CovertChannelRelik v0.1 Released!

A while ago I created a covert channel for a demonstration in a class of mine. I am now releasing the code for research purposes or those interested in seeing how one works.

I was simply trying to show how information could be passed in a completely “undetectable” manner, even if someone were actively sniffing your traffic. I ran my covert server & client, as well as Wireshark and showed how messages I was sending actually contained secret data undetectable to the human eye.

The way it works:

  • I entere a secret message to be sent and it is converted into binary.
  • I then begin sending “carrier messages”
  • the server separates the carrier message based on words. Each word’s ascii value is summed, and either left alone or appended with an invisible character. That sum is even or odd depending on the secrete message to be sent.
  • The client adds up the value of each word, and stores it as a 1, or 0. It slowly assembles the secret message as the carrier messages are received.

Go ahead and try it out. Just run the client, server and wireshark. Observe the communication and see how covert channels work!

The whole project isnt in exactly “practical” form, but it could easily be made into one. This is really just a “secret” chat client. If there is demand for this to be made more practical, I would be happy to do so. Until then, enjoy!

Download source here!

For those who just want to see the source for what makes the magic happen, here it is:

// encode msg to appropriate client-side equating of covert message
public CovertMsgBean encodeString(String msg){
StringBuffer encodedString = new StringBuffer(msg);
String[] msgList = msg.split(" ");
CovertMsgBean covertBean;
//iterates through the message, one word at a time. resents the encoding total every word.
for(int m = 0; m < msgList.length; m++){
encodeTotal = 0;
//iterates through that word one character at a time, then sums them up.
for(int i = 0; i < msgList[m].length(); i++){
encodeTotal += msgList[m].charAt(i);
}
//if we has sent the whole message, break.
if(covertSendingCounter == covertMsgBinary.length()){
for(int s = 0; s < (msgList.length - m); s++){
msgList[(msgList.length-1) - s] = " "; // might be s < m something
}
break;
}
//System.out.println("Encoded Message Total is " + encodeTotal);

//If the encoded total is correct for the next bit in the covert message's binary form, then its good...
if ((int)(encodeTotal % 2) == Integer.parseInt(String.valueOf(covertMsgBinary.charAt(covertSendingCounter)))){
//System.out.println("Current point in secret message: " + covertMsgBinary.charAt(covertSendingCounter)+ " and index " + covertSendingCounter);
} else {
//... if not, add the buffer to that specific message
msgList[m] = msgList[m] + DEFAULT_BUFFER;
}
covertSendingCounter++;
}
//wrap the array of words into one single string for sending
String listMsg = new String();
for(int j = 0; j < msgList.length; j++){
listMsg += msgList[j];
if(j != msgList.length){
listMsg += " ";
}
}
encodedString = new StringBuffer(listMsg);
covertBean = new CovertMsgBean(encodedString);
return covertBean;
}

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: