Vulnerability Development mailing list archives
RE: Covert Channels
From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Thu, 17 Oct 2002 06:58:39 -0700
From: kam [mailto:kam () aversion net] Sent: Wednesday, October 16, 2002 7:14 PM On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy Junginger said:Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP header information to transmit encoded messages from one host to another?
The problem with your idea is that it will never work for the actual exploitation of a system or network. If you plan on using this medium as a communication channel, that's one thing, but you will never get a host machine to respond to options in these fields. In order to get a host machine to pull this out of the packet and USE it, you'd have to re-write the IP stack for that machine. If you can replace
an
IP stack on a machine, there's no good reason to be doing it in the first place, as you've already got root (or some form of escalated privs).
The original question concerned covert channels, not penetration. (I'm not sure why Jeremy sent it to pen-test.) Penetration is a completely different issue. For covert-channel purposes, replacing the IP stacks on both end nodes may be a reasonable requirement. That said, I agree that it's tough to guarantee getting header fields through unmodified by routers, NAT, firewalls, and so forth. Most normal applications will tolerate all sorts of manipulation - rewriting addresses and ports, changing IP IDs, defragmenting IP packets or even coalescing TCP segments, and so forth - so it's entirely possible that current or future intermediate nodes will be doing so. For example, TCP segment size looks like a possible viable covert channel (though one that would produce pretty suspicious-looking traffic if you weren't very careful). Disable Nagle and send data in chunks such that the size stays under the PMTU and indicates something - trivially, send 1-256 bytes each time, where data size - 1 is the byte value you're transmitting "covertly". Hack the stack on the receiving end to report the TCP segment size. Sounds viable (if naive), but a stateful, content-inspecting firewall might preprocess TCP traffic looking for virus signatures or the like, for example, and in doing so reblock the segments. I don't know that any do so today, but I don't know that this technique would have much long-term viability. TCP flags and the like are even less likely to survive untouched for long. In any case, covert channels aren't really scarce. Remember that covert-IP-over-DNS implementation from a few years back? Michael Wojcik Principal Software Systems Developer, Micro Focus
Current thread:
- Re: Covert Channels, (continued)
- Re: Covert Channels Blue Boar (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Frank Knobbe (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Frank Knobbe (Oct 23)
- Re: Covert Channels Anton Aylward (Oct 23)
- Re: Covert Channels Roland Postle (Oct 24)
- RE: Covert Channels Omar Herrera (Oct 23)
- RE: Covert Channels Michal Zalewski (Oct 23)
- RE: Covert Channels Richard Masoner (Oct 23)
- RE: Covert Channels Omar Herrera (Oct 23)
- Re: Covert Channels Timothy J. Miller (Oct 23)
- Re: Covert Channels David Wagner (Oct 24)