Re: Covert Channels

From: Syzop (syzat_private)
Date: Thu Oct 17 2002 - 07:04:29 PDT

Erik Parker wrote:

> > Many people have discussed this concept, but nothing has ever taken form.
> >
> > In order to get a host machine to pull this out of the packet and USE it,
> > you'd have to re-write the IP stack for that machine. If you can replace an
> > IP stack on a machine, there's no good reason to be doing it in the first
> > place, as you've already got root (or some form of escalated privs).
>
> Well.. That's not really accurate.. A few people have written programs that
> let you send data in "Secret".. In TCP headers, as well as ICMP headers.. and
> the router does not toss them out, as long as they're put in variable sections.
> (and UDP headers.. and just about everything else a router will let you send)
>
> In fact, there is an ICMP chat program on freshmeat, that lets you and someone
> else chat to each other via ICMP packets.  And there certainly is a point to
> it.. It's easier to bypass a crappy IDS system if you hide your data.

To a certain degree you can detect this because of the amount of "weird packets"
on your network; things like Spade[1] (experimental, but you get the idea) can be
used for that.
However, you could send the packets slowly + known protocols/ports and
try to stay below the "warning level"... Could be useful for status reports or small
amounts of data you want to receive slowly.... Like (password) sniffer results,
or whatever...

> There have been people who were owned, and get shell code sent to
> them via little bits of shell code tacked on to the end of email spam
> messages, and a service on the remote side intercepting those mails and executing the code
> via direction from arp traffic.

And how did you jump to or execute this shellcode? You should have other shellcode
to do that, right? If so, why send the 2nd shellcode in such a weird way?
Maybe I misunderstood but this sounds weird to me...
shellcode via spam, arp redirection, huh? :).

Cya,

    Bram Matthys (Syzop).

[1] http://www.silicondefense.com/software/spice/
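As an added illustration of the two points argued above (not code from the thread, and not the freshmeat ICMP chat program or Spade itself): the sender below hides data in the Identifier field of ICMP Echo Requests, two bytes per packet, using the Sequence field as an ordering counter; the receiver validates the checksum and reassembles. The Spade-like "weird packet" check is a constructed stand-in, a simple sliding-window rate threshold plus the observation that a normal ping session keeps Identifier fixed. All packets, timestamps, and the secret string are constructed in the script; nothing is put on the wire, and the function names are this example's own.

```python
import struct
from collections import deque

# Constructed example: hide bytes in the ICMP Echo Request Identifier field
# (two bytes per packet), reuse the Sequence field as an ordering counter,
# and run a Spade-style packet-rate check over the send timestamps.

ICMP_ECHO_REQUEST = 8

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload=b""):
    """Build a complete ICMP Echo Request with a correct checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def encode_covert(message):
    """Split message into 16-bit words and carry each one in the Identifier field."""
    padded = message + b"\x00" * (len(message) % 2)   # pad odd length to whole words
    packets = []
    for i in range(0, len(padded), 2):
        (ident,) = struct.unpack("!H", padded[i:i + 2])
        packets.append(build_echo(ident, i // 2))     # seq = word index
    return packets

def decode_covert(packets):
    """Receiver side: verify checksum, reorder by Sequence, reassemble the words.
    Trailing NUL padding is stripped, so a secret ending in NUL bytes loses them."""
    words = {}
    for pkt in packets:
        typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        # With a valid checksum the one's-complement sum of the whole message is 0.
        if typ != ICMP_ECHO_REQUEST or icmp_checksum(pkt) != 0:
            continue
        words[seq] = struct.pack("!H", ident)
    return b"".join(words[s] for s in sorted(words)).rstrip(b"\x00")

def identifier_varies(packets):
    """Heuristic: a normal ping session keeps Identifier fixed (usually the sender PID)
    and only increments Sequence; a changing Identifier is one 'weird packet' signal."""
    idents = {struct.unpack("!BBHHH", p[:8])[3] for p in packets}
    return len(idents) > 1

def detect_bursts(timestamps, window=10.0, threshold=5):
    """Sliding-window rate check (constructed stand-in for an anomaly scorer such as
    Spade): returns the timestamps at which more than `threshold` flagged packets
    were seen within the last `window` seconds."""
    alerts = []
    recent = deque()
    for t in timestamps:
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) > threshold:
            alerts.append(t)
    return alerts

if __name__ == "__main__":
    secret = b"pass=hunter2"                    # constructed sniffer result
    pkts = encode_covert(secret)
    assert decode_covert(pkts) == secret
    print("packets:", len(pkts), "identifier varies:", identifier_varies(pkts))
    burst = [0.0] * len(pkts)                   # all sent at once
    slow = [3.0 * i for i in range(len(pkts))]  # one every three seconds
    print("burst alerts:", detect_bursts(burst))  # fires on the sixth packet
    print("slow alerts:", detect_bursts(slow))    # stays below the warning level
```

The same six packets trip the rate check when sent as a burst and pass it when spaced three seconds apart, which is the "stay below the warning level" trade-off; the Identifier heuristic still flags the stream regardless of timing, since the channel cannot keep that field constant without losing its bandwidth.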
    
    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 07:13:38 PDT