Penetration Testing mailing list archives
RE: For those interested in covert channels
From: "Abe Getchell" <me () abegetchell com>
Date: Mon, 29 Dec 2008 10:08:49 -0500
Hey,

Cool concept, and I know it's just a POC, but it should be noted that there are a couple of problems with this in practical implementation.

First, data being present within a SYN packet will (should) likely be seen as an anomaly by a firewall or IDS. There is a high probability of such a packet being dropped by a firewall or generating an alert on an IDS. You mention this in your blog post.

Second, a number of "out of state" packets to random ports over even a long period of time is most likely going to trigger an alert (or several alerts) on an IDS for port scanning (sfPortscan preprocessor in Snort, for example) or be seen by a firewall as a DoS attack and potentially block subsequent communication. All of these things would lead to this covert channel being expressly _not_ covert.

Personally, I've had better luck with covert channels when they are parasitic in nature. For example, encrypting and encoding data to pack into an SMTP header such as X-Spam-Report; this is pretty much the wild west as far as SMTP headers go. Even with as heavily inspected and filtered a protocol as SMTP is today, I've yet to encounter a product that will block or alert on something packed into this header due to the unstructured nature of the data that can be contained within.

More on topic to the list, I've had great success using this technique to exfiltrate data from networks which have good outbound filtering rules in place at the border. I'm working on an article which talks about this technique in a little more detail (and uses a Perl script I wrote that actually does it) which will hopefully see publication soon.

Abe

--
Abe Getchell
me () abegetchell com
https://abegetchell.com/
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of nights shadow
Sent: Thursday, December 25, 2008 2:14 AM
To: pen-test
Subject: For those interested in covert channels

Hi list,

I wrote a quick post about a time when I needed to create a secure form of communication without any messenger clients. The post's name is "Guide to Encrypted Covert Channels" and it's located at:

http://turboborland.blogspot.com/2008/12/guide-to-encrypted-dynamic-covert.html

I hope it provides some entertainment for those who've worked with covert channels before or those just generally curious. This was my first time creating one and it was pretty fun communicating securely with only needing to be on the same network. Any and all comments appreciated.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
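Added example, not from the thread or its authors: a defender-side check for the parasitic X-Spam-Report channel Abe describes. It parses a message's headers and flags X-Spam-Report values that carry long, near-random tokens with none of the key=value shape a spam filter's own report has. The sample messages, the 32-character and 4.5 bits/char thresholds, and all function names are constructed assumptions.

```python
import math
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not real mail): a scanner-style X-Spam-Report
# and one carrying an opaque, base64-looking blob in the same header.
BENIGN_MSG = """From: alice@example.test
Subject: lunch
X-Spam-Report: score=0.3 required=5.0 tests=HTML_MESSAGE,SPF_PASS autolearn=ham
"""
SUSPECT_MSG = """From: alice@example.test
Subject: lunch
X-Spam-Report: 9f3Kq1Zr7TcxB2mNvLp8WdYs4HgUe6AoRjXt0QiVfKzM5bCnD1hEwGyPlSuOaI3k
"""

OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]+")          # base64 / base64url alphabet
KEY_VALUE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=.+$")   # key=value as filters emit


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0.0 for empty input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_tokens(value: str, min_len: int = 32, min_entropy: float = 4.5):
    """Tokens that are long, lack key=value shape, and look near-random."""
    hits = []
    for tok in value.split():
        if len(tok) < min_len or KEY_VALUE.match(tok):
            continue                      # short or structured: normal report content
        if OPAQUE_TOKEN.fullmatch(tok) and shannon_entropy(tok) >= min_entropy:
            hits.append(tok)
    return hits


def inspect_message(raw: str):
    """Return (header value, suspicious tokens) for each flagged X-Spam-Report."""
    msg = message_from_string(raw)
    findings = []
    for hdr, val in msg.items():
        if hdr.lower() == "x-spam-report":
            hits = suspicious_tokens(" ".join(val.split()))  # unfold continuation lines
            if hits:
                findings.append((val, hits))
    return findings
```

Tune the thresholds against your own gateway's real X-Spam-Report output before alerting on hits; rule names and score fragments stay below the length floor, so the check only fires on payload-sized opaque tokens.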
Current thread:
- For those interested in covert channels nights shadow (Dec 27)
- Re: For those interested in covert channels Steffen Wendzel (Dec 28)
- RE: For those interested in covert channels Abe Getchell (Dec 29)
- Re: For those interested in covert channels Dante Signal31 (Dec 30)
- <Possible follow-ups>
- Re: Re: For those interested in covert channels nights . shadow (Dec 30)