Vulnerability Development mailing list archives

Re: Covert Channels


From: "CJ Oster" <cjo () dothe12 com>
Date: Wed, 16 Oct 2002 19:40:00 -0500

A friend of mine and I had once talked about a data transfer package using
the ICMP payload (16 bytes I seem to recall) to get around the traffic
limitations imposed on us when we were students.  Since the data limits
didn't count ICMP packets we didn't really care that all traffic was
doubled.  The fact that the other host sends the data back
eliminates the need for an acknowledgement, though.  At the time, I didn't know
enough about network programming to have any idea about how to get the ICMP
payload on the receiving end so it was left at that: just an idea.  I had
forgotten it until now though.  Perhaps I'll write something up in the near
future.

-CJO-

-----
 Charles Oster: CCNA, CCDA, A+, Linux+ Certified
 Network/IT Technician (lordvadr () devonshire-realty com)

 Devonshire Group, Inc
 201 W. Springfield, 4th fl.
 Champaign, IL 61820

 PGP: 87D5 4216 43A1 42D6 754D  8F5E 24B3 992A B7A1 F556

 [afghanistan ~]# rm -rf /bin/laden
 [afghanistan ~]#


----- Original Message -----
From: "Jeremy Junginger" <jjunginger () usbestcrm com>
To: <vuln-dev () securityfocus com>; <pen-test () securityfocus com>
Sent: Wednesday, October 16, 2002 5:08 PM
Subject: Covert Channels


Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
header information to transmit encoded messages from one host to
another?  Shortly after reading
http://www.firstmonday.dk/issues/issue2_5/rowland/ I was very tempted to
put together a proof-of-concept program to demonstrate the use of covert
channels (and more importantly, how they could slip right by the IDS)
with the tools I had on hand.  I ended up using nemesis (Thank you Mr.
Grimes), tcpdump, and a little Perl script to kind of piece a tool
together that would transmit encoded (I use that term loosely) ASCII
data within the IP id field of the IP header.  It works okay until you
go through a NAT device that decides to change the IPID :)  I wondered
if anyone else has attempted to create a similar covert channel, and if
it is even useful when you can potentially encrypt/tunnel many chat
applications over a 3DES tunnel on basically any port in order to
subvert a security policy.

A penny for your thoughts...

Jeremy
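As an added example that is not part of either post: a small defender-side heuristic for the IP-ID channel Jeremy describes, run over constructed sample flows. It scores a flow by how often both bytes of the 16-bit IP ID look like text and by whether the field still increments the way an ordinary stack's does, then renders a flagged flow's IDs as text for the responder. The sample IP ID lists, the 0.8 threshold and the 64-step limit are constructed values, not measurements.

```python
from typing import Sequence

# Constructed sample flows (not from the thread): 16-bit IP ID values in arrival order.
NORMAL_IPIDS = [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2E, 0x1A2F, 0x1A30]   # plain incrementing stack
COVERT_IPIDS = [0x6865, 0x6C6C, 0x6F20, 0x776F, 0x726C, 0x6421]   # two ASCII bytes per packet


def _is_text_byte(b: int) -> bool:
    """Printable ASCII plus tab/LF/CR, the bytes a text-carrying channel would emit."""
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def ascii_fraction(ipids: Sequence[int]) -> float:
    """Share of IP IDs whose high and low bytes both look like text.
    Uniformly random IDs hit this by chance only about 14% of the time ((95/256)**2)."""
    if not ipids:
        return 0.0
    hits = sum(1 for v in ipids if _is_text_byte(v >> 8) and _is_text_byte(v & 0xFF))
    return hits / len(ipids)


def looks_sequential(ipids: Sequence[int], max_step: int = 64) -> bool:
    """True if every delta (mod 2**16) is a small positive step, as an incrementing
    stack produces. Stacks that randomize the IP ID or hold it constant fail this
    test too, so it is a supporting signal, not a verdict on its own."""
    if len(ipids) < 2:
        return True
    steps = ((b - a) % 0x10000 for a, b in zip(ipids, ipids[1:]))
    return all(0 < s <= max_step for s in steps)


def flag_flow(ipids: Sequence[int], threshold: float = 0.8, min_packets: int = 4) -> bool:
    """Alert when a flow is long enough, mostly text-like, and not incrementing."""
    return (len(ipids) >= min_packets
            and ascii_fraction(ipids) >= threshold
            and not looks_sequential(ipids))


def decode_ipids(ipids: Sequence[int]) -> str:
    """Responder aid: render the flagged IDs as the text they would carry (big-endian)."""
    return b"".join(v.to_bytes(2, "big") for v in ipids).decode("ascii", errors="replace")


if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_IPIDS), ("covert", COVERT_IPIDS)):
        print(f"{name}: ascii={ascii_fraction(flow):.2f} "
              f"sequential={looks_sequential(flow)} flagged={flag_flow(flow)}")
```

The NAT behaviour Jeremy ran into cuts both ways: a device that rewrites the IP ID destroys the pattern before it reaches any sensor behind it, so this check only has something to look at when the sensor sits on the original sender's side of such a device.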
