Penetration Testing mailing list archives

RE: For those interested in covert channels


From: "Abe Getchell" <me () abegetchell com>
Date: Mon, 29 Dec 2008 10:08:49 -0500

Hey,

Cool concept, and I know it's just a POC, but it should be noted that there
are a couple of problems with this in practical implementation. First, data
being present within a SYN packet will (should) likely be seen as an anomaly
by a firewall or IDS. There is a high probability of such a packet being
dropped by a firewall or generating an alert on an IDS. You mention this in
your blog post. Second, a number of "out of state" packets to random ports
over even a long period of time is most likely going to trigger an alert (or
several alerts) on an IDS for port scanning (sfPortscan preprocessor in
Snort for example) or be seen by a firewall as a DoS attack and potentially
block subsequent communication. All of these things would lead to this
covert channel being expressly _not_ covert.

Personally, I've had better luck with covert channels when they are
parasitic in nature. For example, encrypting and encoding data to pack into
an SMTP header such as X-Spam-Report; this is pretty much the wild west as
far as SMTP headers go. Even with as heavily inspected and filtered a
protocol as SMTP is today, I've yet to encounter a product that will block
or alert on something packed into this header due to the unstructured nature
of the data that can be contained within. More on topic to the list, I've
had great success using this technique to exfiltrate data from networks
which have good outbound filtering rules in place at the border. I'm working
on an article which talks about this technique in a little more detail (and
uses a Perl script I wrote that actually does it) which will hopefully see
publication soon.

Abe

--
Abe Getchell
me () abegetchell com
https://abegetchell.com/

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of nights shadow
Sent: Thursday, December 25, 2008 2:14 AM
To: pen-test
Subject: For those interested in covert channels

Hi list, I wrote a quick post about a time when I needed to create a
secure form of communication without any messenger clients.

The post's name is "Guide to Encrypted Covert Channels" and it's
located at:
http://turboborland.blogspot.com/2008/12/guide-to-encrypted-dynamic-covert.html

I hope it provides some entertainment for those who've worked with
covert channels before or those just generally curious.  This was my
first time creating one and it was pretty fun communicating securely
with only needing to be on the same network.  Any and all comments
appreciated.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
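The parasitic SMTP-header channel Abe describes above, as an added example that is not part of the thread and is not Abe's unpublished Perl script. It encrypts a short payload, dresses the ciphertext up as SpamAssassin-style rule lines inside an X-Spam-Report header, serializes the message so the library applies RFC 5322 header folding, and then recovers the payload on the receiving side. Everything here is an assumption of the example: the shared key, the CUSTOM_ rule-name cover format, and the cipher, which is an HMAC-SHA256 counter-mode keystream with an HMAC tag used as a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""
Added example (not from the original thread): a parasitic covert channel that
encrypts a payload and packs it into an X-Spam-Report header, then recovers it
after the message has been serialized and re-parsed (i.e. after header folding).
"""
import base64
import hashlib
import hmac
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed shared secret for the example. A real tool would use a proper
# key exchange and an AEAD such as AES-GCM; the HMAC-based stream cipher below
# is a stdlib-only stand-in that keeps the example self-contained.
SHARED_KEY = hashlib.sha256(b"example shared secret - not for real use").digest()
NONCE_LEN = 12
TAG_LEN = 16
CHUNK = 16  # base32 characters carried per fake rule line


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || truncated HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise on any tampering or truncation."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_report(blob: bytes) -> str:
    """Dress the ciphertext up as SpamAssassin-style rule lines.

    The cover format is this example's own choice: base32 output is uppercase
    letters and the digits 2-7, which reads like a rule name once prefixed
    with CUSTOM_. Scores just cycle through a few plausible values.
    """
    b32 = base64.b32encode(blob).decode().rstrip("=")
    scores = ["0.1", "0.5", "1.2", "-0.1"]
    lines = []
    for i in range(0, len(b32), CHUNK):
        score = scores[(i // CHUNK) % len(scores)]
        lines.append(f"*  {score} CUSTOM_{b32[i:i + CHUNK]} Local rule hit")
    # No embedded newlines: the email library folds the long header itself.
    return " ".join(lines)


def send(key: bytes, payload: bytes) -> str:
    """Return the raw RFC 5322 message carrying the payload."""
    msg = EmailMessage()
    msg["From"] = "alerts@example.com"
    msg["To"] = "ops@example.net"
    msg["Subject"] = "Weekly report"
    msg["X-Spam-Status"] = "No, score=1.7 required=5.0"
    msg["X-Spam-Report"] = build_report(encrypt(key, payload))
    msg.set_content("Please find the weekly report attached.\n")
    return msg.as_string()


def receive(key: bytes, raw: str) -> bytes:
    """Parse the (folded) header, pull the chunks back out, and decrypt."""
    msg = message_from_string(raw, policy=policy.default)
    report = msg["X-Spam-Report"] or ""
    b32 = "".join(re.findall(r"CUSTOM_([A-Z2-7]+)", report))
    blob = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return decrypt(key, blob)


def roundtrip(payload: bytes) -> bytes:
    """Sender and receiver in one call, for quick checks."""
    return receive(SHARED_KEY, send(SHARED_KEY, payload))


if __name__ == "__main__":
    raw = send(SHARED_KEY, b"meet at 0300, bring the drive")
    print(raw)
    print(receive(SHARED_KEY, raw))
```

The check worth running before relying on this is the serialize-then-reparse step shown in `roundtrip`: header folding, re-wrapping by an intermediate MTA, or a gateway that rewrites X-Spam-* headers is the usual way the channel breaks, and the authenticated decrypt fails closed rather than returning garbage when that happens. One caveat a practitioner would add to Abe's point: X-Spam-Report is normally stamped by the recipient's scanner, so a message leaving the network already carrying one is a tell for anyone who does look, even if no product alerts on it today.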


