Covert Channels

Yet again I have gone off on a tangent from another post and decided to give it its own entry.

For those not familiar with the term, a covert channel is best described as a means of transmitting information or communicating a message in a form that is not meant to be detected. This is not to be confused with encryption, which obscures the contents of a transmission and renders it undecipherable. A covert channel attempts to hide the very presence of communication, not just its contents; the two are complementary, and what travels over a covert channel can itself be encrypted.

There are many different implementations of, and goals for, covert channels. Here are some examples:

  • A web server responds with 200 OK and 404 Not Found to a series of requests. Read as binary bits, the sequence of responses assembles into a message, e.g. 200, 200, 404, 404, 200, 404, 200, 404 = 11001010. Each request carries one bit and looks like ordinary browsing.
  • The data portion of an ICMP echo packet is filled with real data, such as shell commands for a backdoor 😉
  • Specific header fields (for example the IP identification field) are set to even or odd values, so that the parity of each packet spells out a 1 or a 0 of a message in binary form.
  • etc…
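Two of the channels in the list above as encoder/decoder pairs. This is an added example written for this post, not code from any tool it mentions; the choice of 200/404 as the two symbols and of a 16-bit IP identification value as the parity-carrying field are assumptions made to match the list.

```python
"""Two bit-level covert channels from the list above: HTTP status codes and
header-field parity. Added example for this post, not code from any tool
mentioned in it. The status codes and the 16-bit header field are assumptions."""
import random

# HTTP status-code channel: 200 OK carries a 1 bit, 404 Not Found a 0 bit.
ONE_CODE, ZERO_CODE = 200, 404


def message_to_bits(msg: bytes) -> list:
    """Bit list, most significant bit of each byte first."""
    return [(byte >> shift) & 1 for byte in msg for shift in range(7, -1, -1)]


def bits_to_message(bits: list) -> bytes:
    """Inverse of message_to_bits; rejects a stream that is not whole bytes."""
    if len(bits) % 8:
        raise ValueError("bit stream is not a whole number of bytes")
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def encode_status_codes(msg: bytes) -> list:
    """Status codes the server answers with, one per request, in request order."""
    return [ONE_CODE if bit else ZERO_CODE for bit in message_to_bits(msg)]


def decode_status_codes(codes) -> bytes:
    """Reassemble the message from the observed responses, in request order."""
    bits = []
    for code in codes:
        if code == ONE_CODE:
            bits.append(1)
        elif code == ZERO_CODE:
            bits.append(0)
        else:
            raise ValueError(f"status {code} is not part of the channel")
    return bits_to_message(bits)


# Header-parity channel: each bit rides in the low-order bit of a header field
# the sender is free to pick, here a 16-bit IPv4 Identification value
# (assumption). The other 15 bits are random so the values do not look
# sequential, which is what a sniffer would otherwise notice.
def encode_parity(msg: bytes, rng=None) -> list:
    """One header-field value per bit of the message."""
    rng = rng or random.Random()
    fields = []
    for bit in message_to_bits(msg):
        fields.append((rng.randrange(0, 1 << 16) & ~1) | bit)
    return fields


def decode_parity(fields) -> bytes:
    """Read the low-order bit of each observed header field back into bytes."""
    return bits_to_message([value & 1 for value in fields])


if __name__ == "__main__":
    # 0xCA is 11001010, the bit pattern used in the list above.
    print(encode_status_codes(b"\xca"))
    print(decode_parity(encode_parity(b"uname -a")))
```

Both channels move one bit per request or packet, so they are slow, and the parity channel only blends in if the host would otherwise fill that field with random values; a stack that numbers IP identification sequentially makes the flipped low bit stand out.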

Obviously this is a pretty cool mechanism, and an excellent way of “covering your tracks” in a penetration test. It is often preferred over encryption alone because the communication is not visible unless it comes under serious scrutiny and examination: encryption hides what is being said, a covert channel hides that anything is being said at all.

A cool idea floating around (and one I would like to test out) is a sniffer-based covert channel. The idea is that a compromised machine starts sniffing network traffic in promiscuous mode (aided, on a switched network, by MAC flooding or ARP/DNS poisoning, although those methods are far more detectable). The same sniffing engine looks for specific data, such as ICMP packets carrying shell commands, and executes those commands. Obviously you can see some of the added benefit over a simple covert channel:

  1. The destination address of the ICMP packet need not be the compromised machine (it only has to cross a segment the machine can see), making it hard to tell which machine is actually obeying the commands.
  2. A single packet can carry commands to multiple compromised machines at once.

But that's something for the future.

If you are interested in using a covert channel, check out Loki and 007Shell, two ICMP-based examples. Loki is more detectable because it does not pad the contents of the ICMP packet, whereas 007Shell pads the remaining space so the packet keeps the size of a normal ping. Some NIDS will flag an ICMP echo packet whose payload size differs from a normal ping as abnormal. Padding only addresses the size, though: a sensor that looks at the payload bytes themselves will still see that they are not the fill pattern a stock ping sends. (DISCLAIMER: I take no responsibility for any negative effects of these tools and their use).
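The detection side of that padding point, as an added example written for this post (it is not code from Loki, 007Shell or any NIDS). It looks only at the ICMP data field, i.e. everything after the 8-byte ICMP header, and compares it against the two stock ping payloads; the exact layouts (Windows ping's 32-byte alphabet, 64-bit Linux iputils' 16-byte timestamp followed by an incrementing fill) are assumptions about those implementations, so adjust them to what you see on your own hosts. The sample payloads, including the `id;uname -a` command, are constructed for the example.

```python
"""Heuristic check for ICMP echo payloads that do not look like a stock ping.

Added example for this post, not code from Loki, 007Shell or any NIDS. It works
on the ICMP data field only (after the 8-byte ICMP header), so feed it the
payload extracted from a pcap by whatever parser you already use.
"""
import string

# Assumed stock payloads:
#  - Windows ping: 32 bytes of the alphabet, wrapping after 'w'.
#  - 64-bit Linux iputils ping: a 16-byte struct timeval followed by bytes that
#    count up from 0x10 to fill the default 56-byte data field.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_DEFAULT_LEN = 56
LINUX_TS_LEN = 16


def linux_fill(length: int) -> bytes:
    """The incrementing fill iputils puts after its timestamp (assumed layout)."""
    return bytes(i & 0xFF for i in range(LINUX_TS_LEN, length))


def linux_ping_payload(ts: bytes = b"\x00" * LINUX_TS_LEN,
                       size: int = LINUX_DEFAULT_LEN) -> bytes:
    """Constructed stock Linux echo payload with a zeroed timestamp."""
    return ts + linux_fill(size)


def pad_payload(cmd: bytes, size: int = LINUX_DEFAULT_LEN) -> bytes:
    """What a padding tunnel does: the command first, then filler to a normal size."""
    if len(cmd) > size:
        raise ValueError("command is longer than the target payload size")
    return cmd + b"\x00" * (size - len(cmd))


def printable_run(data: bytes, min_len: int = 4) -> str:
    """Longest run of printable ASCII in the payload, a crude command extractor."""
    best = cur = ""
    for b in data:
        ch = chr(b)
        if b < 0x80 and ch in string.printable and ch not in "\x0b\x0c":
            cur += ch
            if len(cur) > len(best):
                best = cur
        else:
            cur = ""
    return best if len(best) >= min_len else ""


def classify_echo_payload(data: bytes) -> dict:
    """Return {'verdict', 'reasons', 'ascii'} for one ICMP echo data field."""
    if data == WINDOWS_PATTERN:
        return {"verdict": "windows-ping", "reasons": [], "ascii": ""}
    if len(data) > LINUX_TS_LEN and data[LINUX_TS_LEN:] == linux_fill(len(data)):
        return {"verdict": "linux-ping", "reasons": [], "ascii": ""}

    reasons = []
    if len(data) not in (len(WINDOWS_PATTERN), LINUX_DEFAULT_LEN):
        # Loki-style: command only, no padding, so the size gives it away.
        reasons.append(f"unusual data length {len(data)}")
    if len(data) > LINUX_TS_LEN:
        # 007Shell-style: size is normal, but the bytes are not the stock fill.
        reasons.append("tail is not the stock incrementing fill pattern")
    text = printable_run(data)
    if text:
        reasons.append(f"printable ASCII run: {text!r}")
    return {"verdict": "anomalous" if reasons else "unknown",
            "reasons": reasons, "ascii": text}


if __name__ == "__main__":
    # Constructed samples: a stock ping, an unpadded command, and a padded one.
    for sample in (linux_ping_payload(), b"id;uname -a", pad_payload(b"id;uname -a")):
        print(classify_echo_payload(sample))
```

The unpadded command trips the length check, which is the point made about Loki above; the padded one passes the length check and is caught anyway because its bytes are not the stock fill and contain a readable command, which is why padding alone is not enough against a sensor that inspects payload contents.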

