software projects out there that could use the talents of folks like this?
Is it just a matter of hooking the two parties together somehow (clearly an entire Slashdot topic in and of itself, I realize)?
- Will the developers' next accomplishment (making Slashot headlines?) include something similarly as earthshaking, novel,
and absurd as "Enlightenment on a Palm III!"
Slashdot clearly has a reader base of engineers, programmers, et. al., that is arguably part of the very top few percent of developers and professionals out there in terms of technical knowledge, talents, and abilities. But dammit, folks, sometimes you ought to ask yourselves "Should I spend my energies and time on this?" before too quickly (and I realize we're all guilty of this at times) diving into the Sea Of Details known as how.Andy
i agree, and i hope that happens...
;) this is a great tool for l337 hAX0rs to hide their logins once they r00t a box somewhere behind a firewall... people SHOULD log dns requests though...
anyone using it from the inside is nutz, thats what cd-r disks are for
one thing i have noticed (and i install firewalls for a living, i would know) is that a LOT of companies with firewalls, dont even really look at their logs... its kind of sad... too many people have the mentality 'the firewall will stop them'
Cybie! aka Ralph Bonnell
The source is there. Just read the whole article. nstx.tar.gz
-- If windows is the solution, can we please have the problem back?
Interesting...
Hey Slushdot. I like your style, you write well. I completely stole and abused a quote from you and put it on my site.
It keeps me from having to finish what I started. I'm so f**king lazy.
I did credit you though... but then again you still may sue me.
Interesting finger hack though. Sometimes you just have to accept the obvious or less than obvious dead trout to the forehead.
Later
My Public Key can be found in a fake rock by my front door.
Speaking of the number six, just thought I'd mention that Patrick McGoohan will be doing a "Prisoner" Simpsons episode this season.
Mark Edwards
Proof of Sanity Forged Upon Request
You`re forgetting one thing. You the clean and legitimate user, are forced to hack and crack into resources that you don`t own. This is called computercrime in most countries.
Don`t get me wrong about this, I hate the senseless legal nametagging that`s currently going on as much as the next guy, and I`m all for positive chaos which is what IP really stands for. I`d just hate to see FBI vans messing up the front yard every now and then because it`s supposed to help big companies improve on security when I`m hacking into corporate servers.
You do have a point, but juridical systems suck, too. Probably harder even.
With great power comes great electricity bills.
"For everyone who likes to play around with this new kind of tunnel that probably only few persons have ever thought of"
Please read any firewall-piercing-FAQ. I've personally seen a secure shell implemented over DNS queries in 1996 and it wasn't anything even then.
I joined two users too late.
try running this: :)
dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(){print pack("H32",$_)}' | gzip -d
Enjoy css_descramble.c
Far from it, hun. Babelfish only translates the text. It does not translate the IMG tags other than to modify the source, so that the source still comes from the original site. Try to translate a porn site and "view image" on any of the graphics. Look at the URL for the graphic.
So while your pornographic novel might be translated to French for you, the actual image is blocked by your local Net Nanny.
I think the REAL reason Babelfish is blocked, is because it allows you to read all the foreign "dangerous opinions" that you're not supposed to know about. I mean... what would Americans do if they found out that Europeans have more vacation time than they do?
Who Wants To Date A Norwegian?
Take a look at this page. You'll see what has to be done to get a secure and free internet connection. Now imagine adding this DNS hack to the arsenel. Until the shortminded people monitoring you catch on, you don't have to worry about losing the open port you've been using and can spend more time covering your tracks and communicating your ideas to the free world (or downloading hot Arabian pr0n).
So it does have a use. And it is a nift hack.
Bleh!
if you really want, i guess you can setup a cache box at home, to load babelfish the same way it loads foreign pages, so you can then have it load porn err i mean translations for you.
I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?
Huh? What are you worried about? How would you get in trouble for running a DNS that allows tunneling on a server you own? If anything, people actually calling Microsoft PPP lines and accessing the Internet through your server might get in trouble, but I don't see how you would.
