Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Interesting idea for a covert channel or I just didn't research enough?
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Thu, 06 Oct 2005 10:23:11 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Holstein wrote:
attacker sends packets -> packets are dropped by firewall -> packets
properties are captured in logs  -> backdoor reads logs and finds
encoded commands -> commands are executed


As a covert channel? .. no, it's a waste. Once you have the access to
set that up, you could establish any number of more efficient schemes.

As a way to do a "remote wake-up" though .. it might have some promise
.. but it still depends on too many other variables.

SAdoor uses this general idea.

device in promiscuous mode sits and listens, iptables can have all ports
filtered and no services running on the machine, a particular sequence
of events happens, a command gets executed.

http://cmn.listprojects.darklab.org/

kw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFDRTNN7XWNuvsOTiYRAqr5AKDQmgqdbBHSJrc2fuOzwx4SjekKlQCg3gFR
JYDJjZo37FNF1XNjaejqamc=
=8SzG
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]