Re: Covert channel application using libnet and libpcap

[Frédéric Raynal <frederic.raynal () inria fr>]

 Hello,

Here are (at least) 2 articles that deal with covert channels in
network protocols.

The 1st one describes 3 ways to use TCP/IP headers to conceal
information :
Covert channels in the TCP/IP protocol suite
C. H. Rowland - March 1996
http://www.firstmonday.dk/issues/issue2_5/rowland/

This second paper studies each level of the OSI model and propose lots
of information hiding places :
Hiding Data in the OSI Network Model
T. G. Handel and M. T. Sandford II
In Workshop on Information Hiding - 1996

For those of you who can read french I showed in my PhD that these
channels are covert channel mainly because nobody have a look at these
values (TCP ISN, values of ACK ans so on). See
http://www.security-labs.org/index.php3?page=0

Two covert channels exist in ssh protocol using the padding or the
messages SSH_MSG_IGNORE. It is really covert as random data (the
padding or paylod of SSH_MSG_IGNORE) is replaced with ciphered data,
which must looks like random data. But the capacity of these channels
is not very big.

Anyway, there are so many possible channels on networks, that there is
no need to look for such tricks. For instance, you can use the period
of time used by a client to connect to a server, or the size of the
referrer in an http request, or ... whatever you want !

-- 
Frederic RAYNAL, Ph.D.
http://www.security-labs.org/
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook 

On Wed, Oct 09, 2002 at 05:53:33AM -0000, Rohit Sharma wrote:
> Am sorry for cross posting but such a "covert channel"
> can be easily build by using libnet and libpcap libraries.
>
>
> Fun under the nose:::
>
> This possibly explains how a spyware module can
> communicate with the other host and may send some
> confidential data. Neither am I sure if it has been
> implemented before but something like this is easy to
> implement in my opinion.
>
> Imagine a Watchdog client(WDC) probing some XYZ host
> after every 30 seconds for some service etc... Attach
> to the WDClient is nothing but a spyware module, now
> since WDClient generally runs in superuser mode as it
> has to alert or log etc it is easy for WDC... to make
> use of all those restircted resources. After it has the
>  confidential text it can encrypt it in some number
> form and send it in the TCP Header and not the payload.
> Yes TCP header as the acknowledgement number. It need
> not modify the payload or the actual data content. If
> the Text is too big simply fragment it and put it
> across as the different tcp acks and number the
> sequence number accordingly to reassemble the text
> properly. Actually this sounds funny or not possible
> but for any watchdog that may work over tcp it can be
> very simply implemented.
>
> Here in the libnet generated packet I am simply sending
> the text "Rohit" TCP header. Look at the
> acknowledgement field each char is it's actual position
> in the alphabetic list. R-18 o-15 etc...
> Similary in the next packet I can send something Like
> "Sharma" but with the Sequence nos 11112
>
> from the test example from the libnet project
>  /*
>      *  Build the TCP header.
>      */
>     libnet_build_tcp(src_prt,               /* Source
> TCP port */
>             dst_prt,                        /*
> Destination TCP port */
>             11111,                          /* Sequence
> number */
>             1815080920,                          /*
> Acknowledgement number */
>             TH_SYN,                         /* Control
> flags */
>             1024,                           /* Window
> size */
>             0,                              /* Urgent
> pointer */
>             NULL,                           /* Pointer
> to payload (none) */
>             0,
>             buf + LIBNET_IP_H);             /* Packet
> header memory */
>
>
>
> It is very much possible that the administrator will
> never look at the ack field for any packet that is
> generating after every 30 seconds or so. The other end
> will simply read such a packet ... to differentiate
> among the other normal packets the sequence nos
> starting with all 1's or 2's etc can differentiate well.