[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?
- To: PASTOR ADRIAN <M123303@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?
- From: mudge <mudge@xxxxxxxxxxx>
- Date: Thu, 6 Oct 2005 10:22:07 -0400
What you describe would be a variant of 'dead-drop' covert channels.
Other examples would be:
. The use of public message boards where one program/person initiates
a connection out to the board and posts a message with particular
words/phrases/passages and another program/person scans said message
board looking for the 'encoded' messages.
. Web servers that have readable log files where one end of the
covert channel accesses certain web pages (existent or non-existent)
in a particular order and the other end looks for this message (or
alternatively has various combinations of request parameters in the
query strings which encodes commands or messages).
. etc. etc.
This type of covert channel has long been used by various governments
and organizations (think of clandestine messages being passed to or
from agents via personal ads). So, this is not a novel idea but you
are correct, there does not exist a tremendous amount of literature
on the subject - particularly in the public infosec/comsec communities.
A large percentage of 'dead-drop' covert channels will rely on a
shared 'code-book' between both parties.
cheers,
.mudge
On Oct 6, 2005, at 5:06 AM, PASTOR ADRIAN wrote:
Sometime ago I thought of the following idea for a covert channel.
Although the idea of covert channels is *not* new at all, I
couldn't find anything in Google related to the following method of
implementing a covert channel.
The scenario is the following. The victim is a host with a host-
level firewall which is blocking *all* incoming traffic. Somehow
the attacker still needs to communicate with a backdoor planted in
this host. Use a reverse shell and job done, you might say.
Actually, there is another way which I thought would be more
creative (IMHO).
It works like this: the backdoor enables logging in the host-level
firewall for all dropped packets, say Windows XP SP2 Firewall. Then
the backdoor receives commands from the attacker by interpreting
the properties of the dropped packets which were logged by the
firewall. In other words, the backdoor is constantly reading the
logs and parsing commands which were sent by the attacker embedded
in packets which are being dropped (but logged) by the firewall.
attacker sends packets -> packets are dropped by firewall ->
packets properties are captured in logs -> backdoor reads logs and
finds encoded commands -> commands are executed
Now, for the way the backdoor would reply back to the victim is
really up to you. One method that comes to my mind is by posting
the responses to a PHP script which is located in some free-hosting
webpage. The attacker would then access this webpage.
Please, if you know anything related to backdoors intercepting
commands from log files send me some links. Ideas, comments and
flames are more than welcome :-) .
Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
www.adrianpv.com
www.ikwt.com (In Knowledge We Trust)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/