Re: Covert Channels

From: Alex Tibbles (alex_tibblesat_private)
Date: Thu Oct 17 2002 - 01:50:59 PDT


     --- kam <kamat_private> wrote: 
    
    > On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy Junginger said something like...
    > > Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
    ... etc.
    
    > Many people have discussed this concept, but nothing has ever taken form.
    >
    > The problem with your idea is that it will never work for the actual
    > exploitation of a system or network. If you plan on using this medium as
    > a communication channel, that's one thing, but you will never get a host
    > machine to respond to options in these fields.
    >
    > The endpoint machine's IP stack is going to junk any data within those
    > fields, as they are not pertinent to that particular machine (especially
    > if it's crap, i.e., something not supposed to be in that field.)
    >
    > In order to get a host machine to pull this out of the packet and USE it,
    > you'd have to re-write the IP stack for that machine. If you can replace
    > an IP stack on a machine, there's no good reason to be doing it in the
    > first place, as you've already got root (or some form of escalated privs).
    This is a fair point. However, the original post mentioned fooling IDS.
    IDS should not only detect attempted intrusions, but also successfully
    compromised systems talking to their new masters. This kind of approach
    will not make the former any harder (for the IDS) but will make the
    latter harder. I'm thinking of e.g. DDoS clients: an already compromised
    system (with a newly modified IP stack (OK, this is hard)) can report
    back to its handler via a covert channel.
    
    
    > In order for this concept to be effective against a single host (in the
    > case of attempting to run a remote exploit against a host), you'd have to
    > have a box in the middle with a modified stack to intercept, decode, and
    > not throw away these extra bits of data. Then again, if you can insert a
    > new BOX on a network, you probably aren't worried about using such a
    > complicated method of compromising a host.
    Again, good point. This approach could allow a cascade effect: compromise
    one host, use the compromised host as the end of a tunnel (covert
    channel->regular TCP, say); then you've got a covert channel to all hosts
    on the network.
    
    > In a network sense, it's almost even more pointless. A router isn't going
    > to understand whatever hidden commands you've got in any field (IP
    > option, ID, generally unused portions of the TCP header, etc) so they
    > will throw it out. Depending on when you do the actual insertion of your
    > data into the packet, chances are at some point (if not on your machine,
    > up the line) someone's CRC is going to be off and you're going to lose
    > the packet. Keep in mind that not everyone runs the same network
    > appliances, and all stacks (unless intentionally otherwise) act
    > differently. Some will recalculate the CRC with your data, some will
    > toss your data and recalculate, and others still will just toss your
    > packet.
    >
    > All in all, a kinda cool concept, but completely pointless.
    Not really. It's got applications, as I've outlined. IDS needs to be
    capable of looking in such covert channels for evidence of intrusions.
    
    alex
    

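The thread's point that data pushed into header fields tends to show up as a mismatched checksum, IP options, unused TCP bits, or an IP ID field that no longer increments is something an IDS can actually check for. The following Python example is added here as an illustration and is not code from anyone in this thread; it constructs two sample IPv4/TCP flows (placeholder 10.0.0.x addresses, constructed IDs) and runs simple per-packet and per-flow checks over them. The flow-level ID rule is a heuristic only.

```python
import struct

def ipv4_checksum(hdr: bytes) -> int:
    # RFC 791 one's-complement sum of 16-bit words; the caller passes the header with its checksum field zeroed
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(ip_id: int, tcp_reserved: int = 0, corrupt_checksum: bool = False) -> bytes:
    # Constructed sample: minimal IPv4 header + minimal TCP SYN, no payload; 10.0.0.x addresses are placeholders
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    csum = ipv4_checksum(ip) ^ (0x00FF if corrupt_checksum else 0)
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    # TCP byte 12: data offset (5 words) in the high nibble, RFC 793 reserved bits in the low nibble
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 << 4) | (tcp_reserved & 0x0F), 0x02, 65535, 0, 0)
    return ip + tcp

def inspect_packet(pkt: bytes) -> list:
    # Per-packet checks for the fields the thread names: a checksum that no longer matches, IP options, unused TCP bits
    findings = []
    ihl = (pkt[0] & 0x0F) * 4
    ip = pkt[:ihl]
    stored = struct.unpack("!H", ip[10:12])[0]
    if ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:]) != stored:
        findings.append("ip-checksum-mismatch")
    if ihl > 20:
        findings.append("ip-options-present")
    if pkt[9] == 6 and pkt[ihl + 12] & 0x0F:
        findings.append("tcp-reserved-bits-set")
    return findings

def inspect_flow(pkts: list) -> list:
    # Flow-level heuristic: many classic stacks assign the ID field incrementally, so IDs that mostly jump by
    # more than 64 between consecutive packets of one flow deserve a closer look (not proof: some stacks randomise IDs)
    ids = [struct.unpack("!H", p[4:6])[0] for p in pkts]
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if deltas and sum(1 for d in deltas if d > 64) > len(deltas) // 2:
        return ["ip-id-irregular"]
    return []

# Constructed samples: an ordinary flow with sequential IDs, and one with arbitrary IDs and reserved bits set
NORMAL_FLOW = [build_packet(i) for i in range(1000, 1005)]
COVERT_FLOW = [build_packet(i, tcp_reserved=0b1010) for i in (0x4865, 0x6C6C, 0x6F21, 0x0D0A)]
```

Running `inspect_packet` over each packet and `inspect_flow` over each list flags only the second flow; a real sensor would feed captured headers into the same two functions.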


    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:27:04 PDT