Re: Covert Channels

From: Chris Reining (creiningat_private)
Date: Thu Oct 17 2002 - 20:29:44 PDT


    A covert comm channel utilizing SAdoor is something you might want to
    look into. You run SAdoor server on your owned box, which pcap filters
    (non-listening mode, won't show up in a port scan for ex) looking for a
    particular sequence of tcp packets. This sequence can consist of the
    ports and tcp flags of your choosing and come from spoofed addresses.
    When this initial sequence is completed successfully by running the
    SAdoor client, the server will listen for the right combination of src
    address, tcp flag, and port for the command that is to be executed. The
    SAdoor client and server communicate using libblowfish by default.
    
    http://cmn.listprojects.darklab.org/
    
    Chris
    
    On Wed, 16 Oct 2002 15:08:49 -0700
    "Jeremy Junginger" <jjungingerat_private> wrote:
    
    > Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
    > header information to transmit encoded messages from one host to
    > another?  Shortly after reading
    > http://www.firstmonday.dk/issues/issue2_5/rowland/ I was very tempted
    > to put together a proof-of-concept program to demonstrate the use of
    > covert channels (and more importantly, how they could slip right by the
    > IDS) with the tools I had on hand.  I ended up using nemesis (Thank
    > you Mr. Grimes), tcpdump, and a little Perl script to kind of piece a
    > tool together that would transmit encoded (I use that term loosely)
    > ASCII data within the IP id field of the IP header.  It works okay
    > until you go through a NAT device that decides to change the IPID :) 
    > I wondered if anyone else has attempted to create a similar covert
    > channel, and if it is even useful when you can potentially
    > encrypt/tunnel many chat applications over a 3DES tunnel on basically
    > any port in order to subvert a security policy.  
    > 
    > A penny for your thoughts...
    > 
    > Jeremy
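
Added example, not part of either post or of the tools they mention: a detection heuristic for the IP ID channel described in the quoted message, run over raw IPv4 headers. It assumes one ASCII byte per packet in one half of the 16-bit ID with the other half held constant (an assumed encoding; the post does not give its exact one), and every address and packet below is constructed.

```python
import struct
from collections import defaultdict

def ip_id_and_src(header: bytes):
    """Return (source address, IP ID) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident = struct.unpack_from("!H", header, 4)[0]  # ID is bytes 4-5
    src = ".".join(str(b) for b in header[12:16])
    return src, ident

def printable(b):
    return 0x20 <= b < 0x7F or b in (0x0A, 0x0D)

def suspicious_sources(headers, min_packets=8):
    """Heuristic: flag sources whose IP IDs look like one ASCII byte per
    packet (one byte always printable, the other byte never changing)."""
    ids = defaultdict(list)
    for h in headers:
        src, ident = ip_id_and_src(h)
        ids[src].append(ident)
    flagged = {}
    for src, seq in ids.items():
        if len(seq) < min_packets:
            continue  # too few packets to judge
        halves = (("high", [i >> 8 for i in seq], {i & 0xFF for i in seq}),
                  ("low", [i & 0xFF for i in seq], {i >> 8 for i in seq}))
        for name, data, other in halves:
            if len(other) == 1 and all(printable(b) for b in data):
                flagged[src] = (name, bytes(data).decode("ascii"))
    return flagged

def make_header(src, ident):
    """Constructed test input: minimal 20-byte IPv4 header, checksum 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes([192, 0, 2, 1]))

# Constructed traffic: one host with counter-style IDs, one carrying text.
NORMAL = [make_header("198.51.100.7", 0x3A10 + n) for n in range(12)]
COVERT = [make_header("203.0.113.9", ord(c) << 8) for c in "hello world!"]

if __name__ == "__main__":
    print(suspicious_sources(NORMAL + COVERT))
```

A NAT device that rewrites the IP ID, as the quoted post observes, would also change what this check sees, so it only applies to captures taken before such a device.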
    


