Network Covert Channels
Evgeny Pinchuk ([email protected]), Radware SOC Team
Agenda
• What are covert channels?
• Importance of network covert channels
• Technique examples
• Available technology
• Countermeasures
Introduction
• The need for secrecy
• Encryption only makes data hard to read; it does nothing to hide that the data is there
• We can hide information inside channels that are assumed to carry a different kind of data
• Covert channels let us transport information unnoticed, which makes it hard for automated tools to detect
Common Covert Channels
• Steganography – pictures, audio, binary files
• Network – various protocols (e.g. IP, TCP, DNS…)
• Text – words, character substitution
• File systems – hidden files, ADS
• Appending data – EOF, headers, footers
Successful covert channels
• The packet that carries covert data should look like a regular packet
• Choosing the wrong fields in the packet will make the traffic look anomalous
• Choosing a protocol that is common in the specific network environment helps keep the information covert
• Bounced traffic makes it harder to trace the sender
IP Header
Version | Hdr length | TOS | Total Packet Length
Identification | Flags | Fragment offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options
Suitable fields in IP Header
• Identification field (can be rewritten by some firewalls)
• Source address (if the data will flow only one way)
• IP options (in certain environments)
PoC: http://invisiblethings.org/tools/passivecc_ipid.c by Joanna Rutkowska
TCP Header
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Offset | Reserved | C E U A P R S F | Window
Checksum | Urgent Pointer
Options
Bounced Sequence
Message ‘Hello\n’: A -> B
‘H’ 0x48 * 255 = 0x47B8
‘e’ 0x65 * 255 = 0x649B
‘l’ 0x6C * 255 = 0x6B94
‘l’ 0x6C * 255 = 0x6B94
‘o’ 0x6F * 255 = 0x6E91
‘\n’ 0x0A * 255 = 0x09F6
This gives the following sequence numbers:
Sequence 1: 0x47B8649B
Sequence 2: 0x6B946B94
Sequence 3: 0x6E9109F6
Host A: 1.1.1.1
Host B: 2.2.2.2
Bounce Servers:
1. 3.3.3.3
2. 4.4.4.4
3. 5.5.5.5
Bounced Sequence
Host A sends a SYN packet to 3.3.3.3:
Sequence number – 0x47B8649B
Acknowledgement number
Source address – 2.2.2.2 (spoofed as Host B)
Host B receives a SYN+ACK packet from 3.3.3.3:
Sequence number – X
Acknowledgement number – 0x47B8649C
Destination address – 2.2.2.2
Bounced Sequence – Results
• We succeeded in receiving the encoded sequence number + 1 through a 3rd-party server
• On the 3rd-party server our request looks like a legitimate connection request
• Anyone analysing the traffic at Host B will see what looks like a low-bandwidth reflected denial-of-service attack
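As an added defensive example (not part of the original slides), the following Python reverses the ASCII*255 encoding shown above: it takes the initial sequence number of each observed SYN, checks whether both 16-bit halves are multiples of 255 with a printable quotient, and reassembles the hidden text per source address. It assumes the analyst already has (source, destination, ISN) triples extracted from SYN packets; the sample triples are constructed from the slide's values, and the function names are my own.

```python
"""Detector for the ASCII*255 sequence-number encoding described on the slides.

Each 32-bit ISN carries two characters: the high 16 bits hold ch1 * 255 and the
low 16 bits hold ch2 * 255. A genuinely random ISN has both halves divisible by
255 with probability (1/255)^2, so a matching value is worth an alert.
"""

# Characters accepted as plausible covert text: printable ASCII plus TAB/LF/CR.
_PLAUSIBLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def decode_isn(isn: int):
    """Return the two characters hidden in `isn`, or None if it does not fit the scheme."""
    chars = []
    for half in (isn >> 16, isn & 0xFFFF):
        if half % 255 != 0:
            return None
        code = half // 255
        if code not in _PLAUSIBLE:
            return None
        chars.append(chr(code))
    return "".join(chars)


def scan_syn_isns(records):
    """records: iterable of (src_ip, dst_ip, isn) taken from SYN packets.

    Returns (hits, text_by_src): every decodable ISN with its flow, and the text
    reassembled per source address. The source is the key because in the bounce
    the spoofed source address is the real receiver, while the bounce server
    (destination) changes from packet to packet."""
    hits = []
    text_by_src = {}
    for src, dst, isn in records:
        decoded = decode_isn(isn)
        if decoded is None:
            continue
        hits.append((src, dst, isn, decoded))
        text_by_src[src] = text_by_src.get(src, "") + decoded
    return hits, text_by_src


# Constructed sample: the three SYNs from the slides (spoofed source 2.2.2.2 sent
# to the bounce servers) mixed with ISNs that look like a random generator's output.
SAMPLE_SYNS = [
    ("2.2.2.2", "3.3.3.3", 0x47B8649B),
    ("10.0.0.5", "10.0.0.9", 0x9E3779B9),
    ("2.2.2.2", "4.4.4.4", 0x6B946B94),
    ("10.0.0.5", "10.0.0.9", 0x243F6A88),
    ("2.2.2.2", "5.5.5.5", 0x6E9109F6),
]

if __name__ == "__main__":
    hits, text = scan_syn_isns(SAMPLE_SYNS)
    for src, dst, isn, decoded in hits:
        print("suspicious ISN %08x from %s to %s decodes to %r" % (isn, src, dst, decoded))
    print(text)
```

This check is specific to the multiplier-by-255 scheme on the slides; it is cheap enough to run on every SYN, and its false-positive rate on properly random ISNs is on the order of one in 65,000 before the printable-range filter. A broader control, which does not depend on knowing the encoding, is the randomness analysis listed under the countermeasures.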
Direct transmission through the TCP header
Good places to hide data:
• Window field
• Sequence numbers
• Acknowledgement numbers
• Source/destination ports
• Urgent pointer (looks anomalous though!)
• TCP options (e.g. timestamps)
UDP Header advantages
Advantages:
• Connectionless
• 3 out of 4 fields are suitable for covert channels
• Can be bounced
Disadvantages:
• Unreliable!!!
Bounced UDP message
Message ‘Hello\n’: A -> B
‘H’ 0x48 * 255 = 0x47B8
‘e’ 0x65 * 255 = 0x649B
‘l’ 0x6C * 255 = 0x6B94
‘l’ 0x6C * 255 = 0x6B94
‘o’ 0x6F * 255 = 0x6E91
‘\n’ 0x0A * 255 = 0x09F6
Host A: 1.1.1.1
Host B: 2.2.2.2
Bounce Servers:
1. 3.3.3.3
2. 4.4.4.4
3. 5.5.5.5
Bounced UDP message
Host A sends a UDP packet to some port on 3.3.3.3:
Source address – 2.2.2.2 (Host B)
Source port – 0x47B8
Checksum – 0x649B
Host B receives an ICMP Port Unreachable message from 3.3.3.3 carrying the original UDP packet, whose source port and checksum contain our covert data.
Bounced UDP message – Results
• We succeeded in receiving the data we encoded through a different protocol!!!
• We used two fields to hide our data (we could use more, but it would look anomalous)
• We successfully bounced through a 3rd-party server
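From Host B's side the channel shows up as ICMP Port Unreachable messages that quote UDP datagrams the host never sent. The following Python is an added example, not from the slides, that parses such a message, pulls out the quoted source port and checksum, and checks the quoted datagram against a table of datagrams the host really sent; the ICMP bytes and the sent-table are constructed from the slide's values, and the function names are my own. The same unsolicited-reply check applies to the SIP bounce later in the deck, where a response arrives at a host that never sent the INVITE.

```python
"""Spotting the bounced-UDP channel from the receiving host's side.

An ICMP Destination Unreachable / Port Unreachable message (type 3, code 3)
quotes the IP header and first 8 bytes of the datagram that triggered it. The
quoted UDP source port and checksum are the covert fields. The host keeps a
table of the UDP datagrams it actually sent and flags any unreachable message
whose quoted datagram is not in it.
"""
import struct

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
IPPROTO_UDP = 17


def parse_icmp_unreachable(icmp: bytes):
    """Parse a raw ICMP message (starting at the ICMP header).

    Returns a dict with the quoted inner IPv4/UDP fields, or None if this is not a
    port-unreachable message carrying an IPv4+UDP quote."""
    if len(icmp) < 8 + 20 + 8:
        return None
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_PORT_UNREACH:
        return None
    inner = icmp[8:]                       # quoted IP header + first 8 bytes of payload
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < ihl + 8:
        return None
    if inner[9] != IPPROTO_UDP:
        return None
    src_ip = ".".join(str(b) for b in inner[12:16])
    dst_ip = ".".join(str(b) for b in inner[16:20])
    sport, dport, length, csum = struct.unpack("!HHHH", inner[ihl:ihl + 8])
    return {"src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
            "length": length, "checksum": csum}


def check_unsolicited(icmp: bytes, sent_datagrams):
    """sent_datagrams: set of (dst_ip, dst_port, src_port) this host actually sent.

    Returns (quoted_fields, is_unsolicited). An unsolicited quote is the signal:
    somebody sent a datagram with our address as source, and the bounce server
    delivered its two covert fields to us inside the ICMP error."""
    q = parse_icmp_unreachable(icmp)
    if q is None:
        return None, False
    return q, (q["dst"], q["dport"], q["sport"]) not in sent_datagrams


def build_sample_unreachable(src_ip, dst_ip, sport, dport, csum):
    """Constructed test vector: an ICMP 3/3 quoting a UDP datagram with the given fields."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, IPPROTO_UDP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, csum)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    return icmp_hdr + ip_hdr + udp_hdr


# Constructed from the slides: 3.3.3.3 bounces a datagram whose spoofed source is
# Host B (2.2.2.2); source port 0x47B8 and checksum 0x649B are 'H'*255 and 'e'*255.
BOUNCED = build_sample_unreachable("2.2.2.2", "3.3.3.3", 0x47B8, 53, 0x649B)
# Host B's own record of what it sent: one DNS query to 3.3.3.3 from port 40000,
# and a matching unreachable for it (the legitimate case).
SENT = {("3.3.3.3", 53, 40000)}
LEGIT = build_sample_unreachable("2.2.2.2", "3.3.3.3", 40000, 53, 0xBEEF)

if __name__ == "__main__":
    for name, msg in (("bounced", BOUNCED), ("legit", LEGIT)):
        q, bad = check_unsolicited(msg, SENT)
        print(name, "UNSOLICITED" if bad else "expected", q)
```

The sent-table is what makes this work: a host (or a sensor in front of it) that records outbound UDP five-tuples can tell a genuine port-unreachable from a reflected one without inspecting the covert fields at all, and the quoted source port and checksum are then the values to hand to an analyst.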
ICMP Header
Type | Code | Checksum
Reserved for different protocols
• There isn't much you can do with the ICMP header fields.
• People prefer to use the fields of the different ICMP message types
Application Layer
• We cannot do a bounced covert channel over TCP because of the 3-way handshake requirement
• For bounced covert channels we can only use UDP-based protocols
• Not all software vendors are RFC compliant, so some applications are unreliable for covert channels
• Numerous protocols are available
• Most popular layer for covert channels today
Bouncing through SIP
We send a UDP message with a spoofed source IP address to some SIP server:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 2.2.2.2:666;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: [email protected]
CSeq: 314159 INVITE
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 142
The reply will be directed to Host B with the sequence number we encoded (the CSeq value).
Available Technology for Application Layer
• CCTT by Gray World - http://www.gray-world.net/pr_cctt.shtml
• MSNShell by Wei Zheng - http://wei-zheng.3322.org/msnshell/
• IP-over-DNS - http://nstx.dereference.de/
Countermeasures
• Header field rewriting (where possible)
• Protocol anomaly detection
• Understanding how covert channels work
• Analysing the randomness of the numbers in header fields
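The last bullet, randomness analysis, as an added Python example (not from the slides): it measures the per-byte-position Shannon entropy over a window of observed header values and flags a field whose bytes are too structured, which catches text-carrying values without knowing the encoding. The window size, the threshold and the seeded PRNG that stands in for a real ISN generator are my assumptions; the covert sample is constructed with the deck's ASCII*255 encoding, and the function names are my own.

```python
"""Randomness check for header fields that are supposed to be random (TCP ISNs,
randomised IP IDs). Values that carry text have skewed byte distributions: with the
ASCII*255 scheme each 16-bit half is c*256 - c, so its high byte is c-1 and its low
byte is 256-c, both confined to the printable band. Comparing the entropy of each
byte position over a window of values against a threshold exposes that structure.
"""
import math
import random
from collections import Counter


def byte_entropy(values, width=4):
    """Shannon entropy in bits of each byte position over a window of `width`-byte values."""
    cols = [[] for _ in range(width)]
    for v in values:
        for i in range(width):
            cols[i].append((v >> (8 * (width - 1 - i))) & 0xFF)
    result = []
    for col in cols:
        n = len(col)
        result.append(-sum(c / n * math.log2(c / n) for c in Counter(col).values()))
    return result


def looks_non_random(values, min_bits=5.5):
    """True if any byte position's entropy falls below min_bits.

    min_bits is tuned for windows of a few hundred values: a uniform byte seen 200
    times scores close to 7 bits, while English text scores around 4."""
    return any(h < min_bits for h in byte_entropy(values))


# Constructed samples.
# (1) What a stack with a good ISN generator would produce; a seeded PRNG stands in
#     for it so the example is reproducible offline.
_rng = random.Random(20240101)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(200)]
# (2) ISNs carrying text with the slides' encoding: two characters per 32-bit value.
MESSAGE = ("the quick brown fox jumps over the lazy dog. " * 10)[:400]
COVERT_ISNS = [((ord(MESSAGE[i]) * 255) << 16) | (ord(MESSAGE[i + 1]) * 255)
               for i in range(0, len(MESSAGE), 2)]

if __name__ == "__main__":
    for name, sample in (("random", RANDOM_ISNS), ("covert", COVERT_ISNS)):
        bits = ", ".join("%.2f" % h for h in byte_entropy(sample))
        print("%-6s entropy per byte: %s -> %s" % (
            name, bits, "NON-RANDOM" if looks_non_random(sample) else "ok"))
```

Window size matters: the plug-in entropy estimate can never exceed log2(n), so the three ISNs of the "Hello\n" example would look non-random whatever they contain, and the threshold only means something once the window holds a few hundred values from the same host. Per-host windows also avoid mixing stacks with different generators.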
References
• Covert Channels in the TCP/IP Protocol Suite by Craig H. Rowland - http://www.firstmonday.dk/issues/issue2_5/rowland/
• Covert Channels – Towards a Qual Project by Rachel Greenstadt - http://www.eecs.harvard.edu/~greenie/ccslides.pdf
• Covert Channels Analysis and Data Hiding in TCP/IP by Kamran Ahsan - http://ee.tamu.edu/~deepa/theses/ahsan02.pdf