Security Basics mailing list archives

Re: Establish persistent outbound connection for covert application


From: Jens Knoell <jens () surefoot com>
Date: Wed, 24 Aug 2005 16:32:43 -0600

Hi David

Replying off-list since I'd rather keep this from prying eyes and avoid the usual 
ethical discussions that often ensue on this topic.

On Tuesday 23 August 2005 16:17, David Siles <DS> wrote:
> Hello all,
> 
> I am looking for some additional ideas for an application we are
> trying to use for a law enforcement application.
> 
> We are currently using a product that allows us to install a software
> shim on a suspect's PC and then connect into the PC at any given time
> to perform forensic analysis.  While this works great, we consistently
> run into the problem of personal firewalls, NAT devices, SP2, and
> other ACLs that prevent us from connecting into the suspect machine.

To get around this is anything but trivial. Your application can try 
piggybacking on "legit" traffic or try and enumerate the firewall to find 
open outbound ports. As you probably know there often are ports open for 
external communication.

If you do prefer inbound connections you'd need to enumerate the suspect's 
network settings from the inside (i.e. find out if UPnP NAT is available on 
the router, which firewalls are running etc.) and then communicate its 
findings back to a server or human somewhere.

Host-based firewalls can often easily be defeated by adding a new service to 
the actual network layer. This is operating system dependent of course. I'll 
be damned if I remember what MS calls this, but it's in essence the same 
network hook a firewall hooks into. Similar hooks exist in most unix-like 
products except that they're more difficult to hide there.

A few good pointers in that particular direction:
http://www.securityfocus.com/news/382 - BackStealth Firewall circumvention
http://www.securityfocus.com/infocus/1839 - Firewalls: Made of straw?

Piercing NAT is easier nowadays. Most routers support Universal Plug&Play for 
NAT and thus allow you to port forward any given port to your target machine.

Enterprise-level routers don't commonly support this feature or have it turned 
off. Piercing these can IMO only be done properly with a reverse connection.

> While we usually have the suspect's full cooperation in the monitoring
> efforts and we can initially configure their network and/or PC
> configuration to allow this communication, things get changed.  Also we
> run into the problem with dynamic addressing changing on us, which can
> be a pain to keep track of unless we install some type of dyn dns
> solution.

If you have the suspect's cooperation it might be easier for you to just drop 
in a "spybox". I use these every now and then, and they work like this:
- Small form factor PC running linux on it
- They get their IP dynamically if possible. If DHCP fails they analyze 
passing network traffic and grab their IP config based on a "best guess"
- They "announce" themselves using DynDNS (I have my own DynDNS server for 
that)
- Additionally they periodically try and connect back to my "monitoring 
machine" on a few standard ports (53,25,110,143,80,435)
- They have the usual packet sniffing and ARP poisoning tools installed, just 
in case
- They do have 2 network interfaces in case I want to chain them between a PC 
and a switch
- They also have a wireless interface so I can hook into the machine if I am 
just close enough to them

With these I can analyze or even record all network traffic remotely without 
having to install anything on the target machine. To some degree I can 
usually get onto some hard drives too, if the sniffer manages to crack a few 
passwords. The killer is the WLAN interface - I can get to it anytime I want, 
no matter the firewalls in the target network.

[...stuff snipped...]
> I am looking for something that will connect outbound, preferable
> covertly as a background/hidden process (e.g. fooing a netcat/cryptcat
> connection) to awaiting connection server or service for redirection.
> SSH may be the best process here, but I don't like having to open an
> SSH tunnel for this.  The application we are using is already running
> encrypted traffic, so adding another layer of encryption also slows it
> down.

Hiding traffic is difficult at best. You can encapsulate your traffic in ICMP 
packets if you want, or simply in an unused protocol (PPTP or IPsec for 
example) - but again, to a savvy user that'll be a red flag that something is 
wrong.

Essentially you cannot effectively hide network traffic from a cautious admin. 
You can disguise it as say http traffic, but even then it'll trigger if it's 
at unusual hours.

> The capability to make this application call home will be of great
> benefit to many in the LEO community and if you're interested in what we
> are doing, please feel free to contact me offlist.

Making it call home is relatively easy, depending on your budget. If in doubt, 
add a cellphone interface and hook into that. Don't just focus on 
transferring the information you're after over the suspect's internet access - 
focus on other means of getting your data. WLAN interfaces, cellphone 
interfaces, even ham radio interfaces would work. It all depends on how much 
you need to hide the surveillance from the owner of that PC, and how far you 
want to depend on the PC running a specific OS (Windows vs. Mac vs. BSD vs. 
Linux).


If you'd like to discuss further details please feel free to contact me 
off-list.

Jens

-- 
With all the fancy scientists in the world, why can't they just once
build a nuclear balm?
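[Editor's note] Two points in the reply above are easy to check from ordinary firewall or flow logs: a spybox that "periodically tries to connect back" on a fixed schedule leaves near-constant inter-connection gaps, and traffic disguised as HTTP still "triggers if it's at unusual hours". The script below is an added example written for this archive page; it is not code from the thread or from any product mentioned in it. The log format, the 08:00-18:59 working-hours window and the jitter threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
"""
Beacon detection over outbound-connection logs.

Added example (not from the thread): flags (src, dst, port) flows whose
connection gaps are nearly constant, and hosts that connect outside
working hours -- the two tells a cautious admin would notice.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in an assumed "YYYY-MM-DD HH:MM:SS src dst:port" format.
# 10.0.0.7 calls home to 203.0.113.9:80 every ~300 s in the small hours;
# 10.0.0.5 is ordinary daytime browsing.
SAMPLE_LOG = """\
2005-08-24 02:00:03 10.0.0.7 203.0.113.9:80
2005-08-24 02:05:02 10.0.0.7 203.0.113.9:80
2005-08-24 02:10:04 10.0.0.7 203.0.113.9:80
2005-08-24 02:15:03 10.0.0.7 203.0.113.9:80
2005-08-24 02:20:03 10.0.0.7 203.0.113.9:80
2005-08-24 09:12:41 10.0.0.5 198.51.100.20:80
2005-08-24 09:13:07 10.0.0.5 198.51.100.21:443
2005-08-24 09:47:55 10.0.0.5 198.51.100.20:80
2005-08-24 11:02:19 10.0.0.5 198.51.100.22:443
2005-08-24 15:30:00 10.0.0.5 198.51.100.20:80
"""

WORK_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as "usual hours"


def parse_log(text):
    """Yield (datetime, src, dst, port) from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dstport = line.split()
        dst, port = dstport.rsplit(":", 1)
        yield datetime.fromisoformat(f"{date} {clock}"), src, dst, int(port)


def find_beacons(records, min_hits=4, max_jitter=0.10):
    """Return {(src, dst, port): mean_gap_seconds} for flows seen at least
    min_hits times whose gaps vary by no more than max_jitter (stdev/mean)."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


def off_hours_hosts(records):
    """Return the sorted list of source hosts that connect outside WORK_HOURS."""
    return sorted({src for ts, src, _, _ in records if ts.hour not in WORK_HOURS})


def analyze(text=SAMPLE_LOG):
    """Run both checks over a log text and return the findings."""
    recs = list(parse_log(text))
    return {"beacons": find_beacons(recs), "off_hours": off_hours_hosts(recs)}


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

On the constructed sample the 300-second call-home on port 80 is the only flow that passes both the hit-count and the jitter test, and 10.0.0.7 is the only host active outside the assumed working hours; the browsing host trips neither check. Real beacons add random jitter precisely to defeat the first test, which is why the threshold is a parameter and why the off-hours check is kept as an independent signal.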

