Vulnerability Development mailing list archives

Re: Covert Channels


From: Chris Reining <creining () packetfu org>
Date: Thu, 17 Oct 2002 22:29:44 -0500

A covert comm channel utilizing SAdoor is something you might want to
look into. You run SAdoor server on your owned box, which pcap filters
(non-listening mode, won't show up in a port scan for ex) looking for a
particular sequence of tcp packets. This sequence can consist of the
ports and tcp flags of your choosing and come from spoofed addresses.
When this initial sequence is completed successfully by running the
SAdoor client, the server will listen for the right combination of src
address, tcp flag, and port for the command that is to be executed. The
SAdoor client and server communicate using libblowfish by default.

http://cmn.listprojects.darklab.org/

Chris

On Wed, 16 Oct 2002 15:08:49 -0700
"Jeremy Junginger" <jjunginger () usbestcrm com> wrote:

Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
header information to transmit encoded messages from one host to
another?  Shortly after reading
http://www.firstmonday.dk/issues/issue2_5/rowland/ I was very tempted
to put together a proof-of-concept program to demonstrate the use of
covert channels (and more importantly, how they could slip right by the
IDS) with the tools I had on hand.  I ended up using nemesis (Thank
you Mr. Grimes), tcpdump, and a little Perl script to kind of piece a
tool together that would transmit encoded (I use that term loosely)
ASCII data within the IP id field of the IP header.  It works okay
until you go through a NAT device that decides to change the IPID :) 
I wondered if anyone else has attempted to create a similar covert
channel, and if it is even useful when you can potentially
encrypt/tunnel many chat applications over a 3DES tunnel on basically
any port in order to subvert a security policy.  

A penny for your thoughts...

Jeremy
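An added detection-side example, not part of either message in this thread and not Jeremy's Perl tool: a small Python script that parses bare IPv4 headers from constructed sample packets and scores each source address on whether its IP ID field looks like one printable ASCII byte per packet rather than the counter-style IDs most stacks of the period emitted. The packet builder, the sample traffic, the function names and the thresholds (printable range 0x20-0x7E, 90% printable, counter steps of 1-256, minimum of 8 packets) are all assumptions made for this example.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def build_ipv4_header(src, dst, ip_id, payload_len=0):
    """Pack a minimal IPv4 header (constructed test input, not a real capture)."""
    ver_ihl = (4 << 4) | 5        # version 4, IHL 5 words
    tos, flags_frag = 0, 0
    ttl, proto, csum = 64, 6, 0   # checksum left zero: this detector never validates it
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack(IPV4_HDR, ver_ihl, tos, 20 + payload_len, ip_id,
                       flags_frag, ttl, proto, csum, src_b, dst_b)


def parse_ipv4_header(pkt):
    """Return (src, dst, ip_id) from the first 20 bytes of an IPv4 packet."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    fields = struct.unpack(IPV4_HDR, pkt[:20])
    ip_id, src_b, dst_b = fields[3], fields[8], fields[9]
    return ".".join(map(str, src_b)), ".".join(map(str, dst_b)), ip_id


def is_printable_ascii_id(ip_id):
    """True when the whole 16-bit ID fits a single printable ASCII byte."""
    return 0x20 <= ip_id <= 0x7E


def score_source(ip_ids, min_packets=8, max_step=256):
    """Heuristic per-source score (thresholds are assumptions for this example).

    A counter-based ID generator produces small, strictly positive steps between
    consecutive packets; a one-byte-per-packet channel does not, and almost every
    value lands in the printable range.
    """
    n = len(ip_ids)
    printable = sum(1 for i in ip_ids if is_printable_ascii_id(i))
    frac = printable / n if n else 0.0
    steps = [(b - a) % 65536 for a, b in zip(ip_ids, ip_ids[1:])]
    counter_like = n >= 2 and all(1 <= s <= max_step for s in steps)
    suspicious = n >= min_packets and frac >= 0.9 and not counter_like
    return {"packets": n, "printable_fraction": round(frac, 2),
            "counter_like": counter_like, "suspicious": suspicious}


def find_covert_ipid_sources(packets):
    """Group IDs by source address and return (flagged_sources, per_source_scores)."""
    by_src = defaultdict(list)
    for pkt in packets:
        src, _dst, ip_id = parse_ipv4_header(pkt)
        by_src[src].append(ip_id)
    scores = {src: score_source(ids) for src, ids in by_src.items()}
    flagged = sorted(src for src, s in scores.items() if s["suspicious"])
    return flagged, scores


# Constructed sample traffic: a normal counter, a counter that happens to pass
# through the printable range (should NOT be flagged), and one source whose IDs
# spell out ASCII text one byte per packet.
SAMPLE_PACKETS = (
    [build_ipv4_header("10.0.0.5", "192.0.2.10", 30000 + i) for i in range(10)]
    + [build_ipv4_header("10.0.0.7", "192.0.2.10", 40 + i) for i in range(10)]
    + [build_ipv4_header("10.0.0.9", "192.0.2.10", ord(c)) for c in "hello world"]
)

if __name__ == "__main__":
    flagged, scores = find_covert_ipid_sources(SAMPLE_PACKETS)
    for src in sorted(scores):
        print(src, scores[src])
    print("flagged:", flagged)
```

The counter check is what keeps 10.0.0.7 off the list: a legitimate ID counter passing through 0x20-0x7E is indistinguishable from the channel on the printable test alone, so sequence behaviour has to be part of the score. The same NAT rewriting that Jeremy saw break the channel also erases the signal for this detector, which is an argument for running it on the inside of the NAT, close to the suspected host, rather than at the perimeter.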

