Security Basics mailing list archives

Re: covert channel


From: Roman Shirokov <insecure () yandex ru>
Date: Fri, 12 Jan 2007 09:58:21 +0000

Hi,

Tuesday, January 2, 2007, 7:28:32 PM, you wrote:

Hi

With "ping" I send the HEX value "FFE". When I run tcpdump I don't
see the HEX value (snap-length is the whole packet)

# ping -c 1 -p FFE 192.168.111.111
PATTERN: 0xff0e
PING 192.168.111.111 (192.168.111.111) 56(84) bytes of data.
64 bytes from 192.168.111.111: icmp_seq=1 ttl=64 time=0.646 ms

--- 192.168.111.111 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms

# tcpdump -s0 -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: ICMP echo
request, id 12826, seq 1, length 64
20:21:11.449555 IP 192.168.111.111 > 192.168.111.115: ICMP echo reply,
id 12826, seq 1, length 64

You need to dump the whole packet and then look at the DATA section, e.g.

Dump of the whole packet; the data section begins at 'dc 55'


0000   00 18 de c2 4c e7 00 18 8b 41 33 35 08 00 45 00  ....L....A35..E.
0010   00 54 00 00 40 00 40 01 24 87 0a 0a 01 03 0a 0a  .T..@.@.$.......
0020   01 0c 08 00 e4 1c 22 0b 00 01 dc 55 a7 45 82 d3  ......"....U.E..
0030   02 00 ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0040   ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0050   ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0060   ff 0e


Try using tcpdump with the flags -v -x
-- 
Best regards,

Roman Shirokov

e-mail:insecure () yandex ru
http://securitybox.org.ru 


If you have explorer.exe running then your machine is infected with Windows(TM)
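The dump quoted in the reply above, walked programmatically. This is an added example, not code from the thread: it parses the hex-dump text, follows Ethernet -> IPv4 -> ICMP, verifies the ICMP checksum, and recovers the repeated `-p` pattern from the echo payload, which is what a defender inspecting ping traffic for a covert channel would look at (the `skip=8` assumption reflects the 8 bytes of timestamp that precede the pattern in this particular dump).

```python
import struct
# Frame from the dump in the message above, pasted verbatim (offset, 16 hex bytes, ASCII column).
DUMP = """\
0000   00 18 de c2 4c e7 00 18 8b 41 33 35 08 00 45 00  ....L....A35..E.
0010   00 54 00 00 40 00 40 01 24 87 0a 0a 01 03 0a 0a  .T..@.@.$.......
0020   01 0c 08 00 e4 1c 22 0b 00 01 dc 55 a7 45 82 d3  ......"....U.E..
0030   02 00 ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0040   ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0050   ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e ff 0e  ................
0060   ff 0e
"""

def parse_hexdump(text):
    """Each line: offset, then up to 16 hex bytes; anything after that is the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        out += bytes.fromhex("".join(line.split()[1:17]))
    return bytes(out)

def icmp_checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over a valid ICMP message (checksum included)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_echo(frame):
    """Walk Ethernet -> IPv4 -> ICMP; return (header fields, echo payload)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = ip[ihl:total_len]
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    hdr = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "type": typ, "code": code, "id": ident, "seq": seq,
           "checksum_ok": icmp_checksum(icmp) == 0}
    return hdr, icmp[8:]

def repeated_unit(payload, skip=8, max_len=8):
    """Shortest unit (<= max_len bytes) tiling the payload after `skip` bytes, else None.
    Assumption: ping stores a timestamp ahead of the -p pattern (8 bytes in this dump)."""
    body = payload[skip:]
    for n in range(1, max_len + 1):
        if body and body == (body[:n] * (len(body) // n + 1))[:len(body)]:
            return body[:n]
    return None
```

For this frame the recovered unit is `ff 0e`, matching the `PATTERN: 0xff0e` line that ping printed for `-p FFE` (the odd nibble count is padded to a whole byte).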

