Vince Gallo also showed how he created covert channels using valid mapi
email in his Bunratty Attack presentation. A copy of the presentation is
available in PDF at
http://chi-publishing.com/isb/backissues/ISB_2001/ISB0605/ISB0605VG.pdf

It demonstrates how one can use a valid application (in this case mapi
email) to covertly communicate with and even remotely control a system on
an otherwise protected network. All traffic appears to be valid email.
Pretty slick.

Dave McCormick
daveat_private
mccormicat_private
24 hours in a day, 24 beers in a case. Coincidence?

On Wed, 16 Oct 2002, Erik Parker wrote:

>
> > Many people have discussed this concept, but nothing has ever taken form.
> >
> > In order to get a host machine to pull this out of the packet and USE it,
> > you'd have to re-write the IP stack for that machine. If you can replace an
> > IP stack on a machine, there's no good reason to be doing it in the first
> > place, as you've already got root (or some form of escalated privs).
>
> Well.. That's not really accurate.. A few people have written programs that
> let you send data in "Secret".. In Tcp headers, as well as ICMP headers.. and
> the router does not toss them out, as long as they're put in variable sections.
> (and udp headers.. and just about everything else a router will let you send)
>
> In fact, there is an ICMP chat program on freshmeat, that lets you and someone
> else chat to each other via icmp packets. And there certainly is a point to
> it.. It's easier to bypass a crappy IDS system if you hide your data.
>
> There have been people who were owned, and get shell code sent to
> them via little bits of shell code tacked on to the end of email spam
> messages, and a service on the remote side intercepting those mails and
> executing the code via direction from arp traffic.
>
> The overhead is a lot greater, especially if you throw encryption into it..
> and the methods are slow, but they work.. Also, in the case of ICMP traffic..
> nobody really looks at it too closely for the most part, so it's pretty easy
> to stick things in there. A backdoor on a system could easily sit and watch
> icmp all day looking for their command packets to come in.
>
> I'm not sure why you'd need to replace the IP stack on the machine.. you're
> not modifying the internet protocol.. just some of the data it carries.
>
> Lots of ways to hide your traffic.. And technically, you could do it without
> actually needing a sniffer running, if you already own the system.. Just
> intercept the calls with your own functions..
>
> So, I'd have to say 'completely pointless' is an improper term to use here..
> Because it is in fact, a method that has been used against some of the most
> well known 'white hats' out there.. to bypass their IDS systems, and live
> silently on their systems.
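The "nobody really looks at ICMP too closely" point in the quoted message is where a defender can start. As an added example that is not part of this thread, here is a small Python checker that parses an ICMP echo request, verifies its checksum, and flags payloads that do not carry the filler normal ping tools emit; the filler patterns, the entropy threshold, and the sample packets are my assumptions, constructed inline.

```python
import hashlib
import math
import struct

ICMP_ECHO_REQUEST = 8
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"  # the alphabet filler Windows ping sends
ENTROPY_THRESHOLD = 4.5  # bits/byte: text sits near 4, encrypted or compressed data above 5

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 for a packet whose stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request with a correct checksum (used here only to build samples)."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr + payload)) + hdr[4:] + payload

def is_standard_filler(payload: bytes) -> bool:
    """Filler the common ping tools emit, as assumed from typical captures: iputils keeps a
    timestamp in the first 16 bytes and sets byte i to i; Windows repeats the alphabet."""
    linux = all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))
    windows = payload == (WINDOWS_FILLER * (len(payload) // 32 + 1))[: len(payload)]
    return linux or windows

def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (data must be non-empty)."""
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def inspect_echo(packet: bytes) -> list:
    """Reasons an echo request deserves a closer look; empty list means it looks like plain ping."""
    if packet[0] != ICMP_ECHO_REQUEST or packet[1] != 0:
        return ["not_echo_request"]
    reasons, payload = [], packet[8:]
    if icmp_checksum(packet) != 0:
        reasons.append("bad_checksum")
    if not is_standard_filler(payload):
        reasons.append("nonstandard_filler")
        if entropy(payload) > ENTROPY_THRESHOLD:
            reasons.append("high_entropy_payload")
    return reasons
# Constructed samples: a Linux-style ping, then two payloads carrying data instead of filler.
LINUX_PING = build_echo(0x1234, 1, b"\x00" * 16 + bytes(range(16, 56)))
TEXT_IN_PING = build_echo(0x1234, 2, b"\x00" * 16 + b"message hidden in the filler bytes......")
RANDOM_IN_PING = build_echo(0x1234, 3, hashlib.sha256(b"constructed").digest() + hashlib.sha256(b"sample").digest()[:24])
```

Run over a capture, the filler check alone separates ordinary pings from echo requests whose data field carries something else; the entropy flag additionally distinguishes plain text from encrypted or compressed content.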
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:42:24 PDT