Forget about free dial-up access, this has other wonderful uses, such as bypassing corporate firewalls.
If you're on an internal network, no matter how protected it may be by firewalls, routers, etc., as long as you can make DNS queries to public systems, you can tunnel out. Combine this with ssh and you've got yet another way for internal data to untraceable escape your network.
I can imagine lots of network managers getting a headache after reading this and rushing to review their firewall rules.
The next step would be to see how this might work through an intermediary DNS server in cases where you can only access an internal name server which is the only system allowed to query external nameservers. Might need a ttl of 0 though, don't know if that would be respected.
How about this one, . read your email from a submarine. The link that led me to that one (which I've now lost) I think called it PPPoH2O.
I haven't seen any "user licenses" for DNS servers stating that you may not tunel traffic through them.. At the most they might block your IP# or network, but that should be about it..
--
"No se rinde el gallo rojo, sólo cuando ya está muerto."
$HOME is where the
-- silver_p
Yes, the url of the page comes from babelfish, which should get past the proxy. But the images themselves come directly from the blockedpornsite.com and won't make it past the filter.
Well you can now freely look at Natty pr0n and not get caught? Is that what youre telling me here?
dns uses both UDP & TCP, depending on the scenario
Where do you work? Just curious...
These did not only to get a free ride. Also there is the hack value of this. Next I would like to see IP over FTP.
You crack some elses machine, install it on there.
I'm sure there are thousands of clueless linux users out there who have the requirements for a suitable host,
1) fast, always on internet access
2) rant about how secure linux is and have a box an eight year old could get root on
btw I like linux, but for security, go openBSD.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Tell your boss, since the filtering software blocks a once-useful productivity tool, he/she needs to spend a small fortune in translation software to enable you and your co-workers to do their jobs. Perhaps the prospect of having to actually spend some money may make them reconsider such strict blocking policies. :-)
-------------------------------------------
I like nonsense, it wakes up the brain cells.
-- Dr. Seuss
Neat! Seems like anyone could keep their own current discussion on /. using this. just set the sid= to whatever you want and tell your friends to go there. There's even a current void of random posts on the plain comments.pl
Maybe someone will have a L337 Haxxor warez list/post using a hidden slashdot sid... lol
Even better, they could create "http://babelfish.altavista.com/microsoft", for example, to have a portal with Microsoft Human Resources-blessed NetNanny/CyberPatrol settings. And only that subtree would be accessible to Microsoft employees through the Microsoft firewall.
Microsoft's an odd choice for that example. They're actually one of the more enlightened employers out there.
Microsoft only screws its customers, it treats employees quite well.
Pity the 3 main campuses are in the middle of nowhere.
--Shoeboy
--
Hey people, this is still FRAUD if you're using a number of a service for which you don't have an account. Even if it can be devised technically, it doesn't make it legal or ethical.
Beware of the 'Just because I can'.
I see that many people start talking about corporate firwalls... I have a great firewall: US. I'm travelling there and I can not find suitable FREE ISP access. This hack might change it :]
mmm free internet access from microsoft... guess we don't need MSN anymore :)
i wonder when people will start distributing this hack by mass-mailing CDs to every home in the country.
Congratulations, guys, I always appreciate a good hack, and making an IP tunnel over dns is something I'd never even have thought of. Keep up the good work.
--
--
grep "xercist"
I install firewalls for a living ;)
(click on 'resume' on my web site for all the explicit details ;)
Cybie! aka Ralph Bonnell
There was this little item in Bugtraq that I stumbled across while trying to hit thier site (doing a Google search for "DNS tunnel")- seems someone previously did a demo of this exploit with the intents of putting in Phrack, deciding to put it up in Bugtraq instead.
Look here for the info in question.
Letsee now...
HTTP Tunnel.
Mail Tunnel.
Now, DNS Tunnel.
