Penetration Testing mailing list archives
Re: Covert Channels
From: Dave McCormick <mccormic () thunder xecu net>
Date: Thu, 17 Oct 2002 09:27:41 -0400 (EDT)
Vince Gallo also showed how he created covert channels using valid MAPI email in his Bunratty Attack presentation. A copy of the presentation is available in PDF at http://chi-publishing.com/isb/backissues/ISB_2001/ISB0605/ISB0605VG.pdf

It demonstrates how one can use a valid application (in this case MAPI email) to covertly communicate with and even remotely control a system on an otherwise protected network. All traffic appears to be valid email. Pretty slick.

Dave McCormick
dave () fred net
mccormic () xecu net
24 hours in a day, 24 beers in a case. Coincidence?

On Wed, 16 Oct 2002, Erik Parker wrote:
> > Many people have discussed this concept, but nothing has ever taken form. In order to get a host machine to pull this out of the packet and USE it, you'd have to re-write the IP stack for that machine. If you can replace an IP stack on a machine, there's no good reason to be doing it in the first place, as you've already got root (or some form of escalated privs).
>
> Well.. That's not really accurate.. A few people have written programs that let you send data in "secret".. in TCP headers, as well as ICMP headers.. and the router does not toss them out, as long as they're put in variable sections (and UDP headers.. and just about everything else a router will let you send). In fact, there is an ICMP chat program on freshmeat that lets you and someone else chat to each other via ICMP packets.
>
> And there certainly is a point to it.. It's easier to bypass a crappy IDS system if you hide your data. There have been people who were owned, and got shell code sent to them via little bits of shell code tacked on to the end of email spam messages, and a service on the remote side intercepting those mails and executing the code via direction from ARP traffic. The overhead is a lot greater, especially if you throw encryption into it.. and the methods are slow, but they work..
>
> Also, in the case of ICMP traffic.. nobody really looks at it too closely for the most part, so it's pretty easy to stick things in there. A backdoor on a system could easily sit and watch ICMP all day looking for its command packets to come in.
>
> I'm not sure why you'd need to replace the IP stack on the machine.. you're not modifying the Internet Protocol.. just some of the data it carries. Lots of ways to hide your traffic.. And technically, you could do it without actually needing a sniffer running, if you already own the system.. Just intercept the calls with your own functions..
>
> So, I'd have to say 'completely pointless' is an improper term to use here.. Because it is in fact a method that has been used against some of the most well known 'white hats' out there.. to bypass their IDS systems, and live silently on their systems.
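The quoted discussion makes the defender's point in passing: ICMP gets little scrutiny, so a backdoor can sit and wait for command packets that look like ordinary echo traffic. The following script is an added example, not code from this thread or from any of the tools mentioned in it. It shows the kind of baseline check a monitoring team can run over echo requests pulled from a capture: verify the checksum, compare the payload against the default payload shapes of common ping implementations (the Windows `abcdefghijklmnopqrstuvwabcdefghi` string and the Linux timestamp-plus-0x10..0x37 pattern are assumed here as the baseline; a real deployment would learn its own), flag long high-entropy payloads, and flag echo requests that reuse an identifier/sequence pair. The sample datagrams are constructed inline; the "tunnel" payload is a deterministic pseudo-random byte string standing in for encrypted data, not traffic from any real tool.

```python
"""Baseline triage of ICMP echo requests for covert-channel indicators (added example)."""
import hashlib
import math
import struct
from collections import Counter, defaultdict

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble a well-formed echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def checksum_ok(msg: bytes) -> bool:
    """Recompute the checksum with the checksum field zeroed and compare."""
    stored = struct.unpack("!H", msg[2:4])[0]
    return icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == stored


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for a uniformly random byte string."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Assumed baseline payload shapes (defaults of common ping implementations).
WINDOWS_TEMPLATE = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes
LINUX_PATTERN = bytes(range(0x10, 0x38))                 # 40 bytes after a 16-byte timestamp


def matches_known_template(payload: bytes) -> bool:
    if payload == WINDOWS_TEMPLATE:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PATTERN


def triage(messages, entropy_threshold: float = 6.5) -> dict:
    """Return {index: [finding, ...]} for every echo request that deviates from baseline."""
    findings = defaultdict(list)
    seen_seq = defaultdict(set)  # identifier -> sequence numbers already observed
    for i, msg in enumerate(messages):
        itype, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
        payload = msg[8:]
        if itype != ICMP_ECHO_REQUEST:
            continue
        if not checksum_ok(msg):
            findings[i].append("bad checksum")
        if not matches_known_template(payload):
            findings[i].append("payload does not match a known ping template")
        # Short payloads cannot reach high entropy, so only judge longer ones.
        if len(payload) >= 64 and shannon_entropy(payload) > entropy_threshold:
            findings[i].append("high-entropy payload")
        # Ordinary ping increments seq per request; a repeated (id, seq) pair is worth a look.
        if seq in seen_seq[ident]:
            findings[i].append("sequence number reuse")
        seen_seq[ident].add(seq)
    return dict(findings)


def sample_messages() -> list:
    """Constructed datagrams (IP header stripped): three benign pings, two suspect ones."""
    timestamp = struct.pack("!QQ", 1034861261, 123456)  # constructed timeval-like prefix
    tunnel_payload = hashlib.shake_256(b"constructed stand-in for encrypted tunnel data").digest(256)
    return [
        build_echo(0x1234, 1, WINDOWS_TEMPLATE),
        build_echo(0x1234, 2, WINDOWS_TEMPLATE),
        build_echo(0x4242, 1, timestamp + LINUX_PATTERN),
        build_echo(0x0001, 0, tunnel_payload),
        build_echo(0x0001, 0, tunnel_payload),  # same id and seq as the previous request
    ]


if __name__ == "__main__":
    for idx, notes in sorted(triage(sample_messages()).items()):
        print(f"packet {idx}: {', '.join(notes)}")
```

The template match is the strongest of the three payload tests; entropy alone is a weak signal on 32- or 56-byte pings, which is why the script only scores it on payloads of 64 bytes or more. On real captures, the baseline should be built from the site's own ping traffic rather than the two hard-coded templates assumed here.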
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/