Security Basics mailing list archives
Re: Establish persistant outbound connection for covert application
From: Jens Knoell <jens () surefoot com>
Date: Wed, 24 Aug 2005 16:32:43 -0600
Hi David, replying off-list since I'd rather keep this from prying eyes and avoid the usual ethical discussions that often ensue on this topic. On Tuesday 23 August 2005 16:17, David Siles <DS> wrote:
Hello all, I am looking for some additional ideas for an application we are trying to use for a law enforcement application. We are currently using a product that allows us to install a software shim on a suspect's PC and then connect into the PC at any given time to perform forensic analysis. While this works great, we consistently run into the problem of personal firewalls, NAT devices, SP2, and other ACLs that prevent us from connecting into the suspect machine.
To get around this is anything but trivial. Your application can try piggybacking on "legit" traffic, or try to enumerate the firewall to find open outbound ports. As you probably know, there are often ports open for external communication. If you do prefer inbound connections, you'd need to enumerate the suspect's network settings from the inside (i.e. find out whether UPnP NAT is available on the router, which firewalls are running, etc.) and then communicate the findings back to a server or a human somewhere. Host-based firewalls can often easily be defeated by adding a new service at the actual network layer. This is operating-system dependent, of course. I'll be damned if I remember what MS calls this, but it's in essence the same network hook a firewall hooks into. Similar hooks exist in most unix-like products, except that they're more difficult to hide there. A few good pointers in that particular direction:
http://www.securityfocus.com/news/382 - BackStealth Firewall circumvention
http://www.securityfocus.com/infocus/1839 - Firewalls: Made of straw?
Piercing NAT is easier nowadays. Most routers support Universal Plug&Play for NAT and thus allow you to port-forward any given port to your target machine. Enterprise-level routers don't commonly support this feature or have it turned off. Piercing these can IMO only be done properly with a reverse connection.
While we usually have the suspect's full cooperation in the monitoring efforts, and we can initially configure their network and/or PC configuration to allow this communication, things get changed. Also, we run into the problem of dynamic addressing changing on us, which can be a pain to keep track of unless we install some type of dyn DNS solution.
If you have the suspect's cooperation it might be easier for you to just drop in a "spybox". I use these every now and then, and they work like this:
- Small form factor PC running linux on it
- They get their IP dynamically if possible. If DHCP fails they analyze passing network traffic and grab their IP config based on a "best guess"
- They "announce" themselves using DynDNS (I have my own DynDNS server for that)
- Additionally they periodically try and connect back to my "monitoring machine" on a few standard ports (53,25,110,143,80,435)
- They have the usual packet sniffing and ARP poisoning tools installed, just in case
- They do have 2 network interfaces in case I want to chain them between a PC and a switch
- They also have a wireless interface so I can hook into the machine if I am just close enough to them
With these I can analyze or even record all network traffic remotely without having to install anything on the target machine. To some degree I can usually get onto some hard drives too, if the sniffer manages to crack a few passwords. The killer is the WLAN interface - I can get to it anytime I want, no matter the firewalls in the target network.
[...stuff snipped...]
I am looking for something that will connect outbound, preferably covertly as a background/hidden process (e.g. fooing a netcat/cryptcat connection) to a waiting connection server or service for redirection. SSH may be the best process here, but I don't like having to open an SSH tunnel for this. The application we are using is already running encrypted traffic, so adding another layer of encryption also slows it down.
Hiding traffic is difficult at best. You can encapsulate your traffic in ICMP packets if you want, or simply in an unused protocol (PPTP or IPsec for example) - but again, to a savvy user that'll be a red flag that something is wrong. Essentially you cannot effectively hide network traffic from a cautious admin. You can disguise it as say http traffic, but even then it'll trigger if it's at unusual hours.
The capability to make this application call home will be of great benefit to many in the LEO community, and if you're interested in what we are doing, please feel free to contact me offlist.
Making it call home is relatively easy, depending on your budget. If in doubt, add a cellphone interface and hook into that. Don't just focus on transferring the information you're after over the suspect's internet access - focus on other means of getting your data. WLAN interfaces, cellphone interfaces, even ham radio interfaces would work. It all depends on how much you need to hide the surveillance from the owner of that PC, and how far you want to depend on the PC running a specific OS (Windows vs. Mac vs. BSD vs. Linux). If you'd like to discuss further details please feel free to contact me off-list.

Jens
--
With all the fancy scientists in the world, why can't they just once build a nuclear balm?
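The reply's two technical claims, that a call-home client "periodically" retries a few standard ports, and that a cautious admin will notice such traffic (especially "at unusual hours"), can be checked from the defender's side. The following is an added example, not code from the thread or from either poster: it reads constructed outbound-connection records, groups them into flows, and flags flows whose inter-connection gaps are nearly constant, reporting how much of that activity falls outside assumed business hours and whether the destination port is one of the call-back ports the reply names. The log format, the business-hours window, the thresholds and every record in SAMPLE_LOG are assumptions made for the example.

```python
"""Periodic call-back (beacon) detection over constructed connection logs.

Added example; it is not code from the original thread. It demonstrates
why a timer-driven outbound channel stands out in ordinary firewall logs:
fixed intervals, unusual hours, one of a few well-known ports.
The log format, thresholds and all records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The call-back ports named in the reply (53, 25, 110, 143, 80, 435).
CALLBACK_PORTS = {53, 25, 110, 143, 80, 435}
# Assumed working hours; a connection outside them counts as off-hours.
BUSINESS_HOURS = range(8, 18)

# Constructed outbound-connection log: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.0.7 calls back every ~10 minutes at night; 10.0.0.12 is ragged
# daytime browsing plus a short SSH session (too few hits to judge).
SAMPLE_LOG = """\
2005-08-24T02:00:05 10.0.0.7 203.0.113.9 80
2005-08-24T02:10:04 10.0.0.7 203.0.113.9 80
2005-08-24T02:20:06 10.0.0.7 203.0.113.9 80
2005-08-24T02:30:05 10.0.0.7 203.0.113.9 80
2005-08-24T02:40:05 10.0.0.7 203.0.113.9 80
2005-08-24T09:01:10 10.0.0.12 198.51.100.5 443
2005-08-24T09:03:45 10.0.0.12 198.51.100.5 443
2005-08-24T09:30:02 10.0.0.12 198.51.100.5 443
2005-08-24T10:15:33 10.0.0.12 198.51.100.5 443
2005-08-24T11:02:00 10.0.0.12 198.51.100.5 443
2005-08-24T14:20:00 10.0.0.12 192.0.2.44 22
2005-08-24T14:21:00 10.0.0.12 192.0.2.44 22
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport); skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def is_off_hours(ts):
    """True when the connection falls outside BUSINESS_HOURS."""
    return ts.hour not in BUSINESS_HOURS


def find_beacons(records, min_hits=4, max_cv=0.2):
    """Return flows whose gaps between consecutive connections are nearly constant.

    A flow is (src, dst, dport). With at least `min_hits` connections the
    coefficient of variation (stdev / mean) of the gaps is computed; human
    browsing yields ragged gaps (cv well above max_cv), a timer does not.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        hits.append({
            "src": src, "dst": dst, "dport": dport, "hits": len(stamps),
            "mean_interval": avg, "cv": cv,
            "off_hours_fraction": sum(is_off_hours(t) for t in stamps) / len(stamps),
            "callback_port": dport in CALLBACK_PORTS,
        })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{h['src']} -> {h['dst']}:{h['dport']} every ~{h['mean_interval']:.0f}s "
              f"(cv={h['cv']:.3f}, off-hours={h['off_hours_fraction']:.0%}, "
              f"callback-port={h['callback_port']})")
```

On the constructed data only the 10.0.0.7 flow is reported. The browsing flow has gaps that vary by more than half their mean, and the two-connection SSH flow is below `min_hits`, which is the usual trade-off for this kind of check: a beacon that adds heavy random jitter or retries only rarely needs a longer observation window or a looser `max_cv` before it separates from ordinary traffic.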
Current thread:
- Establish persistant outbound connection for covert application David Siles (Aug 24)
- RE: Establish persistant outbound connection for covert application Burton Strauss (Aug 26)
- Re: Establish persistant outbound connection for covert application Jens Knoell (Aug 26)
- <Possible follow-ups>
- RE: Establish persistant outbound connection for covert application Beauford, Jason (Aug 26)