> > Using covert channels with the ICMP protocol can be defeated if you know
> > what to expect and what your traffic needs to look like.
>
> Huh? It's perfectly possible to communicate over "good looking" channels
> using subtleties like timing, "acceptable" variations, etc, etc. Same with
> any other protocol - what if you limit outgoing HTTP requests only to two
> documents, /docone and /doctwo, if I can still implement a covert channel

Whilst this works on a binary level (/docone = 0 and /doctwo = 1, enabling you to channel bits) it's quite network intensive. Further, by looking at the log files one could get an idea that *something* is wrong.

Here's a proposed implementation that helps defeat the problem of compression (less network intensive) and the log file problem. The solution uses Base64 encoded messages using Morse.

Index the site. Set the User Agent so it looks like a common search engine. Treat all image files (jpegs, gifs, etc) on the web server in question as a dot and all html docs as a dash.

Base64 encode the message. This 'message' could be binary data, ascii strings, whatever. The Base64 character set uses the characters A-z, 0-9, +, / and, for padding, an equals sign (=). Map the latter 3 (+, /, =) to the fullstop (.-.-.-), comma (--..--) and question mark (..--..) of the Morse character set.

A GET request denotes a lower case character and a HEAD request denotes an upper case character. (This solves the case insensitivity of the Morse character set.) Numbers are treated as lowercase.

When sending a message choose one of the many file names at random returned from the site spidering.

I'd estimate the "compression" benefits of this technique would be about 50% (when you consider that 3 ascii chars == 4 base64 chars and a Morse "character" could take up to five requests). For example, if the number 7 (--...) happened to appear in the base64 string you'd need to generate 5 requests:

    GET /index.html HTTP/1.0
    GET /news.html HTTP/1.0
    GET /logo.gif HTTP/1.0
    GET /banner.jpeg HTTP/1.0
    GET /pic1.gif HTTP/1.0

(But this is still better than the 8 requests you'd need for transferring bits ;)

Better than choosing filenames in a truly random way, you could actually associate images with html so requests don't look like they're out of sync.

For those that are worried about casual "snoopers", employing something as simple as a Caesar shift will keep people guessing for a few hours ;)

Well, that wraps up a perfectly good afternoon. Time for the weekend!

Cheers,
David Litchfield
http://www.nextgenss.com/
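The scheme described in the post, written out as an added example (this is not code from the post or from NGSSoftware): `encode` produces the GET/HEAD request stream, and `decode_log` is the part a log reviewer would need, rebuilding the Base64 string from access-log lines once the dot/dash and method/case mapping is known. The post does not say how one Morse character is separated from the next, so this example assumes a request for the site root ends each character; the file list, client IP, timestamp and User-Agent are constructed.

```python
import base64
import re

# Morse for the Base64 alphabet: ITU Morse for letters and digits, with '+', '/' and '='
# mapped, as the post proposes, to full stop (.-.-.-), comma (--..--) and question mark (..--..).
_LETTERS = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
            "--.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
_DIGITS = "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.".split()
MORSE = dict(zip("abcdefghijklmnopqrstuvwxyz", _LETTERS))
MORSE.update(zip("0123456789", _DIGITS))
MORSE.update({"+": ".-.-.-", "/": "--..--", "=": "..--.."})
UNMORSE = {v: k for k, v in MORSE.items()}

# Constructed stand-in for the spidered file list: image requests are dots, html requests are dashes.
IMAGES = ["/logo.gif", "/banner.jpeg", "/pic1.gif"]
PAGES = ["/index.html", "/news.html"]
# Assumption not in the post: a request for the site root ends each Morse character,
# because Morse is not prefix-free (E is '.', I is '..', S is '...').
SEP = "/"


def encode(message: bytes) -> list:
    """Message -> (method, path) requests: GET for lower case/digits, HEAD for upper case."""
    requests = []
    for i, ch in enumerate(base64.b64encode(message).decode()):
        method = "HEAD" if ch.isupper() else "GET"
        for j, sym in enumerate(MORSE[ch.lower()]):
            pool = IMAGES if sym == "." else PAGES
            requests.append((method, pool[(i + j) % len(pool)]))  # stand-in for the random pick
        requests.append((method, SEP))
    return requests


def to_log(requests: list) -> list:
    """Constructed combined-format access log lines; client IP, timestamp and User-Agent are made up."""
    return ['203.0.113.5 - - [18/Oct/2002:08:22:56 -0700] "%s %s HTTP/1.0" 200 512 "-" "Googlebot/2.1"'
            % (m, p) for m, p in requests]


def decode_log(lines: list) -> bytes:
    """The log reviewer's side: rebuild the Base64 string from the request stream and decode it."""
    symbols, b64 = "", ""
    for line in lines:
        m = re.search(r'"(GET|HEAD) (\S+) HTTP', line)
        if not m:
            continue
        method, path = m.groups()
        if path == SEP:                      # end of one Morse character
            ch = UNMORSE[symbols]
            b64 += ch.upper() if method == "HEAD" else ch
            symbols = ""
        else:
            symbols += "." if path.lower().endswith((".gif", ".jpg", ".jpeg")) else "-"
    return base64.b64decode(b64)
```

For the two-byte message `Hi` (Base64 `SGk=`) the encoder emits 19 requests, which is the 15 dot/dash requests plus one separator per character; running `decode_log` over the matching log lines returns the original bytes.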
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 08:22:56 PDT