
Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?



If you have system access, why not capture packets at kernel level,
BEFORE they reach the firewall? Your approach seems to be very noisy ;)

PASTOR ADRIAN wrote:
> Some time ago I thought of the following idea for a covert channel.
> Although the idea of covert channels is *not* new at all, I couldn't
> find anything in Google related to the following method of implementing
> a covert channel.
>  
> The scenario is the following. The victim is a host with a host-level
> firewall which is blocking *all* incoming traffic. Somehow the attacker
> still needs to communicate with a backdoor planted in this host. Use a
> reverse shell and job done, you might say.
> Actually, there is another way which I thought would be more creative
> (IMHO).
>  
> It works like this: the backdoor enables logging in the host-level
> firewall for all dropped packets, say Windows XP SP2 Firewall. Then the
> backdoor receives commands from the attacker by interpreting the
> properties of the dropped packets which were logged by the firewall. In
> other words, the backdoor is constantly reading the logs and parsing
> commands which were sent by the attacker embedded in packets which are
> being dropped (but logged) by the firewall.
> 
> attacker sends packets -> packets are dropped by firewall -> packets
> properties are captured in logs  -> backdoor reads logs and finds
> encoded commands -> commands are executed
> 
> Now, for the way the backdoor would reply back to the victim is really
> up to you. One method that comes to my mind is by posting the responses
> to a PHP script which is located in some free-hosting webpage. The
> attacker would then access this webpage.
>  
> Please, if you know anything related to backdoors intercepting commands
> from log files send me some links. Ideas, comments and flames are more
> than welcome :-) .
> 
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com <http://www.adrianpv.com>
> www.ikwt.com <http://www.ikwt.com> (In Knowledge We Trust)
> 


-- 
_____________________________________________________

~  DI (FH) Bernhard Mueller
~  IT Security Consultant

~  SEC-Consult Unternehmensberatung GmbH
~  www.sec-consult.com

~  A-1080 Wien  Blindengasse 3
~  Tel:   +43/676/840301718
~  Fax:   +43/(0)1/4090307-590
______________________________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
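The thread describes a backdoor that reads a host firewall's drop log and interprets the properties of dropped packets (for instance the destination port) as encoded commands. From the defender's side, the same log is the place to look for it: a stream of dropped packets that reuses a small set of port values in a non-sequential order looks unlike a port scan (which is usually monotonic and rarely repeats a port) and unlike ordinary background noise (a handful of drops). The script below is an added example written for this page, not code from either poster. It assumes the Windows XP SP2 pfirewall.log column layout (`#Fields:` header, action in the third column, source IP in the fifth, destination port in the eighth); the log lines are constructed, and the thresholds `MIN_EVENTS` and `MAX_DISTINCT_RATIO` are illustrative heuristics, not tuned values.

```python
"""Flag log sources whose dropped packets look like a symbol stream rather than a scan.

Added example for the covert-channel idea discussed above; it assumes the
Windows XP SP2 pfirewall.log layout and uses constructed sample lines.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log (not a real capture). First source is a plain port scan,
# second sends the ASCII codes of "hello hello" as destination ports, third is one
# stray NetBIOS drop, and the last line is an allowed connection (not a DROP).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-01-01 12:00:01 DROP TCP 198.51.100.7 192.0.2.10 40001 21 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:01 DROP TCP 198.51.100.7 192.0.2.10 40002 22 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:01 DROP TCP 198.51.100.7 192.0.2.10 40003 23 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:01 DROP TCP 198.51.100.7 192.0.2.10 40004 25 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:02 DROP TCP 198.51.100.7 192.0.2.10 40005 80 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:02 DROP TCP 198.51.100.7 192.0.2.10 40006 110 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:02 DROP TCP 198.51.100.7 192.0.2.10 40007 135 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:02 DROP TCP 198.51.100.7 192.0.2.10 40008 139 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:03 DROP TCP 198.51.100.7 192.0.2.10 40009 443 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:00:03 DROP TCP 198.51.100.7 192.0.2.10 40010 445 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:01 DROP TCP 203.0.113.9 192.0.2.10 50001 104 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:02 DROP TCP 203.0.113.9 192.0.2.10 50002 101 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:03 DROP TCP 203.0.113.9 192.0.2.10 50003 108 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:04 DROP TCP 203.0.113.9 192.0.2.10 50004 108 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:05 DROP TCP 203.0.113.9 192.0.2.10 50005 111 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:06 DROP TCP 203.0.113.9 192.0.2.10 50006 32 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:07 DROP TCP 203.0.113.9 192.0.2.10 50007 104 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:08 DROP TCP 203.0.113.9 192.0.2.10 50008 101 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:09 DROP TCP 203.0.113.9 192.0.2.10 50009 108 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:10 DROP TCP 203.0.113.9 192.0.2.10 50010 108 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:01:11 DROP TCP 203.0.113.9 192.0.2.10 50011 111 48 S 1 0 65535 - - - RECEIVE
2005-01-01 12:02:00 DROP UDP 192.0.2.50 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2005-01-01 12:02:05 OPEN TCP 192.0.2.10 192.0.2.99 1050 80 - - - - - - - - -
"""

MIN_EVENTS = 8          # fewer drops than this is treated as background noise (heuristic)
MAX_DISTINCT_RATIO = 0.6  # distinct ports / events at or below this means heavy symbol reuse (heuristic)


def parse_drops(text):
    """Return {src_ip: [dst_port, ...]} for DROP entries, preserving log order."""
    drops = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # header / comment lines
        fields = line.split()
        if len(fields) < 8 or fields[2] != "DROP":
            continue  # malformed line or an allowed (OPEN/CLOSE) entry
        src_ip, dst_port = fields[4], fields[7]
        if dst_port.isdigit():
            drops[src_ip].append(int(dst_port))
    return drops


def symbol_stats(ports):
    """Describe a port sequence: event count, distinct values, Shannon entropy, monotonicity."""
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    monotonic = all(b >= a for a, b in zip(ports, ports[1:]))
    return {"events": n, "distinct": len(counts),
            "entropy": round(entropy, 3), "monotonic": monotonic}


def suspicious_sources(text):
    """Sources with enough non-sequential drops that reuse a small port alphabet."""
    flagged = []
    for src, ports in parse_drops(text).items():
        stats = symbol_stats(ports)
        if stats["events"] < MIN_EVENTS or stats["monotonic"]:
            continue  # too few events, or a sequential scan pattern
        if stats["distinct"] / stats["events"] <= MAX_DISTINCT_RATIO:
            flagged.append((src, stats))
    return flagged


if __name__ == "__main__":
    for src, stats in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {stats}  <- dropped packets reuse a small port alphabet; review this host")
```

On the constructed sample the scanner (198.51.100.7) is skipped as monotonic, the single NetBIOS drop is below `MIN_EVENTS`, and 203.0.113.9 is reported because its eleven drops reuse only five distinct ports out of order. In practice this check belongs beside two others that the thread's scenario implies: an alert when firewall logging of dropped packets is enabled by something other than an administrator, and an alert on any non-logging process that opens the firewall log file for reading.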