Wonder what wonders they'll come up with next.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Of course this is slashdot material. Slashdot supports little interesting projects. Half the point of doing some stuff like this is "just because I can"; so don't whine about it. Why does it seem like EVERYone (or a large subset of everyone) is now questioning "should this be /. material" for half the stories that get posted?!
Not hardly. ISPs an support several hundred simultaenous dialup users with only a T1. All the traffic is bursty, so no one's using all 33.6 (or even 53K) of their connection at the same time.
Also, the majority of Quake (and so I assume other online FPS's) traffic is upstream, not down. That T1 is syncronous, so there's plenty of upstream bandwidth available. I run MRTG on my home network, and I've seen it when I play Quake.
This also means that a 56K modem doesn't help Quake games at all, since you're still only uploading at 33.6. V.92 will help that however.
And another thing, what does your post have to do with your actual title?
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
I'd may for microsoft for suffer, but I guess now, I don't have to.
Someone ever tries to kill you, you try to kill them right back!
This isn't about the "freeness" of it ... it is an excellent illustration that "information is information", and that any one type of information can be disguised as another type of information.
Only the server side of the tunnel runs a fake nameserver. (actually, it's a real nameserver, otherwise the request will be never get to foobar.com.)
The client side runs a hacked resolver. This doesn't require a static IP.
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
http://hostname.tld:79/\ userid
Note the space preceeding the userid.
Totally wrong protocol to send to finger yet it worked. The HTTP protocol sends a "GET / userid HTTP/1.0" to the finger daemon. Luckily fingerd supports multiple userid lookups at the same time. Naturally 'GET' and '/' and 'HTTP/1.0'resolve to invalid users, but userid retrieves the .plan file!
Since HTTP ignores stuff preceding the <HTML> tag, my web page rendered correctly! From a system where such things were prohibited! Woo hoo! In your face Woods (the sysadmin back then)! Of course, few people cared back then as the web was a whacked far out academic project. Gopher was the big thing back then. Blargh.
right...
This opens up a LOT of posibilities... Most companies do not log DNS queries, at all... NSTX along with SSH are almost a guarenteed way to hide traffic going in and out of a firewall in most companies...
;) yyesss!
Also, as far as i know, most firewalls that implement stateful inspection, do not support statefully inspecting DNS queries... (im going to have some fun with this little program
Cybie! aka Ralph Bonnell
I think I've seen this mentioned somewhere in Phrack while I was doing searches on something else. Nobody, however, has bothered to "officially" implement this sort of tunnel (but with Ethertaps and PPP tunneling, I'm surprised that someone hasn't...)
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I've posted it once before on slashdot, but what the hell.
The Email Bounce File System (EBFS)
It works like this: You break data up into 100k packets and send them to integrity@microsoft.com. You then have a program waiting for the bounces which picks them up when they come back (the bounced packets) and sends immediately sends them on again. Sure - the latency isn't wonderful, but it's infinitete bandwidth! And it even supports Raid-5.
Somebody once mentioned to me that this wouldn't work on some systems, that mail gets cached somewheree on the way, but the point is, it's not on my hardware, so why should I care?
Right?
Right?
Believe with me, my saplings.
If I really wanted to, I could just stop allowing dns queries for external hosts. Then internal users can only query for internal hosts, e.g. xxx.mydomain.com
It won't break anything. Things will still work - http, ftp, smtp. Because they are all via proxies. The proxies do the work.
Right now I just allow it for convenience.
The viable way to tunnel through this is via http or ftp, however if username-password authentication is required (like it is here), such abuse is unlikely.
In fact with the username-password system, you don't really need to bother filtering out sites, you just warn the relevant users if they're going too far - e.g. if warez/mp3 sites keep popping up in the logs and the pipe is congested, and the bosses start to notice and ask questions...
Cheerio,
Link.
