I came across a VPN product that seemed to change the interface list that appears in the routing table. When the VPN is not running, I see all the interfaces that are in the system in the route table. When the VPN is run, the routing table is modified and displays only the VPN's virtual interface. Can this be done through a documented API in the application? Or does it require lower-level tweaking (IM, TDI)? Any specific way of doing this?

Thanks,
Ravi
Ravi wrote:
> I came across a VPN product that seemed to change the interface list
> that appears in the routing table.

Sigh. Yet another bunch of morons thinking that they make something "secure" doing this. Care to tell which VPN product it is? (I am compiling a list of companies that have no clue)

> When the VPN is not running, I see all the interfaces that are in the
> system in route table. When the VPN is run, the routing table is
> modified and displays only the VPN's virtual interface.
> Can this be done through a documented API in the application? Or does
> it require a lower level tweaking (IM, TDI). Any specific way of
> doing this?

See CreateIpForwardEntry, DeleteIpForwardEntry and related functions in MSDN. Of course it could happen that this particular VPN product actually disables all other interfaces from the kernel. This would produce the same symptoms. All of this is futile of course against a determined attacker. The only effect it produces is to irritate the end user.

--
Eugene
http://www.gershnik.com
Thanks for the reply.

Correct me if I am wrong. Most VPNs modify the route table to direct all outbound packets to their (virtual) interface. This gives them the flexibility to split-tunnel or tunnel the packets back to the VPN server. With this in mind, tweaking GetIpAddrTable seems like a good idea. I have looked at the IpHlpApi functions. Unfortunately the subnet routes for currently connected adapters cannot be deleted (all fail with ERROR_INVALID_PARAMETER). Hence my question on how to fool GetIpAddrTable. The interesting thing is that ipconfig still shows all adapters in the system; however, the route table only lists their virtual interface. Any clue on how this could be done?

VPN Product: Netmotion Wireless (TDI-level)

Thanks,
Ravi

"Eugene Gershnik" wrote in message news:O4bXt5X5FHA.1140@tk2msftngp13.phx.gbl...
> Ravi wrote:
>> I came across a VPN product that seemed to change the interface list
>> that appears in the routing table.
>
> Sigh. Yet another bunch of morons thinking that they make something
> "secure" doing this. Care to tell which VPN product it is? (I am compiling
> a list of companies that have no clue)
>
>> When the VPN is not running, I see all the interfaces that are in the
>> system in route table. When the VPN is run, the routing table is
>> modified and displays only the VPN's virtual interface.
>> Can this be done through a documented API in the application? Or does
>> it require a lower level tweaking (IM, TDI). Any specific way of
>> doing this?
>
> See CreateIpForwardEntry, DeleteIpForwardEntry and related functions in
> MSDN. Of course it could happen that this particular VPN product actually
> disables all other interfaces from the kernel. This would produce the same
> symptoms. All of this is futile of course against a determined attacker.
> The only effect it produces is to irritate the end user.
>
> --
> Eugene
> http://www.gershnik.com
Ravi wrote:
> Thanks for the reply.
> Correct me if I am wrong.
> Most VPNs modify route table to direct all outbound packets to their
> (virtual) interface.

Right.

> Unfortunately the subnet
> routes for currently connected adapters cannot be deleted (all fail
> with ERROR_INVALID_PARAMETER).

Are you sure? Deleting from the command line with route delete works fine and AFAIK the route tool uses IPHelper. Perhaps you did pass an invalid parameter?

> Hence my question on how to fool the GetIpAddrTable. Interesting
> thing is ipconfig still shows all adapters in the system, however,
> the route table only lists their virtual interface. Any clue on how
> this could be done?

It is certainly possible to do many things like unbind the adapter from TCP/IP or modify the routing table from kernel. Double-check IPHelper. If they don't use it, see if they modify bindings with the BindView tool from the DDK. As for kernel-mode tricks, a better place to ask is one of the newsgroups with the word DDK in its title.

--
Eugene
http://www.gershnik.com
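The thread leaves two competing explanations for the symptom (routes deleted through the forwarding table versus adapters unbound or disabled below TCP/IP). The following diagnostic, an added example that is not code from either poster or from the VPN product, distinguishes them by snapshotting which connected interfaces still own addresses and which still appear in the forwarding table before and after the VPN connects. It assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later); the function names are the example's own.

```powershell
# Added example: diff "interfaces bound to TCP/IP" against "interfaces that
# still have routes" to see which layer a VPN product manipulated.
# Assumes the NetTCPIP module (Get-NetIPInterface, Get-NetRoute, Get-NetIPAddress).

function Get-RouteCoverageReport {
    [CmdletBinding()]
    param([ValidateSet('IPv4', 'IPv6')][string]$AddressFamily = 'IPv4')

    # Interfaces TCP/IP still considers bound and connected (what ipconfig shows)
    $ifaces = Get-NetIPInterface -AddressFamily $AddressFamily |
              Where-Object ConnectionState -eq 'Connected'

    # Interface indexes that appear anywhere in the forwarding table (what route print shows)
    $routeIf = Get-NetRoute -AddressFamily $AddressFamily -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty InterfaceIndex -Unique

    foreach ($i in $ifaces) {
        $addrs = (Get-NetIPAddress -InterfaceIndex $i.InterfaceIndex `
                    -AddressFamily $AddressFamily -ErrorAction SilentlyContinue).IPAddress
        [pscustomobject]@{
            InterfaceIndex = $i.InterfaceIndex
            Alias          = $i.InterfaceAlias
            Addresses      = ($addrs -join ',')
            HasRoutes      = ($routeIf -contains $i.InterfaceIndex)
        }
    }
}

function Compare-RouteCoverage {
    # Classify each interface present before the VPN started by what happened to it after.
    param([object[]]$Before, [object[]]$After)
    foreach ($b in $Before) {
        $a = $After | Where-Object InterfaceIndex -eq $b.InterfaceIndex
        if (-not $a) {
            "$($b.Alias) ($($b.InterfaceIndex)): no longer bound/connected -> adapter unbound or disabled below IP, not a route edit"
        } elseif ($b.HasRoutes -and -not $a.HasRoutes) {
            "$($b.Alias) ($($b.InterfaceIndex)): still bound with $($a.Addresses) but no routes -> forwarding-table entries removed (IP Helper path)"
        } else {
            "$($b.Alias) ($($b.InterfaceIndex)): unchanged"
        }
    }
}

# Usage: take one snapshot, connect the VPN, take a second, then compare.
$before = Get-RouteCoverageReport
Read-Host 'Connect the VPN now, then press Enter'
$after  = Get-RouteCoverageReport
Compare-RouteCoverage -Before $before -After $after
```

An interface that keeps its addresses but loses every route points at forwarding-table manipulation; one that disappears from the bound set entirely points at an unbind or a lower-level filter, which is the case a route-table-only defence cannot restore.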