.

Skype Network Scanning

<<

Cutaway

User avatar

Jr. Member
Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Fri Dec 15, 2006 10:51 am

Skype Network Scanning

In a recent article titled "Networks beware: Skype 3.0 includes new cloaking technology" http://www.computerworld.com/blogs/node/4174#comment-24056 in Computer World the author (Preston Gralla) states "[Skype] may present a backdoor through which hackers can crawl..."

I have commented to the article and asked that the author clarify but with no response.  I was wondering if anybody here had heard about this and how it is accomplished.

I know that for P2P there may be some extra network traffic but I believe this is a part of the local application.  Unless some types of logs are kept and they can be harvested remotely I am not sure how this can be done.

It would be interesting to find out other wise.
Go forth and do good things,
Cutaway
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Fri Dec 15, 2006 4:41 pm

Re: Skype Network Scanning

I'm sure it would be possible to utilize Skype, especially with this new encrypted UDP traffic, as a covert channel. You could either use a skype specific exploit, which would be in high demand. I bet people are running fuzzers right now against this new code for buffer overflows. Or you could use some email or IM trickery to get the user to initiate a skype connection to you. Either way the network security admin either won't see it because its encypted or just ignore it as regular skype traffic.
<<

Diluted

Newbie
Newbie

Posts: 3

Joined: Mon Dec 04, 2006 5:27 pm

Post Mon Dec 18, 2006 3:34 am

Re: Skype Network Scanning

Skype penetrates firewalls/NAT by fooling stateful detection... could that be what they are referring to?  It also will try to guess at the port that will be used for an outgoing connection by causing an outgoing connection and then portscanning the range above that port in the case of incremental port numbers being used by the firewall/NAT software.

Apparently (according to the article linked in the article you linked) they have changed those behaviors to make them less likely to be fingerprinted.  That could ceertainly make it harder to tell whether it's valid Skype traffic, or whether it's allowable traffic at all, depending if you allow Skype on your network.
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Mon Dec 18, 2006 3:17 pm

Re: Skype Network Scanning

From what I understand because the Skype client in already behind the firewall it has an established connection already and this is why it can work thought firewalls and NAT. Just like your messengers or any other client side connection software. Skype is not tricking your firewall it is just keeping a path open. Now it could be jumping around on random outbound ports to lessen the chance of Man-in-the-middle-attacks being able to collect passwords or record the calls. A lot of different software dose established connections to have a path from a privet network to there servers. This is the idea behind a lot of Trojan horses because with a firewall set to "default deny" or "explicit deny" it will only allow established connections to pass. The biggest issue with all the different client messageing/voip software is that there can be all kinds of Trojan like activity and you might not know till it's too late. I would say just keep you eye out and make sure to only use software you trust.

Slimjim100

(sorry if I got to far off topic)
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

Cutaway

User avatar

Jr. Member
Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Mon Dec 18, 2006 10:24 pm

Re: Skype Network Scanning

I think that it is very important to understand just how certain applications work within our environments.  Especially those with channels that are encrypted with a proprietary algorithm.  And now that our fears of skype becoming a malware distribution agent have come to fruition (i.e. http://isc.sans.org/diary.php?storyid=1952 and http://www.websense.com/securitylabs/blog/blog.php?BlogID=101) I think that more people are going to become concerned.

It is interesting to learn about the outbound characteristics of this application.  I suppose that one way to determine the ports that are permitted to egress the network could be determined by the skype client.  The benefit I see from this is that you would be masking network scans so that they do not appear to be normal enumeration tools.  I'll have to see if the client keeps a log of this that can be viewed by the user or if some other type of interface monitoring is required.

Thanks for the input on this one.  Keep the thread running is you have more.
Go forth and do good things,
Cutaway
<<

Dengar13

User avatar

Sr. Member
Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Wed Dec 20, 2006 5:50 pm

Re: Skype Network Scanning

This application is tricky.  It uses any available TCP port it can use.  If one is blocked, it keeps going until one is open.  Thi causes headaches for security admins.  We use SMS to monitor if Skype (application) is installed on a pc and use web filtering blocking all of the sites that you can install Skype from.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sun Dec 24, 2006 3:58 pm

Re: Skype Network Scanning

Here's an article to add to the conversation:

http://www.heise-security.co.uk/articles/82481

Don
CISSP, MCSE, CSTA, Security+ SME
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Wed Dec 27, 2006 8:23 am

Re: Skype Network Scanning

Nice Article don!

            I can say that Sonicwall Firewalls (which I do not like too much) do block this kind of UDP hole punching. I have seen with Skype and Hamachi you have to have a relay to get a connection when traversing though a Sonicwall firewall. I am also sure the Netscreen firewalls block UDP scanning by default too but both of the firewalls I just mentioned are not your basic NAT firewall but slightly more advanced firewalls will a few extra bells and whistles. Anyway it was a very good article and it inspired me to break out my ethereal /wireshark and do some sniffing. It's amazing the load of crap traffic all the little IM/P2P/VoIP clients throw around your network!

Slimjim100
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

pcsneaker

Jr. Member
Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Jan 01, 2007 12:11 pm

Re: Skype Network Scanning

If you are in need of security you would not allow any encrypted traffic into your network - be it skype or any other app.

Terminate any encrypted channel at your perimeter if you really need security, otherwise you'll always be in big trouble....
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 4 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software