So, you can use this 31337 Xploit to gain free Internet access... assuming you're already paying for a static IP, and you just happen to know a telephone number that lets anybody in the world log in and use their DNS. Uhm. Yeah.
I guess this is cool just for the sheer niftiness of running data through DNS; I'm sure this will soon be implemented as yet another steganographic protocol, but this isn't too useful, even for ripping off Microsoft.
When I moderate, I only use "-1, Overrated". That way, I never get meta-moderated!
But it would be useful if you had one of these set up, since then you could use it for your own "free internet access" in other cities if you travelled a lot.
Also, there is another useful application of this: If you set up the target location of one of these in another country, one that doesn't cooperate with foreign authorities in tracking people down, you could have a way to communicate with the rest of the world in an (almost) untracable way.
For example, Mr. A and Mr. B are planning a revolution in a totalitarian state. It's too dangerous for them to use standard internet access, since it can be traced right back to them.
Instead, they get one of these DNS tunnels set up in some country that has no ties (or, even better, animosity) with their current country.
Then Mr. A and Mr. B can call up toll free numbers in various countries and transfer email back and forth in untracable ways to organize the revolution.
I've heard of IP over uucp email, but this is really, really clever. Only, if you were running the server side of things, presumably, you could be traced. So, you would NOT want to use a server you owned. Who would set these up? Or does one rely on being able to compromise some host where the root password is "secret"?
Don't get me wrong, I am all for maximizing the available anonymity of the net, but we really need a hack that has the same effect, but which uses a standard server.
All in all, I'll buy the person who though of this a beer any time he or she is in town...
Dog is my co-pilot.
Sometimes the current legal climate, re DeCSS, the CueCat, et al, makes me wish all the good hackers knew how to stay underground instead of posting websites everywhere saying "700k 4t m3! 1 m4d3 4n 0p3n 50urc3 h4xxx0r!!!" It's the kind of thing that causes bad laws to be passed.
(before you flame, realize my tounge is planted halfway in cheek....)
I have a positive modifier on Troll. When I mod someone Troll their karma should go UP!
Anybody know if this works when your local DNS server is running djbdns (a.k.a. dnscache)?
If so, wonder how long it is before DJB re-codes his server so that it won't. That guy is a paranoid fanatic when it comes to security.
The Web is like Usenet, but
the elephants are untrained.
The server end of the tunnel MUST be authoritative for the domain which will be used to send the encapsulated IP packets. You can't choose any arbitrary server that just happens to be running the hacked BIND. (And it should be a hacked BIND unless you don't care about actually resolving hosts for the domain. Best way to do it would be to have a normal BIND running for mydomain.com, and have it delegate requests for *.tunnel.mydomain.com to the machine that's running the fake tunnel NS.)
I probably rambled there... it's like this
You dialup one of these MS numbers, and all that works is DNS requests. You start the tunnel. Your IP packet is encapsulated into a ns lookup and encoded as someencodedstring.domain.com. The request goes to some MS name server. The MS name server will check the root servers for the IP of the nameserver that is authoritative for domain.com (as registered.) The request is recieved, decoded, connections made, results received and reencapsulated and sent back to you.
I would assume that one would want normal DNS services for domain.com to be unaffected. So this hacked name server would either be a hacked version of BIND, or you would have to either setup a delegation scheme as above (which wouldn't require registration) or register a bogus domain that you never plan on using. I guess the fake name server could determine if a request was a tunnel or a real ns lookup and return a resource record if it was a real lookup. But I don't imagine they took it that far.
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
Also..it's really more of a tunnel to a proxy.
--
My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
This sort of technology is an incredible boost to internet security. If this thing gets wide spread usage it will only cause the companies to start designing their networks properly instead of a loose hodgepodge of equipment which most companies have. Your whole spiel about being legitimate is a good point, BUT, whats the point of being legitimate if the "legitimate" people are creating crap.
