September 28, 2003

Creating Covert Network Comms

If you have ever attended any lectures I have given on the powers of covert communications on networks, you might have heard me talk about my dynamic door opener, which I wrote to allow me to open a "window" of time on a server's firewall so that I can connect from unknown foreign hosts that may not be trusted.

It works quite well, and I have used it for years on different machines around the world. Basically I can send a sequence of specially crafted ICMP messages (thank heavens for switches on ping like -p) to a network segment, and my back door will see it and create an ipchains/ipfw firewall rule to allow that host to connect and authenticate with SSH for 30 seconds. Once the 30 seconds are up, the firewall patches itself and the existing SSH tunnel will stay active, with me connected. (Assuming the firewall will still allow existing ports to stay open after the reset)
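The knock-and-window mechanism described above, as an added example in Python (not the author's C tool and not the Perl scripts from the articles below): it takes already-decoded ICMP echo payloads, tracks the knock sequence per source host, and emits the iptables commands that open SSH for 30 seconds and close it again. The three payload patterns, the 10-second gap between knocks and the conntrack-based rule are assumptions; the packet sniffing itself is left out.

```python
from dataclasses import dataclass

# Constructed knock sequence: the fill pattern of three successive
# `ping -p` payloads (assumed values, e.g. -p dead, -p beef, -p cafe).
KNOCK_SEQUENCE = (b"\xde\xad", b"\xbe\xef", b"\xca\xfe")
WINDOW_SECONDS = 30      # how long the SSH door stays open
KNOCK_GAP_SECONDS = 10   # max time between two knocks of one sequence (assumed)


@dataclass
class Packet:
    """Minimal view of a sniffed ICMP echo request (constructed, not a capture)."""
    src: str
    payload: bytes
    ts: float


def ssh_rule(action: str, src: str) -> str:
    """iptables command that opens (-I) or closes (-D) the door for one host.
    Matching only NEW connections means deleting the rule after the window
    leaves an SSH session already established through it alone, assuming
    the base policy accepts ESTABLISHED traffic."""
    return (f"iptables -{action} INPUT -p tcp -s {src} --dport 22 "
            f"-m conntrack --ctstate NEW -j ACCEPT")


class DoorOpener:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS,
                 gap=KNOCK_GAP_SECONDS):
        self.sequence, self.window, self.gap = sequence, window, gap
        self.progress = {}    # src -> (index of next expected knock, last knock time)
        self.open_until = {}  # src -> time at which its rule must be removed
        self.commands = []    # firewall commands emitted, in order

    def expire(self, now: float) -> None:
        """Close every door whose 30-second window has elapsed."""
        for src, until in list(self.open_until.items()):
            if now >= until:
                self.commands.append(ssh_rule("D", src))
                del self.open_until[src]

    def observe(self, pkt: Packet) -> bool:
        """Feed one sniffed packet; return True when it completes a knock."""
        self.expire(pkt.ts)
        idx, last = self.progress.get(pkt.src, (0, pkt.ts))
        if pkt.ts - last > self.gap:
            idx = 0                               # stale sequence: start over
        if self.sequence[idx] not in pkt.payload:
            self.progress.pop(pkt.src, None)      # wrong knock resets the host
            return False
        idx += 1
        if idx < len(self.sequence):
            self.progress[pkt.src] = (idx, pkt.ts)
            return False
        self.progress.pop(pkt.src, None)
        if pkt.src not in self.open_until:        # never insert a duplicate rule
            self.commands.append(ssh_rule("I", pkt.src))
        self.open_until[pkt.src] = pkt.ts + self.window
        return True
```

Expiry is driven by the timestamps of later packets, so a real sniffer would also call `expire()` from a timer to close a door when the wire goes quiet.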

Well, it took some time to write that way back when in C (we are talking years ago when ipfwadm was just reaching its peak), and I must admit it was/is a bitch to maintain as firewalls become more complex. Quite frankly I haven't looked at the code in some time, and never ported it to Linux's iptables. Well, I found an interesting set of articles that take a different approach using fake DNS lookups.

Hacking Linux Exposed has released a three-part series (well actually it's 5 parts, but only three are useful to you) discussing how to use Net::Pcap to sniff for certain packets, run a program based on those packets and then send commands to that program. And it is even updated to use iptables! You can read each part of the series to understand what I am talking about:

  1. Part 1 - Sniffing with Net::Pcap
  2. Part 2 - Running programs in response to sniffed packets
  3. Part 3 - Running custom queries

It's a good read, and includes some Perl scripts to make your life easy. If you feel you want to build covert channels to your machines, this may be the article you need. You could even use these articles as a base to create remote execution code sequences (like sending a crafted packet to start an automated penetration test from the server to the network you might currently be on) or extend it to do evil like DDoS attacks based on incoming packet sequence. YMMV. Use it responsibly please!

Have fun!

Posted by SilverStr at September 28, 2003 12:32 AM