Vulnerability Development mailing list archives
Re: Covert Channels
From: Chris Reining <creining () packetfu org>
Date: Thu, 17 Oct 2002 22:29:44 -0500
A covert comm channel utilizing SAdoor is something you might want to look into. You run SAdoor server on your owned box, which pcap filters (non-listening mode, won't show up in a port scan for ex) looking for a particular sequence of tcp packets. This sequence can consist of the ports and tcp flags of your choosing and come from spoofed addresses. When this initial sequence is completed successfully by running the SAdoor client, the server will listen for the right combination of src address, tcp flag, and port for the command that is to be executed. The SAdoor client and server communicate using libblowfish by default. http://cmn.listprojects.darklab.org/ Chris On Wed, 16 Oct 2002 15:08:49 -0700 "Jeremy Junginger" <jjunginger () usbestcrm com> wrote:
Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP header information to transmit encoded messages from one host to another? Shortly after reading http://www.firstmonday.dk/issues/issue2_5/rowland/ I was very tempted to put together a proof-of-concept program to demonstrate the use of covert channels (and more imporantly, how they could slip right by the IDS) with the tools I had on hand. I ended up using nemesis (Thank you Mr. Grimes), tcpdump, and a little Perl script to kind of piece a tool together that would transmit encoded (I use that term loosely) ASCII data within the IP id field of the IP header. It works okay until you go through a NAT device that decides to change the IPID :) I wondered if anyone else has attempted to create a similar covert channel, and if it is even useful when you can potentially encrypt/tunnel many chat applications over a 3DES tunnel on basically any port in order to subvert a security policy. A penny for your thoughts... Jeremy
Current thread:
- RE: Covert Channels, (continued)
- RE: Covert Channels Jason Barbour (Oct 17)
- Re: Covert Channels Alex Tibbles (Oct 17)
- Re: Covert Channels MA (Oct 17)
- Re: Covert Channels Roland Postle (Oct 17)
- RE: Covert Channels Dom De Vitto (Oct 17)
- RE: Covert Channels Jeff Nathan (Oct 19)
- RE: Covert Channels Dom De Vitto (Oct 19)
- Re: Covert Channels Craig Baltes (Oct 17)
- Re: Covert Channels CJ Oster (Oct 17)
- Re: Covert Channels Rohit Sharma (Oct 17)
- Re: Covert Channels Chris Reining (Oct 18)
- Re: Covert Channels Darryl Luff (Oct 18)
- Re: Covert Channels Valdis . Kletnieks (Oct 18)
- Re: Covert Channels Jeff Nathan (Oct 19)
- Re: Covert Channels Frank Knobbe (Oct 23)
- Re: Covert Channels Jose Nazario (Oct 23)
- Re: Covert Channels Blue Boar (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Blue Boar (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- RE: Covert Channels Omar Herrera (Oct 23)
- Re: Covert Channels Jose Nazario (Oct 23)