I for one applaud all sorts of cracking and abuse on the internet because it only leads to a better stronger entity. The more people go about messing with everyone elses equipment/software the more those people will improve on their goods. Its called natural selection. Those companies that cannot make a better piece of equipment/software will fail and die. Which is how it should be in a capitalist economy. There is no point in a company succeeding through shoddy gear.
My piece is said.
- drink, fight, and fuck..thats all that really matters
This is not rediculous.
:-)
/etc/resolv.conf file when the ISP provides DNS information, so I can read it from that.
To use this, you do not need to have a name server; you need to have access to someone else's name server. And, you need a central "modified" server somewhere that you can talk to.
I haven't seen a system yet that didn't have some way to look up names, even if it could not actually connect to them.
So, to use this you need:
1. A linux system.
2. A toll free limited account (quickbooks, MSN signup, your bank's "bank online" feature, etc).
3. The remote DNS that you dial into configured to check the root DNS servers (normal
4. A special server set up somewhere (come on guys, post your server names for us to use).
Then, you start up your client by giving the number address of your limited DNS, and the name of the remote tunnelling DNS.
From the README:
::
Then start the server on one end:
./nstxd tun.yomama.com
and the client on the other end:
./nstxcd tun.yomama.com 125.23.53.12
125.23.53.12 has to be a DNS-server which can be reached by the client-side. The server *must* run on a server where an NS-record for tun.yomama.com points to. So if the server has the IP 1.2.3.4 there must exist an entry in the zonefile of yomama.com: tun IN NS 1.2.3.4
::
A server runs somewhere on the internet. I, the client, need the name of that server, and a DNS operated by my limited ISP whose number I know or can find out. PPPD supports modifying the
I was wondering whether this hack can be used while accessing internet using mobile devices. The request for the url could be sent as part of the DNS lookup and the reply would contain the data for that url. Since the mobile devices like phones anyway have limited data display capability , the packet size limit of 512 should not be an issue !
This sort of technology is an incredible boost to internet security. If this thing gets wide spread usage it will only cause the companies to start designing their networks properly instead of a loose hodgepodge of equipment which most companies have
It may do that, but that won't solve the problem. The real solution will have something to do with non-reputiability. Until all important sites reject packets that can't be repudiated, this problem will exist. I think there should be two internets - a "wild west," and a commercial one. In fact, I think this will eventually happen, look at how many Cliff Stolls of the world retreat into private networks. Until then, watch the movie Brazil and s/Air Conditioning/Internet/g.
Its called natural selection. Those companies that cannot make a better piece of equipment/software will fail and die. Which is how it should be in a capitalist economy. There is no point in a company succeeding through shoddy gear.
What economy do you live in? It is easy to demonstrate that technical superiority does not win in an unregulated economy. Otherwise we would be running 36 bit Xerox Stars or something. And what could be shoddier than http://www.microsoft.com ?
I applaud hacks like this tunnel, and think the old hacker ethic needs to be taught, and taught well.
--
Al Gore's senator dad invented the Interstate.
Bill France's moonshiner dad invented tunnelling.
Oracle and unix guy.
Which is why I said to use (toll free) long distance numbers into other countries - preferrably ones without good ties to your curent one. (You really think the US would help Iraq hunt down dissidents?)
Also, you're forgetting one VERY important principal: public telephones - plug into a public telephone and dial in with that. Plenty of waiting rooms have phone jacks, and there are still some handset-->modem devices available out there to make use of.
If you're smart about it, you can be untracable via public telephone systems, and even private ones. You don't need to stay on long if you just grab email through it.
Once, while visiting the mens room on the second floor of building 11, I noticed a spent packet of lubricating jelly left behind by a previous inhabitant of the stall.
I'm not sure if there was any translation going on, but it seems plausible.
--Shoeboy
Babelfish is a proxy; you can use it to load blocked sites by having altavista do the heavy lifting.
:)
See if they block the zippy filter, too...
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
IP over airplane banners... Read slashdot while you're sequestered in the CBS Big Brother house.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?