Penetration Testing mailing list archives

Re: For those interested in covert channels


From: "Dante Signal31" <dante.signal31 () gmail com>
Date: Tue, 30 Dec 2008 12:17:50 +0100

2008/12/25 nights shadow <nights.shadow () gmail com>:
Hi list, I wrote a quick post about a time when I needed to create a
secure form of communication without any messenger clients.

The post's name is "Guide to Encrypted Covert Channels" and it's located at:
http://turboborland.blogspot.com/2008/12/guide-to-encrypted-dynamic-covert.html

I hope it provides some entertainment for those who've worked with
covert channels before or those just generally curious.  This was my
first time creating one and it was pretty fun communicating securely
with only needing to be on the same network.  Any and all comments
appreciated.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Pretty interesting article. The problem I see with that protocol is
that you rely on an unshielded network. I mean, if you have internal
firewalls between your endpoints they would limit the open ports you can
use, drastically reducing your alphabet size. You may use a binary
port encoding; a combination of tries on eight ports may give you the
ASCII alphabet... the problem is that sometimes you don't even have those
eight ports open, and you need to be aware of time-related issues with
this approach.

Maybe you'd like to read one of my blog articles written some time ago
(25 Oct) about network steganography [1].

There I explain (and implement with Python code) some ways to create
covert channels in usual network traffic. I detail data hiding in
ping data fields, in the IP ID header field, in the TCP ISN header and with
the ASN header in TCP. The latter is pretty interesting because I implement
an indirect covert channel connecting two endpoints through a
middle server, which can be useful to circumvent firewall filtering
rules and IDS detection. Besides, I think my Python code can be useful
to you as a starting point to automate your protocol. Please tell me
if you do it so I can announce it in my blog :)


References:
[1] http://danteslab.blogspot.com/2008/10/esteganografa-de-red.html


-- 
Dante
(http://danteslab.blogspot.com/)
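The reply above names two carriers a covert sender can abuse on an ordinary network: the data field of ICMP echo requests and the IP ID header field. The following is an added example, not code from this thread or from either blog, written from the monitoring side: it checks echo-request payloads against the filler patterns stock ping tools use, falls back to a byte-entropy test for anything else, and checks whether a host's IP ID values still behave like a counter. All packets are constructed inline, and the thresholds (`ENTROPY_THRESHOLD`, `MAX_ID_GAP`) are assumptions chosen for illustration rather than published tuning values.

```python
import math
from collections import Counter

# Tuning values are assumptions for this example, not published thresholds.
ENTROPY_THRESHOLD = 5.0   # bits per byte of ICMP echo payload
MAX_ID_GAP = 64           # largest IP ID step expected from a counter-based stack


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping_fill(payload):
    """True when the payload matches a stock ping tool's filler: Windows ping
    cycles the letters a..w, and iputils ping (Linux) writes each byte's own
    offset after its 8- or 16-byte timestamp."""
    if payload == (b"abcdefghijklmnopqrstuvw" * 3)[: len(payload)]:
        return True
    offsets = bytes(i & 0xFF for i in range(len(payload)))
    return any(len(payload) > ts and payload[ts:] == offsets[ts:] for ts in (8, 16))


def ip_id_anomalies(ids, max_gap=MAX_ID_GAP):
    """Indexes at which the IP ID jumps more than `max_gap` (mod 2**16) from
    the previous packet of the same host. Stacks that randomise IP ID per
    packet trip this constantly, so baseline each host before alerting."""
    return [i for i in range(1, len(ids)) if (ids[i] - ids[i - 1]) % 65536 > max_gap]


def scan_echo_requests(packets):
    """Inspect echo requests (dicts with src, ip_id, payload) and return a
    list of (src, reason) alerts for payload and IP ID anomalies."""
    alerts = []
    ids_by_host = {}
    for pkt in packets:
        ids_by_host.setdefault(pkt["src"], []).append(pkt["ip_id"])
        payload = pkt["payload"]
        if looks_like_standard_ping_fill(payload):
            continue  # known benign filler, no need to score it
        ent = shannon_entropy(payload)
        if ent > ENTROPY_THRESHOLD:
            alerts.append((pkt["src"], f"non-standard echo payload, entropy {ent:.2f} bits/byte"))
    for src, ids in ids_by_host.items():
        if ip_id_anomalies(ids):
            alerts.append((src, "IP ID field does not behave like a counter"))
    return alerts


def _linux_fill(n=56):
    # Constructed benign payload: zeroed 16-byte timestamp, then offset filler.
    return b"\x00" * 16 + bytes(range(16, n))


# Constructed sample traffic, not a real capture. 10.0.0.77 stands in for a
# host sending ciphertext-like payloads with arbitrary IP ID values.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "ip_id": 0x1A00, "payload": _linux_fill()},
    {"src": "10.0.0.5", "ip_id": 0x1A01, "payload": _linux_fill()},
    {"src": "10.0.0.5", "ip_id": 0x1A02, "payload": _linux_fill()},
    {"src": "10.0.0.9", "ip_id": 0x0300, "payload": b"abcdefghijklmnopqrstuvwabcdefghi"},
    {"src": "10.0.0.77", "ip_id": 0x4E21, "payload": bytes(reversed(range(56)))},
    {"src": "10.0.0.77", "ip_id": 0x0912, "payload": bytes(reversed(range(56)))},
    {"src": "10.0.0.77", "ip_id": 0xC3A0, "payload": bytes(reversed(range(56)))},
]

if __name__ == "__main__":
    for src, reason in scan_echo_requests(SAMPLE_PACKETS):
        print(f"{src}: {reason}")
```

The filler check comes before the entropy score on purpose: the iputils pattern already scores around 4.7 bits per byte, so entropy alone would flag every Linux ping. For the port-knocking style alphabet the reply discusses, the equivalent signal is a burst of connection attempts from one host spread across a fixed set of ports, which internal firewall deny logs already record and can be grouped per source in the same way `ids_by_host` groups the IP IDs here.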


