From: Michael Wojcik (Michael.Wojcik_at_microfocus.com)
Date: Thu Oct 17 2002 - 08:58:39 CDT

    > From: kam [mailto:kamaversion.net]
    > Sent: Wednesday, October 16, 2002 7:14 PM
    >
    > On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy Junginger said:
    > > Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
    > > header information to transmit encoded messages from one host to
    > > another?

    > The problem with your idea is that it will never work for the actual
    > exploitation of a system or network. If you plan on using this medium as a
    > communication channel, that's one thing, but you will never get a host
    > machine to respond to options in these fields.
    >
    > In order to get a host machine to pull this out of the packet and USE it,
    > you'd have to re-write the IP stack for that machine. If you can replace an
    > IP stack on a machine, there's no good reason to be doing it in the first
    > place, as you've already got root (or some form of escalated privs).

    The original question concerned covert channels, not penetration. (I'm not
    sure why Jeremy sent it to pen-test.) Penetration is a completely different
    issue.

    For covert-channel purposes, replacing the IP stacks on both end nodes may
    be a reasonable requirement.

    That said, I agree that it's tough to guarantee getting header fields
    through unmodified by routers, NAT, firewalls, and so forth. Most normal
    applications will tolerate all sorts of manipulation - rewriting addresses
    and ports, changing IP IDs, defragmenting IP packets or even coalescing TCP
    segments, and so forth - so it's entirely possible that current or future
    intermediate nodes will be doing so.

    For example, TCP segment size looks like a possible viable covert channel
    (though one that would produce pretty suspicious-looking traffic if you
    weren't very careful). Disable Nagle and send data in chunks such that the
    size stays under the PMTU and indicates something - trivially, send 1-256
    bytes each time, where data size - 1 is the byte value you're transmitting
    "covertly". Hack the stack on the receiving end to report the TCP segment
    size. Sounds viable (if naive), but a stateful, content-inspecting firewall
    might preprocess TCP traffic looking for virus signatures or the like, for
    example, and in doing so reblock the segments. I don't know that any do so
    today, but I don't know that this technique would have much long-term
    viability.

    TCP flags and the like are even less likely to survive untouched for long.

    In any case, covert channels aren't really scarce. Remember that
    covert-IP-over-DNS implementation from a few years back?

    Michael Wojcik
    Principal Software Systems Developer, Micro Focus
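
As an added illustration (not part of the original thread, and not code by any of its participants), the following Python models the segment-size channel Michael sketches from the monitoring side: it shows why a middlebox that reassembles and re-segments the stream destroys the channel, and what a simple per-flow heuristic over observed TCP payload lengths could flag. No sockets are used; a "flow" is just a list of payload sizes. The sample flows, the MSS value and the detection thresholds are constructed assumptions.

```python
"""Toy model of the TCP-segment-size covert channel sketched in the thread,
viewed from the monitoring side.  No sockets are used: a "flow" here is
just the list of TCP payload lengths observed for one connection, in order.
All flows, the MSS and the thresholds below are constructed assumptions."""
import math
from collections import Counter

MSS = 1460  # assumed path maximum segment size (constructed)


def encode_sizes(message: bytes) -> list[int]:
    """Segment sizes the scheme in the thread produces: one segment per
    message byte, carrying (byte value + 1) bytes of payload, i.e. 1..256."""
    return [b + 1 for b in message]


def decode_sizes(sizes: list[int]) -> bytes:
    """What a receiving stack that reports segment sizes would recover.
    Sizes outside 1..256 cannot have come from the encoder and are dropped."""
    return bytes(s - 1 for s in sizes if 1 <= s <= 256)


def coalesce(sizes: list[int], mss: int = MSS) -> list[int]:
    """Simulate a middlebox (TCP proxy, content-inspecting firewall) that
    reassembles the byte stream and re-segments it at the MSS.  Only the
    total byte count survives; the original segment boundaries do not."""
    full, rest = divmod(sum(sizes), mss)
    return [mss] * full + ([rest] if rest else [])


def size_entropy(sizes: list[int]) -> float:
    """Shannon entropy (bits) of the distribution of segment sizes."""
    n = len(sizes)
    return -sum(c / n * math.log2(c / n) for c in Counter(sizes).values())


def looks_like_size_channel(sizes, min_segments=32, small=256,
                            small_ratio=0.9, min_entropy=4.0) -> bool:
    """Heuristic flag.  Bulk transfers are dominated by MSS-sized segments and
    interactive sessions by a few repeated small sizes; a flow that is almost
    entirely small segments *and* spreads over many distinct sizes (high
    entropy) is what the naive scheme above looks like on the wire."""
    if len(sizes) < min_segments:
        return False
    small_frac = sum(1 for s in sizes if s <= small) / len(sizes)
    return small_frac >= small_ratio and size_entropy(sizes) >= min_entropy


# Constructed sample flows ---------------------------------------------------
SECRET = b"the quick brown fox jumps over the lazy dog 0123456789"
COVERT_FLOW = encode_sizes(SECRET)                    # naive channel, end to end
BULK_FLOW = [MSS] * 40 + [700]                        # e.g. a file download
INTERACTIVE_FLOW = [52] * 30 + [100] * 10 + [36] * 5  # keystroke-like traffic


def report() -> dict:
    """Run the checks the thread raises and return the results by name."""
    reblocked = coalesce(COVERT_FLOW)
    return {
        "decodes_end_to_end": decode_sizes(COVERT_FLOW) == SECRET,
        "survives_coalescing": decode_sizes(reblocked) == SECRET,
        "flag_covert": looks_like_size_channel(COVERT_FLOW),
        "flag_bulk": looks_like_size_channel(BULK_FLOW),
        "flag_interactive": looks_like_size_channel(INTERACTIVE_FLOW),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:22s} {value}")
```

The entropy threshold is the part a practitioner would tune against real traffic: interactive protocols such as SSH produce many small segments, but of only a handful of repeated sizes, which is what keeps `INTERACTIVE_FLOW` below the bar while the constructed covert flow clears it.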