Network Covert Channels Evgeny Pinchuk (evgenyp@radware.com) Radware SOC Team
Agenda • What are covert channels? • Importance of network covert channels • Techniques examples • Available technology • Counter measures
Introduction
• The need for secrecy
• Encryption only makes data hard to read; it does nothing to hide the fact that data is being sent
• We can hide information inside channels that are assumed to carry a different kind of data
• Covert channels let us transport information unnoticed, which makes it hard for automated tools to detect
Common Covert Channels
• Steganography: pictures, audio, binary files
• Network: various protocols (i.e. IP, TCP, DNS…)
• Text: word and character substitution
• File Systems: hidden files, ADS
• Appending Data: EOF, headers, footers
Successful covert channels
• A packet that carries covert data should look like a regular packet
• Choosing the wrong header fields will make the traffic look anomalous
• Choosing a protocol that is common in the target network environment helps keep the channel covert
• Bouncing the traffic off a third party makes it harder to trace it back to the sender
Suitable fields in IP Header
• Identification field (some firewalls and normalizers rewrite it, so the value may not survive the path)
• Source address (only if the data needs to flow one way, since any reply goes to the spoofed address)
• IP options (only in environments where options are normally seen; many networks strip or flag them)
PoC: http://invisiblethings.org/tools/passivecc_ipid.c by Joanna Rutkowska
Bounced Sequence
Message ‘Hello\n’: A -> B
Each byte is multiplied by 255 to give a 16-bit word, and two words are packed into one 32-bit sequence number:
‘H’ 0x48 * 255 = 0x47B8
‘e’ 0x65 * 255 = 0x649B
‘l’ 0x6C * 255 = 0x6B94
‘l’ 0x6C * 255 = 0x6B94
‘o’ 0x6F * 255 = 0x6E91
‘\n’ 0x0A * 255 = 0x09F6
We get the following sequence numbers:
Sequence 1: 0x47B8649B
Sequence 2: 0x6B946B94
Sequence 3: 0x6E9109F6
• Host A: 1.1.1.1 (sender)
• Host B: 2.2.2.2 (receiver)
• Bounce Servers: 3.3.3.3, 4.4.4.4, 5.5.5.5
Bounced Sequence
Host A sends a SYN packet to 3.3.3.3 with a spoofed source address:
Sequence number - 0x47B8649B
Acknowledge number - (none; not set in a SYN)
Source address - 2.2.2.2 (Host B)
Host B receives the SYN+ACK packet from 3.3.3.3:
Sequence number - X (the bounce server’s own ISN)
Acknowledge number - 0x47B8649C (our sequence number + 1)
Destination address - 2.2.2.2
Host B recovers the encoded word by subtracting 1 from the acknowledgement number.
Bounced Sequence - Results
• We succeeded in receiving the encoded sequence number + 1 through a 3rd party server
• On the 3rd party server our request looks like a legitimate connection request
• Anyone analyzing the traffic on Host B will see what looks like a low-bandwidth reflected denial of service attack (unsolicited SYN+ACKs), not a message
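The bounce described on the three slides above, written out as an added example (this is not code from the original presentation): Host A encodes the message into TCP initial sequence numbers with the byte*255 scheme, each SYN carries Host B as the spoofed source, and the bounce server's stack answers B with a SYN+ACK whose acknowledgement number is seq + 1. The addresses are the ones on the slides; the bounce server model, its ISN and the receiver's filtering of unrelated SYN+ACKs are assumptions made for illustration, and nothing is sent on the wire.

```python
"""Added example, not from the original slides: the 'Bounced Sequence' slides
as code.  Host A encodes the message into TCP initial sequence numbers with
the deck's byte*255 scheme, sends each SYN with Host B as the spoofed
source, and the bounce server's stack replies to B with a SYN+ACK whose
acknowledgement number is seq + 1.  Addresses, the message and the bounce
server model are constructed for illustration; nothing is sent."""

HOST_A = "1.1.1.1"      # real sender (never appears in the packets)
HOST_B = "2.2.2.2"      # covert receiver, used as the spoofed source
BOUNCE = ["3.3.3.3", "4.4.4.4", "5.5.5.5"]


def encode_isns(message: bytes) -> list:
    """Two bytes per 32-bit ISN: each byte * 255 gives a 16-bit word (max 0xFE01)."""
    if len(message) % 2:
        message += b"\x00"                  # pad an odd-length message
    return [(message[i] * 255) << 16 | (message[i + 1] * 255)
            for i in range(0, len(message), 2)]


def decode_isn(isn: int) -> bytes:
    """Inverse of encode_isns for one ISN; ValueError if a half is not byte*255."""
    halves = (isn >> 16, isn & 0xFFFF)
    if any(h % 255 for h in halves):
        raise ValueError("not a byte*255 encoded value")
    return bytes(h // 255 for h in halves)


def bounce_server(syn: dict) -> dict:
    """Model of the third party's TCP stack: SYN in, SYN+ACK back to the
    (spoofed) source with ack = seq + 1 and its own ISN ('X' on the slide)."""
    return {"src": syn["dst"], "dst": syn["src"], "flags": "SA",
            "seq": 0x6A3F1C05,              # arbitrary server ISN (assumed)
            "ack": (syn["seq"] + 1) & 0xFFFFFFFF}


def host_a_send(message: bytes) -> list:
    """Spread the SYNs over the bounce servers; return the SYN+ACKs B will see."""
    replies = []
    for i, isn in enumerate(encode_isns(message)):
        syn = {"src": HOST_B, "dst": BOUNCE[i % len(BOUNCE)], "flags": "S", "seq": isn}
        replies.append(bounce_server(syn))
    return replies


def host_b_receive(packets: list) -> bytes:
    """Host B passively reads SYN+ACKs; ack - 1 is the ISN A chose."""
    out = b""
    for p in packets:
        if p["dst"] != HOST_B or p["flags"] != "SA":
            continue
        try:
            out += decode_isn((p["ack"] - 1) & 0xFFFFFFFF)
        except ValueError:
            continue                        # unrelated SYN+ACK, not our encoding
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    print([hex(x) for x in encode_isns(b"Hello\n")])
    print(host_b_receive(host_a_send(b"Hello\n")))
```

The receiver keys on nothing but the acknowledgement number, which is why the slide calls the channel passive: B never sends a packet. The byte*255 check in `decode_isn` is also what a real receiver needs to separate the bounced SYN+ACKs from ordinary backscatter, and, as the counter-measures slide notes, it is the same regularity a defender can test for.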
Direct transmission through TCP Header
Good covert places:
• Window field
• Sequence numbers (an initial sequence number is expected to look random, so an encoded value blends in)
• Acknowledge numbers
• Source/Destination ports
• Urgent pointer (looks anomalous though, since the URG flag is rarely set!)
• TCP Options (i.e. timestamps)
UDP Header advantages
Advantages:
• Connectionless, so there is no handshake to complete from the spoofed address
• 3 out of 4 header fields (source port, destination port, checksum) can carry covert data; only the length field is fixed by the datagram size
• Can be bounced
Disadvantages:
• Unreliable: nothing retransmits a dropped datagram!!!
Bounced UDP message
Message ‘Hello\n’: A -> B
Each byte is multiplied by 255 to give a 16-bit word; one word goes in the UDP source port and one in the UDP checksum:
‘H’ 0x48 * 255 = 0x47B8
‘e’ 0x65 * 255 = 0x649B
‘l’ 0x6C * 255 = 0x6B94
‘l’ 0x6C * 255 = 0x6B94
‘o’ 0x6F * 255 = 0x6E91
‘\n’ 0x0A * 255 = 0x09F6
• Host A: 1.1.1.1 (sender)
• Host B: 2.2.2.2 (receiver)
• Bounce Servers: 3.3.3.3, 4.4.4.4, 5.5.5.5
Bounced UDP message
Host A sends a UDP packet to a closed port on 3.3.3.3:
Source address - 2.2.2.2 (Host B)
Source port - 0x47B8 (‘H’)
Checksum - 0x649B (‘e’)
Host B receives an ICMP Port Unreachable message from 3.3.3.3 that quotes the original IP header and UDP header, so the source port and checksum fields carrying our covert data arrive at B intact.
Note that the checksum is not a free field: the bounce server’s stack verifies it and silently drops a datagram that fails, so the payload has to be adjusted until the checksum comes out as the encoded value.
Bounced UDP message - Results
• We succeeded in receiving the data we encoded, carried back by a different protocol (ICMP)!!!
• We used two fields to hide our data (we could use more, but it would look anomalous)
• We successfully bounced through a 3rd party server
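The UDP bounce from the slides above as an added example (not code from the original presentation). It puts one covert byte in the UDP source port and one in the UDP checksum, and deals with the part the slides leave implicit: the checksum must still verify at the bounce server, so a two-byte filler is appended to the payload and solved for in ones' complement arithmetic so that the checksum equals the covert word. The server side (checksum verification, the ICMP type 3 code 3 quote of the IP header plus the first 8 bytes) is a model written for this example; the addresses are the slides', the destination port and the server's behaviour are assumptions, and nothing is sent on the wire.

```python
"""Added example, not from the original slides: the 'Bounced UDP message'
slides as code.  One covert byte rides in the UDP source port and one in the
UDP checksum, each as byte*255.  The checksum is not a free field: the bounce
server's stack verifies it and silently drops a datagram that fails, so we
append a 2-byte filler to the payload and solve, in ones' complement
arithmetic, for the filler that makes the checksum equal the covert word.
The server then answers the closed port with an ICMP Port Unreachable that
quotes the original IP header plus the first 8 bytes (the UDP header), which
is what Host B decodes.  Addresses, ports and the server model are
constructed for illustration; nothing is sent."""
import struct
from ipaddress import IPv4Address

HOST_B = "2.2.2.2"      # covert receiver, used as the spoofed source
BOUNCE = "3.3.3.3"      # third party whose closed port answers with ICMP


def ones_add(a: int, b: int) -> int:
    """16-bit ones' complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total = ones_add(total, word)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum_ok(src: str, dst: str, dgram: bytes) -> bool:
    """Receiver check: the sum over pseudo header + datagram must be all ones."""
    return ones_sum(pseudo_header(src, dst, len(dgram)) + dgram) == 0xFFFF


def build_covert_udp(src, dst, dport, sport_word, csum_word, payload=b"") -> bytes:
    """UDP datagram whose source port and checksum fields are the covert words."""
    if csum_word == 0:
        raise ValueError("checksum 0 means 'no checksum' on IPv4; 0x00 cannot ride here")
    length = 8 + len(payload) + 2                   # +2 for the filler word
    body = struct.pack("!HHHH", sport_word, dport, length, 0) + payload
    partial = ones_sum(pseudo_header(src, dst, length) + body)   # filler counted as 0
    target = (~csum_word) & 0xFFFF                  # need partial + filler == ~csum_word
    filler = ones_add(target, (~partial) & 0xFFFF)  # ones' complement subtraction
    dgram = (struct.pack("!HHHH", sport_word, dport, length, csum_word)
             + payload + struct.pack("!H", filler))
    assert udp_checksum_ok(src, dst, dgram)
    return dgram


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for the ICMP quote (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def bounce_server(ip_src: str, ip_dst: str, dgram: bytes):
    """Model of the bounce server: verify the checksum, then answer the closed
    port with ICMP type 3 code 3 quoting IP header + 8 bytes.  Returns None
    when the datagram is dropped."""
    if not udp_checksum_ok(ip_src, ip_dst, dgram):
        return None
    quote = ipv4_header(ip_src, ip_dst, len(dgram)) + dgram[:8]
    return struct.pack("!BBHI", 3, 3, 0, 0) + quote   # ICMP checksum not modelled


def host_a_send(two_bytes: bytes, dport: int = 9):
    """Encode two bytes, build the spoofed datagram, return what B receives."""
    dgram = build_covert_udp(HOST_B, BOUNCE, dport, two_bytes[0] * 255, two_bytes[1] * 255)
    return bounce_server(HOST_B, BOUNCE, dgram)


def host_b_receive(icmp: bytes) -> bytes:
    """Host B: pull the quoted UDP source port and checksum out of the error."""
    if icmp[0] != 3 or icmp[1] != 3:
        raise ValueError("not a port unreachable")
    ihl = (icmp[8] & 0x0F) * 4
    sport, _dport, _len, csum = struct.unpack("!HHHH", icmp[8 + ihl:8 + ihl + 8])
    if sport % 255 or csum % 255:
        raise ValueError("quoted fields are not byte*255 values")
    return bytes((sport // 255, csum // 255))


if __name__ == "__main__":
    for pair in (b"He", b"ll", b"o\n"):
        print(host_b_receive(host_a_send(pair)))
```

Two practical limits fall out of the code: a covert word of 0x0000 cannot be carried in the checksum, because a zero UDP checksum means "no checksum" on IPv4 and the receiver would not verify it at all, and the filler word that makes the arithmetic work is itself visible in the payload, which is one more field that will not look random to an analyst.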
ICMP Header
• There isn’t much you can do with the ICMP header fields themselves (type, code, checksum)
• People prefer to use the type-specific fields and payloads of the different ICMP message types (for example the identifier, sequence number and data of Echo Request/Reply)
Application Layer
• Application protocols that run over TCP cannot be bounced, because the spoofed host would have to complete the 3-way handshake before any application data is exchanged
• Bounced application-layer covert channels are therefore limited to protocols that run over UDP
• Not all software vendors are RFC compliant, hence some applications are unreliable carriers for covert channels
• Numerous protocols available
• Most popular layer for covert channels today
Bouncing through SIP
We send a UDP message with a spoofed source IP address (Host B) to some SIP server:
INVITE sip:bob@3rdparty-server.com SIP/2.0
Via: SIP/2.0/UDP 2.2.2.2:666;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:bob@3rdparty-server.com>
From: Alice <sip:alice@host-b.com>;tag=1928301774
Call-ID: a84b4c76e66710@host-b.com
CSeq: 314159 INVITE
Contact: <sip:alice@host-b.com>
Content-Type: application/sdp
Content-Length: 142
The reply will be directed to Host B (the address in the Via header) and will echo the CSeq header with the sequence number we encoded.
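The SIP bounce as a protocol exchange with both sides modelled, as an added example (not code from the original presentation). It carries one covert byte in CSeq, as the slide does, and the rest of the message as hex in the Via branch after the mandatory z9hG4bK cookie. The server model follows two RFC 3261 rules: a response copies the request's Via, To, From, Call-ID and CSeq header fields, and a UDP response is sent to the Via "received" address when the server added one (because the packet's source IP did not match the Via host), otherwise to the Via host. That second rule is why the source address really has to be spoofed. Hostnames, tags, Call-ID and the 404 status are constructed for illustration; nothing is sent.

```python
"""Added example, not from the original slides: the SIP bounce as a protocol
exchange with both sides modelled.  The INVITE carries one covert byte in
CSeq (byte*255, as on the slides) and the rest as hex in the Via branch,
after the mandatory z9hG4bK cookie.  The server follows two RFC 3261 rules:
a response copies the request's Via, To, From, Call-ID and CSeq (s.8.2.6.2),
and a UDP response goes to the Via 'received' address if the server added
one, else to the Via sent-by host (s.18.2.2).  Hostnames, tags, Call-ID and
the 404 status are constructed for illustration; nothing is sent."""
import re

HOST_A = "1.1.1.1"          # real sender
HOST_B = "2.2.2.2"          # covert receiver, named in Via as the sender
SIP_SERVER = "3rdparty-server.com"

COPIED = ("Via", "To", "From", "Call-ID", "CSeq")


def build_invite(covert: bytes) -> str:
    """INVITE whose CSeq is covert[0]*255 and whose Via branch ends in hex(covert[1:])."""
    cseq = covert[0] * 255                         # <= 65025, inside CSeq's 32-bit range
    branch = "z9hG4bK" + covert[1:].hex()
    return ("INVITE sip:bob@{s} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP {b}:666;branch={br}\r\n"
            "Max-Forwards: 70\r\n"
            "To: Bob <sip:bob@{s}>\r\n"
            "From: Alice <sip:alice@host-b.com>;tag=1928301774\r\n"
            "Call-ID: a84b4c76e66710@host-b.com\r\n"
            "CSeq: {c} INVITE\r\n"
            "Contact: <sip:alice@host-b.com>\r\n"
            "Content-Length: 0\r\n\r\n").format(s=SIP_SERVER, b=HOST_B, br=branch, c=cseq)


def parse_headers(msg: str) -> dict:
    """Header name -> value for a SIP message (start line and body ignored)."""
    headers = {}
    for line in msg.split("\r\n")[1:]:
        if not line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def sip_server(request: str, packet_src_ip: str):
    """Model of the third-party server.  Returns (IP the response is sent to,
    response text).  packet_src_ip is the source address on the IP packet."""
    h = parse_headers(request)
    via = h["Via"]
    sent_by_host = via.split()[1].split(";")[0].split(":")[0]
    if sent_by_host != packet_src_ip:            # s.18.2.1: record the real source
        via += ";received=" + packet_src_ip
    h["Via"] = via
    resp = "SIP/2.0 404 Not Found\r\n"
    resp += "".join("%s: %s\r\n" % (name, h[name]) for name in COPIED)
    resp += "Content-Length: 0\r\n\r\n"
    m = re.search(r";received=([^;]+)", via)
    return (m.group(1) if m else sent_by_host), resp


def decode_response(resp: str) -> bytes:
    """Host B: recover the covert bytes from the echoed CSeq and branch."""
    h = parse_headers(resp)
    cseq = int(h["CSeq"].split()[0])
    if cseq % 255:
        raise ValueError("CSeq is not a byte*255 value")
    branch_hex = re.search(r"branch=z9hG4bK([0-9a-f]*)", h["Via"]).group(1)
    return bytes([cseq // 255]) + bytes.fromhex(branch_hex)


if __name__ == "__main__":
    dst, resp = sip_server(build_invite(b"Hello\n"), HOST_B)   # spoofed source
    print(dst, decode_response(resp))
    dst, _ = sip_server(build_invite(b"Hello\n"), HOST_A)      # not spoofed
    print("unspoofed request is answered to", dst)
```

Every copied header is echo capacity: CSeq, the branch token, the From tag and the Call-ID all come back unchanged, which is more room per packet than the transport-layer fields on the earlier slides, and the server never needs an application-layer state for the spoofed caller because a 4xx is generated directly from the request.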
Available Technology for Application Layer
• CCTT by Gray World - http://www.gray-world.net/pr_cctt.shtml
• MSNShell by Wei Zheng - http://wei-zheng.3322.org/msnshell/
• IP-over-DNS - http://nstx.dereference.de/
Counter measures
• Header field re-writing, where it is possible (normalizing IP ID, initial sequence numbers and similar fields strips whatever they carried)
• Protocol anomaly detection (e.g. SYN+ACKs or ICMP errors arriving for which no outbound request was seen)
• Understanding how covert channels work
• Analyzing the randomness of the numbers in header fields (encoded values are not uniformly distributed)
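Two of these counter measures as detection logic, added as an example (not code from the original presentation) and run over a constructed capture taken at Host B. The protocol-anomaly check treats a SYN+ACK as unsolicited when the monitored host never sent a SYN to that peer with the matching initial sequence number (ack - 1), which is exactly the trace the bounce on the earlier slides leaves behind. The randomness check uses the fact that in a genuinely random 32-bit value each 16-bit half is a multiple of 255 only about once in 255 samples, while the byte*255 encoding makes every half one. The records, the threshold and the printable-ASCII decode test are assumptions made for illustration.

```python
"""Added example, not from the original slides: two of the listed
countermeasures as detection logic over constructed flow records.
Protocol anomaly: a SYN+ACK arriving at a host that never sent the matching
SYN (peer address and ack == our ISN + 1) is backscatter, which is exactly
the trace the bounce leaves at Host B.  Randomness: in a real ISN each 16-bit
half is a multiple of 255 only about 1 time in 255, while the deck's byte*255
encoding makes every half one, so the rate over a window is a cheap statistic
to alert on.  Records and thresholds are illustrative."""
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    dst: str
    flags: str      # "S" for SYN, "SA" for SYN+ACK
    seq: int
    ack: int = 0


def unsolicited_synacks(pkts, host):
    """SYN+ACKs to host whose (peer, ack - 1) never appeared as (dst, seq) of a
    SYN sent by host.  A real tracker would key on the full 4-tuple."""
    sent = set()
    hits = []
    for p in pkts:
        if p.src == host and p.flags == "S":
            sent.add((p.dst, p.seq))
        elif p.dst == host and p.flags == "SA":
            if (p.src, (p.ack - 1) & 0xFFFFFFFF) not in sent:
                hits.append(p)
    return hits


def byte255_rate(values) -> float:
    """Fraction of 16-bit halves that are multiples of 255 (~0.004 if random)."""
    halves = [h for v in values for h in (v >> 16, v & 0xFFFF)]
    return sum(1 for h in halves if h % 255 == 0) / len(halves) if halves else 0.0


def decodes_as_text(value: int):
    """bytes if both halves are byte*255 and the bytes are printable, else None."""
    halves = (value >> 16, value & 0xFFFF)
    if any(h % 255 for h in halves):
        return None
    data = bytes(h // 255 for h in halves)
    return data if all(32 <= c < 127 or c in b"\r\n\t" for c in data) else None


def analyze(pkts, host, rate_threshold: float = 0.2) -> dict:
    """Combine both checks: unsolicited SYN+ACKs, and how non-random their
    implied ISNs are.  rate_threshold is an assumed alerting level."""
    hits = unsolicited_synacks(pkts, host)
    isns = [(p.ack - 1) & 0xFFFFFFFF for p in hits]
    rate = byte255_rate(isns)
    return {
        "unsolicited": len(hits),
        "rate": rate,
        "decoded": [decodes_as_text(v) for v in isns],
        "suspicious": bool(hits) and rate >= rate_threshold,
    }


# Constructed capture at Host B: one legitimate connection, then the three
# SYN+ACKs the bounce servers on the earlier slides would send.
SAMPLE = [
    Pkt("2.2.2.2", "9.9.9.9", "S", 0x11112222),
    Pkt("9.9.9.9", "2.2.2.2", "SA", 0x5E0C7A21, 0x11112223),
    Pkt("3.3.3.3", "2.2.2.2", "SA", 0x6A3F1C05, 0x47B8649C),
    Pkt("4.4.4.4", "2.2.2.2", "SA", 0x0B1D9F33, 0x6B946B95),
    Pkt("5.5.5.5", "2.2.2.2", "SA", 0x7C2E4411, 0x6E9109F7),
]

if __name__ == "__main__":
    print(analyze(SAMPLE, "2.2.2.2"))
```

The unsolicited-SYN+ACK check on its own is just reflection-attack detection, which is what the slides say an analyst at Host B would conclude; it is the second check, applied only to the unsolicited packets, that separates a covert channel from ordinary backscatter. Header-field rewriting (the first counter measure) defeats both the channel and this detector, because after normalization the acknowledgement numbers no longer carry the sender's values.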
The End Questions?
Contact Information Evgeny Pinchuk Email: evgenyp@radware.com
References
• Covert Channels in the TCP/IP Protocol Suite by Craig H. Rowland - http://www.firstmonday.dk/issues/issue2_5/rowland/
• Covert Channels – Towards a Qual Project by Rachel Greenstadt - http://www.eecs.harvard.edu/~greenie/ccslides.pdf
• Covert Channels Analysis and Data Hiding in TCP/IP by Kamran Ahsan - http://ee.tamu.edu/~deepa/theses/ahsan02.pdf