Re: Covert Channels

From: CJ Oster (cjoat_private)
Date: Wed Oct 16 2002 - 17:40:00 PDT


    A friend of mine and I had once talked about a data transfer package using
    the ICMP payload (16 bytes I seem to recall) to get around the traffic
    limitations imposed on us when we were students.  Since the data limits
    didn't count ICMP packets we didn't really care that all traffic was
    doubled.  Although the fact that the other host sends the data back
    eliminates the need for an acknowledgement.  At the time, I didn't know
    enough about network programming to have any idea about how to get the ICMP
    payload on the receiving end so it was left at that: just an idea.  I had
    forgotten it until now though.  Perhaps I'll write something up in the near
    future.
    
    -CJO-
    
    -----
     Charles Oster: CCNA, CCDA, A+, Linux+ Certified
     Network/IT Technician (lordvadr@devonshire-realty.com)
    
     Devonshire Group, Inc
     201 W. Springfield, 4th fl.
     Champaign, IL 61820
    
     PGP: 87D5 4216 43A1 42D6 754D  8F5E 24B3 992A B7A1 F556
    
     [afghanistan ~]# rm -rf /bin/laden
     [afghanistan ~]#
    
    
    ----- Original Message -----
    From: "Jeremy Junginger" <jjungingerat_private>
    To: <vuln-devat_private>; <pen-testat_private>
    Sent: Wednesday, October 16, 2002 5:08 PM
    Subject: Covert Channels
    
    
    > Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
    > header information to transmit encoded messages from one host to
    > another?  Shortly after reading
    > http://www.firstmonday.dk/issues/issue2_5/rowland/ I was very tempted to
    > put together a proof-of-concept program to demonstrate the use of covert
    > channels (and more importantly, how they could slip right by the IDS)
    > with the tools I had on hand.  I ended up using nemesis (Thank you Mr.
    > Grimes), tcpdump, and a little Perl script to kind of piece a tool
    > together that would transmit encoded (I use that term loosely) ASCII
    > data within the IP id field of the IP header.  It works okay until you
    > go through a NAT device that decides to change the IPID :)  I wondered
    > if anyone else has attempted to create a similar covert channel, and if
    > it is even useful when you can potentially encrypt/tunnel many chat
    > applications over a 3DES tunnel on basically any port in order to
    > subvert a security policy.
    >
    > A penny for your thoughts...
    >
    > Jeremy
    >
    >
    >
    



    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:31:01 PDT