A friend of mine and I had once talked about a data transfer package using the ICMP payload (16 bytes I seem to recall) to get around the traffic limitations imposed on us when we were students. Since the data limits didn't count ICMP packets we didn't really care that all traffic was doubled. Although the fact that the other host sends the data back eliminates the need for an acknowledgement. At the time, I didn't know enough about network programming to have any idea about how to get the ICMP payload on the receiving end so it was left at that: just an idea. I had forgotten it until now though. Perhaps I'll write something up in the near future.

-CJO-

-----
Charles Oster: CCNA, CCDA, A+, Linux+
Certified Network/IT Technician (lordvadr@devonshire-realty.com)
Devonshire Group, Inc
201 W. Springfield, 4th fl.
Champaign, IL 61820
PGP: 87D5 4216 43A1 42D6 754D 8F5E 24B3 992A B7A1 F556
[afghanistan ~]# rm -rf /bin/laden
[afghanistan ~]#

----- Original Message -----
From: "Jeremy Junginger" <jjungingerat_private>
To: <vuln-devat_private>; <pen-testat_private>
Sent: Wednesday, October 16, 2002 5:08 PM
Subject: Covert Channels

> Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
> header information to transmit encoded messages from one host to
> another? Shortly after reading
> http://www.firstmonday.dk/issues/issue2_5/rowland/ I was very tempted to
> put together a proof-of-concept program to demonstrate the use of covert
> channels (and more importantly, how they could slip right by the IDS)
> with the tools I had on hand. I ended up using nemesis (Thank you Mr.
> Grimes), tcpdump, and a little Perl script to kind of piece a tool
> together that would transmit encoded (I use that term loosely) ASCII
> data within the IP id field of the IP header. It works okay until you
> go through a NAT device that decides to change the IPID :) I wondered
> if anyone else has attempted to create a similar covert channel, and if
> it is even useful when you can potentially encrypt/tunnel many chat
> applications over a 3DES tunnel on basically any port in order to
> subvert a security policy.
>
> A penny for your thoughts...
>
> Jeremy
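The IP-id channel Jeremy describes is exactly what an IDS would have to look for: a stream of Identification values that decode as ASCII rather than the incrementing or random values a normal stack emits. The following detection heuristic is an added example written for this archive page, not code from either poster; the packet builder, the flow key (src, dst) and the 0.9 threshold are assumptions chosen for the demo.

```python
import struct
from collections import defaultdict

PRINTABLE = range(0x20, 0x7F)  # printable ASCII


def parse_ipv4(packet: bytes):
    """Return (src, dst, ip_id) from a raw IPv4 header, or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ip_id = struct.unpack("!H", packet[4:6])[0]       # Identification field
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, ip_id


def ascii_ratio(ids) -> float:
    """Fraction of IDs whose bytes look like ASCII: low byte printable and
    high byte printable or zero (one or two characters per packet)."""
    if not ids:
        return 0.0
    hits = sum(1 for i in ids
               if (i & 0xFF) in PRINTABLE and ((i >> 8) in PRINTABLE or (i >> 8) == 0))
    return hits / len(ids)


def suspicious_flows(packets, min_packets=8, threshold=0.9):
    """Group packets by (src, dst) and return flows whose IP-id stream is
    mostly ASCII-like; a random id passes the test only ~14% of the time,
    so a sustained ratio near 1.0 is a strong triage signal."""
    flows = defaultdict(list)
    for p in packets:
        parsed = parse_ipv4(p)
        if parsed:
            src, dst, ip_id = parsed
            flows[(src, dst)].append(ip_id)
    return {k: ascii_ratio(v) for k, v in flows.items()
            if len(v) >= min_packets and ascii_ratio(v) >= threshold}


def make_packet(src: str, dst: str, ip_id: int) -> bytes:
    """Constructed minimal IPv4 header (no options, zero checksum) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, 64, 1, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


# Constructed sample traffic: one host with a normal incrementing id counter,
# one host whose ids carry "hello wor" one character per packet.
NORMAL = [make_packet("10.0.0.5", "10.0.0.9", i) for i in range(40000, 40010)]
COVERT = [make_packet("10.0.0.7", "10.0.0.9", ord(c)) for c in "hello wor"]
```

Incrementing counters that happen to sit in 0x2020..0x7E7E will also score high, so the ratio is a triage signal to pair with packet rate and payload checks, and, as Jeremy notes, a NAT that rewrites the id field destroys the channel (and this evidence) before it reaches a sensor on the far side.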
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:31:01 PDT