Re: Covert Channels

From: David Litchfield (davidat_private)
Date: Fri Oct 18 2002 - 08:02:47 PDT

    >
    > > Using covert channels with the ICMP protocol can be defeated if you know
    > > what to expect and how your traffic needs to look like.
    >
    > Huh? It's perfectly possible to communicate over "good looking" channels
    > using subtleties like timing, "acceptable" variations, etc, etc. Same with
    > any other protocol - what if you limit outgoing HTTP requests only to two
    > documents, /docone and /doctwo, if I can still implement a covert channel
    
    Whilst this works on a binary level (/docone = 0 and /doctwo = 1), enabling you
    to channel bits, it's quite network intensive. Further, by looking at the log
    files one could get an idea that *something* is wrong. Here's a proposed
    implementation that helps defeat the problem of compression (less
    network intensive) and the log file problem. The solution uses Base64-encoded
    messages sent in Morse.
    
    Index the site. Set the User Agent so it looks like a common search engine.
    
    Treat all image files (jpegs, gifs, etc) on the web server in question as a
    dot and all html docs as a dash.
    
    Base64 encode the message. This 'message' could be binary data, ascii
    strings, whatever.
    
    The Base64 character set uses the characters A-Z, a-z, 0-9, + and /, and for
    padding an equals sign (=).
    
    Map the latter 3 (+,/,=) to the fullstop (.-.-.-), comma (--..--) and
    question mark (..--..) of the morse character set.
    
    A GET request denotes a lower case character and a HEAD request denotes an
    upper case character. (This solves the case insensitivity of the morse
    character set). Numbers are treated as lowercase.
    
    When sending a message choose one of the many file names at random returned
    from the site spidering.
    
    I'd estimate the "compression" benefits of this technique would be about 50%
    (when you consider that 3 ascii chars == 4 base64 chars and a morse
    "character" could take up to five requests). For example, if the number 7
    (--...) happened to appear in the base64 string you'd need to generate 5
    requests:
    
    GET /index.html HTTP/1.0
    GET /news.html HTTP/1.0
    GET /logo.gif HTTP/1.0
    GET /banner.jpeg HTTP/1.0
    GET /pic1.gif HTTP/1.0
    
    (But this is still better than the 8 requests you'd need for transferring
    bits ;)
    
    Better than choosing filenames in a truly random way you could actually
    associate images with html so requests don't look like they're out of sync.
    
    For those that are worried about casual "snoopers", employing something as
    simple as a Caesar shift will keep people guessing for a few hours ;)
    
    Well, that wraps up a perfectly good afternoon. Time for the weekend!
    
    Cheers,
    David Litchfield
    http://www.nextgenss.com/
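The scheme in the post above, written out as an added example (this is not code from the post or from NGSSoftware): the sender Base64-encodes the payload, spells each Base64 character in Morse, and issues one request per Morse symbol, an image for a dot and an HTML page for a dash, with HEAD for upper case and GET for everything else; the receiver rebuilds the message from the web server's access log. Two things are assumptions of mine rather than anything the post specifies: the site index (a handful of constructed file names) and a character delimiter, since Morse is not self-delimiting ('.' is a prefix of almost every code) and the post does not say how the receiver knows where one letter ends. Here a GET for the site root ("/") closes each character. The log-line format is a constructed common-log-format line, not a capture.

```python
"""Encoder/decoder for the HTTP/Morse covert channel sketched in the post."""
import base64
import random

# International Morse for A-Z and 0-9, plus the three punctuation codes the
# post borrows for the Base64 characters '+', '/' and '='.
MORSE = {
    'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
    'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
    'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
    'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
    'Y': '-.--', 'Z': '--..',
    '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-',
    '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
    '+': '.-.-.-',   # Morse full stop
    '/': '--..--',   # Morse comma
    '=': '..--..',   # Morse question mark
}
MORSE_TO_CHAR = {code: ch for ch, code in MORSE.items()}

# Constructed site index, standing in for what spidering the target returns.
IMAGES = ["/logo.gif", "/banner.jpeg", "/pic1.gif", "/pic2.jpg"]
PAGES = ["/index.html", "/news.html", "/about.html"]
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")
# ASSUMPTION (not in the post): a GET for the site root ends each Morse character.
SEPARATOR = "/"
# Constructed User-Agent, chosen to resemble a search-engine crawler.
USER_AGENT = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"


def encode(message: bytes, seed=None) -> list:
    """Turn a message into the list of (method, path) requests the sender issues."""
    rng = random.Random(seed)
    requests = []
    for ch in base64.b64encode(message).decode("ascii"):
        # HEAD marks an upper-case letter; GET marks lower case, digits and +/=.
        method = "HEAD" if ch.isupper() else "GET"
        for symbol in MORSE[ch.upper()]:
            pool = IMAGES if symbol == "." else PAGES   # dot = image, dash = html
            requests.append((method, rng.choice(pool)))
        requests.append(("GET", SEPARATOR))             # end of this character
    return requests


def to_log_lines(requests) -> list:
    """Render the requests as constructed common-log-format access-log lines."""
    return [
        f'10.0.0.5 - - [18/Oct/2002:08:02:47 -0700] "{method} {path} HTTP/1.0" '
        f'200 1234 "-" "{USER_AGENT}"'
        for method, path in requests
    ]


def decode(log_lines) -> bytes:
    """Receiver side: rebuild the message from the server's access-log lines."""
    b64_chars = []
    symbols = []
    method = None
    for line in log_lines:
        request = line.split('"')[1]            # 'GET /logo.gif HTTP/1.0'
        req_method, path, _version = request.split(" ", 2)
        if path == SEPARATOR:
            ch = MORSE_TO_CHAR["".join(symbols)]
            # lower() leaves digits and +/= untouched, so only letters change case.
            b64_chars.append(ch.lower() if method == "GET" else ch)
            symbols, method = [], None
            continue
        method = req_method
        symbols.append("." if path.lower().endswith(IMAGE_SUFFIXES) else "-")
    return base64.b64decode("".join(b64_chars))


def request_count(message: bytes) -> int:
    """Number of HTTP requests the channel needs for a message (separators included)."""
    return len(encode(message))


if __name__ == "__main__":
    for line in to_log_lines(encode(b"Hi", seed=1)):
        print(line)
    print(request_count(b"Hi"), "requests for 2 bytes")
```

Run the file to see the log lines a receiver would be reading; `decode(to_log_lines(encode(m)))` returns `m` for any byte string, which is the check worth keeping when changing the file pools or the delimiter. `request_count` makes the cost visible: it counts the separator requests too, which the post's estimate does not.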
    



    This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 08:22:56 PDT