Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Interesting idea for a covert channel or I just didn't research enough?
From: Bernhard Mueller <research () sec-consult com>
Date: Thu, 06 Oct 2005 14:27:38 +0200

if you have system access, why not capture packets at kernel level,
BEFORE they reach the firewall. your approach seems to be very noisy ;)

PASTOR ADRIAN wrote:
Sometime ago I thought of the following idea for a covert channel.it would be better to intercept packets at kernel 
level BEFORE they 
Although the idea of covert channels is *not* new at all, I couldn't
find anything in Google related to the following method of implementing
a covert channel.
 
The scenario is the following. The victim is a host with a host-level
firewall which is blocking *all* incoming traffic. Somehow the attacker
still needs to communicate with a backdoor planted in this host. Use a
reverse shell and job done, you might say.
Actually, there is another way which I thought would be more creative
(IMHO).
 
It works like this: the backdoor enables logging in the host-level
firewall for all dropped packets, say Windows XP SP2 Firewall. Then the
backdoor receives commands from the attacker by interpreting the
properties of the dropped packets which were logged by the firewall. In
other words, the backdoor is constantly reading the logs and parsing
commands which were sent by the attacker embedded in packets which are
being dropped (but logged) by the firewall.

attacker sends packets -> packets are dropped by firewall -> packets
properties are captured in logs  -> backdoor reads logs and finds
encoded commands -> commands are executed

Now, for the way the backdoor would reply back to the victim is really
up to you. One method that comes to my mind is by posting the responses
to a PHP script which is located in some free-hosting webpage. The
attacker would then access this webpage.
 
Please, if you know anything related to backdoors intercepting commands
from log files send me some links. Ideas, comments and flames are more
than welcome :-) .

Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
www.adrianpv.com <http://www.adrianpv.com>
www.ikwt.com <http://www.ikwt.com> (In Knowledge We Trust)


------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-- 
_____________________________________________________

~  DI (FH) Bernhard Mueller
~  IT Security Consultant

~  SEC-Consult Unternehmensberatung GmbH
~  www.sec-consult.com

~  A-1080 Wien  Blindengasse 3
~  Tel:   +43/676/840301718
~  Fax:   +43/(0)1/4090307-590
______________________________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault