Vulnerability Development mailing list archives

Re: Covert Channels


From: "David Litchfield" <david () ngssoftware com>
Date: Fri, 18 Oct 2002 16:02:47 +0100


Using covert channels with the ICMP protocol can be defeated if you know
what to expect and what your traffic needs to look like.

Huh? It's perfectly possible to communicate over "good looking" channels
using subtleties like timing, "acceptable" variations, etc, etc. Same with
any other protocol - what if you limit outgoing HTTP requests only to two
documents, /docone and /doctwo, if I can still implement a covert channel

Whilst this works on a binary level (/docone = 0 and /doctwo = 1), enabling you
to channel bits, it's quite network intensive. Further, by looking at the log
files one could get an idea that *something* is wrong. Here's a proposed
implementation that helps defeat the problem of compression (less
network intensive) and the log file problem. The solution uses Base64
encoded messages sent using Morse.

Index the site. Set the User Agent so it looks like a common search engine.

Treat all image files (jpegs, gifs, etc) on the web server in question as a
dot and all html docs as a dash.

Base64 encode the message. This 'message' could be binary data, ascii
strings, whatever.

The Base64 character set uses the characters A-Z, a-z, 0-9, +, / and, for padding, an
equals sign (=).

Map the latter 3 (+, /, =) to the full stop (.-.-.-), comma (--..--) and
question mark (..--..) of the Morse character set.

A GET request denotes a lower case character and a HEAD request denotes an
upper case character. (This solves the case insensitivity of the Morse
character set.) Numbers are treated as lowercase.

When sending a message choose one of the many file names at random returned
from the site spidering.

I'd estimate the "compression" benefits of this technique would be about 50%
(when you consider that 3 ASCII chars == 4 Base64 chars and a Morse
"character" could take up to five requests). For example, if the number 7
(--...) happened to appear in the Base64 string you'd need to generate 5
requests:

GET /index.html HTTP/1.0
GET /news.html HTTP/1.0
GET /logo.gif HTTP/1.0
GET /banner.jpeg HTTP/1.0
GET /pic1.gif HTTP/1.0

(But this is still better than the 8 requests you'd need for transferring
bits ;)

Better than choosing filenames in a truly random way you could actually
associate images with html so requests don't look like they're out of sync.

For those that are worried about casual "snoopers", employing something as
simple as a Caesar shift will keep people guessing for a few hours ;)

Well, that wraps up a perfectly good afternoon. Time for the weekend!

Cheers,
David Litchfield
http://www.nextgenss.com/
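The post above describes the channel's shape but never measures it, and it only gestures at the log-file problem. The following Python is an added example (it is not code from the post or from NGSSoftware) that does two things from the defender's side: it counts how many requests the Morse-over-Base64 scheme would actually need for a message, against the one-bit-per-request baseline, so the "about 50%" estimate can be checked; and it runs a simple detection pass over access-log lines, flagging a "search engine" client whose traffic has the channel's footprint. The log lines, the IndexerBot user agent, the IP addresses and the thresholds are constructed for this example; the heuristics (a real indexer fetches each URL about once and almost always with GET, whereas the channel re-requests a small pool of spidered URLs and needs HEAD for every upper-case Base64 character) are this example's assumptions, not rules stated in the post.

```python
import base64
import re
from collections import defaultdict

# Morse table for the Base64 alphabet, following the post: letters and digits use
# standard Morse (case is carried by the HTTP method, not by the Morse), and
# '+', '/', '=' map to the full stop, comma and question mark codes.
_TABLE = ("A .- B -... C -.-. D -.. E . F ..-. G --. H .... I .. J .--- K -.- L .-.. M -- "
          "N -. O --- P .--. Q --.- R .-. S ... T - U ..- V ...- W .-- X -..- Y -.-- Z --.. "
          "0 ----- 1 .---- 2 ..--- 3 ...-- 4 ....- 5 ..... 6 -.... 7 --... 8 ---.. 9 ----.").split()
MORSE = dict(zip(_TABLE[0::2], _TABLE[1::2]))
MORSE.update({"+": ".-.-.-", "/": "--..--", "=": "..--.."})


def morse_for(ch):
    """Morse code (one request per dot or dash) for one Base64 character."""
    return MORSE[ch if ch in "+/=" else ch.upper()]


def request_costs(message):
    """Requests needed to carry `message` (bytes): (one bit per request, Morse over Base64)."""
    b64 = base64.b64encode(message).decode("ascii")
    per_bit = 8 * len(message)                       # /docone = 0, /doctwo = 1
    per_morse = sum(len(morse_for(c)) for c in b64)  # one request per dot or dash
    return per_bit, per_morse


# NCSA combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# The channel can only use two symbol classes: images (dot) and HTML documents (dash).
SYMBOL_EXT = (".gif", ".jpg", ".jpeg", ".png", ".html", ".htm")


def flag_clients(lines, min_requests=8, head_share=0.25, repeat_ratio=2.0):
    """Return {(ip, user_agent): reasons} for clients whose traffic fits the channel's shape.

    Heuristics (assumptions of this example): an indexer fetches each URL about once
    and almost always with GET; the channel re-requests a small pool of spidered URLs
    and issues HEAD for every upper-case Base64 character.
    """
    groups = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            groups[(m["ip"], m["ua"])].append((m["method"], m["path"]))
    flagged = {}
    for client, reqs in groups.items():
        if len(reqs) < min_requests:
            continue
        heads = sum(1 for method, _ in reqs if method == "HEAD") / len(reqs)
        distinct = len({path for _, path in reqs})
        repeats = len(reqs) / distinct
        only_symbols = all(path.lower().endswith(SYMBOL_EXT) for _, path in reqs)
        if only_symbols and heads >= head_share and repeats >= repeat_ratio:
            flagged[client] = [f"HEAD share {heads:.0%}",
                               f"{len(reqs)} requests over {distinct} distinct paths"]
    return flagged


def _line(ip, method, path, ua):
    # Constructed log line in combined format; the timestamp is the post's own date.
    return f'{ip} - - [18/Oct/2002:16:02:47 +0100] "{method} {path} HTTP/1.0" 200 512 "-" "{ua}"'


BOT = "Mozilla/5.0 (compatible; IndexerBot/2.1)"  # hypothetical crawler UA, shared by both clients
SAMPLE_LOG = (
    # 198.51.100.4: a well-behaved indexer, each URL fetched once with GET
    [_line("198.51.100.4", "GET", p, BOT) for p in
     ("/index.html", "/news.html", "/about.html", "/logo.gif", "/banner.jpeg",
      "/pic1.gif", "/contact.html", "/products.html")] +
    # 203.0.113.7: same UA, but mixed HEAD/GET over a pool of five URLs; the first
    # five requests are the post's own example sequence for the digit 7 (--...)
    [_line("203.0.113.7", m, p, BOT) for m, p in
     (("GET", "/index.html"), ("GET", "/news.html"), ("GET", "/logo.gif"),
      ("GET", "/banner.jpeg"), ("GET", "/pic1.gif"), ("HEAD", "/index.html"),
      ("HEAD", "/logo.gif"), ("HEAD", "/news.html"), ("GET", "/logo.gif"),
      ("HEAD", "/index.html"))]
)

if __name__ == "__main__":
    print("requests for b'hello world' (per-bit, Morse):", request_costs(b"hello world"))
    for client, reasons in flag_clients(SAMPLE_LOG).items():
        print("suspect", client, "-", "; ".join(reasons))
```

For the input `hello world` the Morse scheme needs 61 requests against 88 for one bit per request, a saving of roughly 30% on this input rather than the post's rough 50%. The detector only looks at per-client shape, not content, so it needs no knowledge of how characters are delimited (which the post leaves unspecified); tune `head_share` and `repeat_ratio` against the site's genuine crawler traffic before relying on it.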