> From: kam [mailto:kamat_private]
> Sent: Wednesday, October 16, 2002 7:14 PM
>
> On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy Junginger said:
> > Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
> > header information to transmit encoded messages from one host to
> > another?

> The problem with your idea is that it will never work for the actual
> exploitation of a system or network. If you plan on using this medium as a
> communication channel, that's one thing, but you will never get a host
> machine to respond to options in these fields.
>
> In order to get a host machine to pull this out of the packet and USE it,
> you'd have to re-write the IP stack for that machine. If you can replace an
> IP stack on a machine, there's no good reason to be doing it in the first
> place, as you've already got root (or some form of escalated privs).

The original question concerned covert channels, not penetration. (I'm not sure why Jeremy sent it to pen-test.) Penetration is a completely different issue. For covert-channel purposes, replacing the IP stacks on both end nodes may be a reasonable requirement.

That said, I agree that it's tough to guarantee getting header fields through unmodified by routers, NAT, firewalls, and so forth. Most normal applications will tolerate all sorts of manipulation - rewriting addresses and ports, changing IP IDs, defragmenting IP packets or even coalescing TCP segments, and so forth - so it's entirely possible that current or future intermediate nodes will be doing so.

For example, TCP segment size looks like a possible viable covert channel (though one that would produce pretty suspicious-looking traffic if you weren't very careful). Disable Nagle and send data in chunks such that the size stays under the PMTU and indicates something - trivially, send 1-256 bytes each time, where data size - 1 is the byte value you're transmitting "covertly". Hack the stack on the receiving end to report the TCP segment size.

Sounds viable (if naive), but a stateful, content-inspecting firewall might preprocess TCP traffic looking for virus signatures or the like, for example, and in doing so reblock the segments. I don't know that any do so today, but I don't know that this technique would have much long-term viability. TCP flags and the like are even less likely to survive untouched for long.

In any case, covert channels aren't really scarce. Remember that covert-IP-over-DNS implementation from a few years back?

Michael Wojcik
Principal Software Systems Developer, Micro Focus
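An added illustration, not part of the archived thread and not code from any of its participants: a Python simulation of the segment-size scheme Michael sketches (payload length = byte value + 1), together with the two objections raised against it. A modelled intermediate node that coalesces segments up to an assumed MSS of 1460 bytes preserves the byte stream but destroys the length boundaries the receiver depends on, and a flow-level heuristic shows why the traffic pattern is conspicuous. Segments are modelled as payload lengths only; the function names, the MSS value, the detector thresholds and the sample message are all constructed for the example and nothing here touches a socket.

```python
"""Simulation of a TCP-segment-size covert channel and why it is fragile and noticeable.

Segments are represented purely by their payload length. Constructed example;
not the thread's code and not a network implementation.
"""
from collections import Counter
import math

# Assumed path MSS for the simulated re-segmenting middlebox (constructed value).
MSS = 1460


def encode_lengths(message: bytes) -> list[int]:
    """Sender side of the scheme from the thread: one segment per byte,
    payload length = byte value + 1, so every length lies in 1..256."""
    return [b + 1 for b in message]


def decode_lengths(lengths: list[int]) -> bytes:
    """Receiver side: recover one byte per segment as (length - 1).
    A length outside 1..256 cannot have come from the encoder, so decoding fails."""
    out = bytearray()
    for n in lengths:
        if not 1 <= n <= 256:
            raise ValueError(f"segment of {n} bytes is outside the 1..256 encoding range")
        out.append(n - 1)
    return bytes(out)


def coalesce(lengths: list[int], mss: int = MSS) -> list[int]:
    """Model an intermediate node that re-segments the stream (a content-inspecting
    proxy, for instance): consecutive payloads are merged up to `mss` bytes.
    The byte content is untouched; only the segment boundaries change."""
    merged: list[int] = []
    current = 0
    for n in lengths:
        if current and current + n > mss:
            merged.append(current)
            current = 0
        current += n
    if current:
        merged.append(current)
    return merged


def size_entropy_bits(lengths: list[int]) -> float:
    """Shannon entropy (bits) of the distribution of payload sizes in a flow."""
    counts = Counter(lengths)
    total = len(lengths)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_like_size_channel(lengths: list[int], min_segments: int = 32,
                            max_len: int = 256, min_entropy: float = 4.0) -> bool:
    """Illustrative flow-level heuristic (thresholds are constructed, not tuned):
    flag a flow of many segments that are all small and whose size distribution is
    near-uniform. Bulk transfers are dominated by MSS-sized segments and typical
    interactive traffic uses few distinct sizes, so neither trips this rule."""
    if len(lengths) < min_segments:
        return False
    if max(lengths) > max_len:
        return False
    return size_entropy_bits(lengths) >= min_entropy


def demo() -> dict:
    """Run the channel end to end, then through the coalescing middlebox."""
    secret = bytes(range(32, 96))          # constructed 64-byte message
    sent = encode_lengths(secret)
    assert decode_lengths(sent) == secret  # works while boundaries are untouched

    after_proxy = coalesce(sent)
    try:
        decode_lengths(after_proxy)
        survived = True
    except ValueError:
        survived = False

    return {
        "segments_sent": len(sent),
        "segments_after_coalescing": len(after_proxy),
        "channel_survived": survived,
        "flagged_by_heuristic": looks_like_size_channel(sent),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows 64 one-byte-per-segment sends collapsing into three MSS-sized segments after the modelled proxy, at which point the receiver has nothing to decode, while the original flow (64 distinct sizes, all under 256 bytes) trips the heuristic. The heuristic is a teaching device, not a production rule; real detection would also consider PSH usage, inter-arrival timing and the application protocol on the port.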
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 07:06:52 PDT