From: Erik Parker (eparker_at_mindsec.com)
Date: Wed Oct 16 2002 - 18:47:39 CDT


> Many people have discussed this concept, but nothing has ever taken form.
>
> In order to get a host machine to pull this out of the packet and USE it,
> you'd have to re-write the IP stack for that machine. If you can replace an
> IP stack on a machine, there's no good reason to be doing it in the first
> place, as you've already got root (or some form of escalated privs).

Well.. That's not really accurate.. A few people have written programs that
let you send data in "Secret".. In TCP headers, as well as ICMP headers.. and
the router does not toss them out, as long as they're put in variable sections.
(and UDP headers.. and just about everything else a router will let you send)

In fact, there is an ICMP chat program on freshmeat, that lets you and someone
else chat to each other via icmp packets. And there certainly is a point to
it.. It's easier to bypass a crappy IDS system if you hide your data.

There have been people who were owned, and got shell code sent to
them via little bits of shell code tacked on to the end of email spam
messages, and a service on the remote side intercepting those mails and executing the code
via direction from arp traffic.

The overhead is a lot greater, especially if you throw encryption into it..
and the methods are slow, but they work.. Also, in the case of ICMP traffic..
nobody really looks at it too closely for the most part, so it's pretty easy
to stick things in there. A backdoor on a system could easily sit and watch
icmp all day looking for their command packets to come in.

I'm not sure why you'd need to replace the IP stack on the machine.. you're
not modifying the internet protocol.. just some of the data it carries.

Lots of ways to hide your traffic.. And technically, you could do it without
actually needing a sniffer running, if you already own the system.. Just
intercept the calls with your own functions..

So, I'd have to say 'completely pointless' is an improper term to use here..
Because it is in fact, a method that has been used against some of the most
well known 'white hats' out there.. to bypass their IDS systems, and live
silently on their systems.
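The post above argues that data carried in ICMP echo payloads slips past an IDS that never looks at it. As an added example from the defender's side (not code from the original message or any tool it mentions), here is a small Python triage routine that parses an IPv4/ICMP echo packet and sorts its payload into stock ping data, readable text, ciphertext-like bytes, or other; the packet builder, the sample payloads and the 0.9 entropy ratio are constructed assumptions for the demo, not measured thresholds.

```python
import math
import string

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def parse_icmp_echo(packet: bytes):
    """Return (type, code, ident, seq, payload) for an IPv4 echo request/reply, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:  # IP protocol 1 = ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]                           # skip IHL*4 header bytes
    if len(icmp) < 8 or icmp[0] not in (0, 8):                        # 0 = reply, 8 = request
        return None
    return icmp[0], icmp[1], int.from_bytes(icmp[4:6], "big"), int.from_bytes(icmp[6:8], "big"), icmp[8:]

def is_stock_ping_payload(payload: bytes) -> bool:
    """Match the default data of Windows ping and of Linux iputils ping."""
    if payload == b"abcdefghijklmnopqrstuvwabcdefghi":                # Windows, 32 bytes
        return True
    # iputils: 8- or 16-byte timeval, then the byte at offset i is i (0x10 0x11 0x12 ...)
    return any(len(payload) > ts and payload[ts:] == bytes(i & 0xFF for i in range(ts, len(payload)))
               for ts in (8, 16))

def classify_echo_payload(payload: bytes) -> str:
    """Coarse triage of echo data: stock ping, readable text, ciphertext-like, or other."""
    if is_stock_ping_payload(payload):
        return "stock"
    if payload and all(chr(b) in string.printable for b in payload):
        return "text"          # readable strings riding in ping data
    # assumed heuristic: entropy close to the maximum possible for this many bytes
    limit = math.log2(min(len(payload), 256)) if len(payload) > 1 else 1.0
    return "high-entropy" if shannon_entropy(payload) / limit > 0.9 else "other"

def build_echo_packet(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed sample: minimal IPv4 header + echo header; checksums left zero."""
    total = (20 + 8 + len(payload)).to_bytes(2, "big")
    ip = bytes([0x45, 0]) + total + bytes(4) + bytes([64, 1]) + bytes(2) + bytes(8)
    icmp = bytes([icmp_type, 0, 0, 0]) + (0x1234).to_bytes(2, "big") + (1).to_bytes(2, "big")
    return ip + icmp + payload

# Constructed payloads (not real captures): stock Linux ping, chat text, ciphertext stand-in
LINUX_STOCK = bytes(16) + bytes(range(0x10, 0x38))
CHAT_TEXT = b"hello over icmp"
CIPHERTEXT_LIKE = bytes(range(255, 215, -1))
```

The stock-pattern check has to come before the entropy test: a default Linux ping payload is a run of unique ascending bytes and would otherwise score as maximally random.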