Covert Communications

1
Covert Communications

• Simple Nomad
• DC214 - 11Feb2004

2
Covert Communications

• What is it
• Why use it

3
Methods

• Hide data in normal transmission
• Main disadvantage is it is obvious there is some
  communication between two parties
• Hide data as well as transmission
• While you can forge IP addresses, this makes data
  retrieval very hard

4
Within Normal Transmission

• Email, Http
• Steganography (Outguess, etc) for attachments,
  e.g. My Vacation Pictures!
• Alternate usage of headers, e.g. Message-Id
• GPG doesnt count
• Obvious you are hiding something (unless that
  signature is not really a signature at all)

5
Within Hidden Transmission (sort of)

• Loki
• Data hidden inside ICMP traffic, limited forging
  capabilities
• Stegtunnel
• Data completely hidden in IP ID field
• Packet forgery possible, but limited

6
Goals for Ncovert/Ncovert2 Project

• Defeat network forensics
• Data is masked inside another form of
  communication
• Anonymous sender and receiver
• Simple and clean install/compile (no extra
  libraries)
• Leverage existing technology

7
Ncovert Overview

• Freeware
• No extra libraries required, uses standard C
• Uses Initial Sequence Number (ISN) as the data
  field
• Anonymous sending
• Can bypass most firewalls

8
Ncovert How it works

• Sender sends SYN packet with data in ISN to
  public server, forges source IP as receivers IP
• Public server receives SYN, sends SYN/ACK to
  receivers machine
• Receivers machine sniffs packet and gets data,
  the OS sends a RST to public server
• Repeated until all data is sent

9
Ncovert Pros and Cons

• Pro
• Anonymous sending
• If sniffing in path to forged source IP,
  anonymous receiving
• Bouncing of data is possible
• Careful planning can bypass most firewall rules
• Con
• Slow, as reliable as UDP
• Plaintext transmission, must encrypt data first
  (GPG, Ncrypt, etc)
• File transfers only

10
Ncovert2 Overview

• Freeware
• No extra libraries required, uses standard C
• Looks like ordinary port scan
• Anonymous sending, psuedo-anonymous receiving

11
Ncovert2 How it works, pt.1

• Sender and receiver agree on shared secret,
  turned into SHA-1
• Sender generates random session key, and creates
  IP ID and source port from SHA-1 and session key
• Sender XORs file size and session key to create
  ISN
• First packet sent to port 80 with session key in
  IP ID and source port, file size in ISN

12
Ncovert2 How it works, pt.2

• Receiver sniffs for packet for destination
  address with destination port of 80
• Receiver extracts session key from IP ID and
  source port using SHA-1 hash
• Receiver extracts file size from ISN using
  session key
• Sender and receiver generate session hash from
  session key and SHA-1 password hash, for creating
  predictable source ports

13
Ncovert2 How it works, pt.3

• Sender XORs data with previous ISN and session
  hash to create new ISN, creates a packet with a
  random IP ID, the predictable source port, and
  new ISN, and sends the packet
• Sender also sends decoy packets as well
• Destination ports on legit and decoy packets
  randomly use 1-65535, repeating as needed
• Receiver sniffs packets, ignores packets without
  predictable destination ports, uses previous
  ISN and session hash to extract data

14
Ncovert2 How it works, pt.4

• Packets sent until all data is transmitted
• Source address is only required on the first
  packet, so source addresses can be changed to
  something random, including decoy packets
• Transmission should look like a TCP ping to port
  80 followed by a full port scan, with random
  source addresses

15
Ncovert2 Pros

• Anonymous sending
• If sniffing in path to forged destination IP,
  anonymous receiving
• Multiple triggers means decoy packets can be sent
• Random source addresses after first packet

16
Ncovert2 - Cons

• File transfers only, and really good for only
  small files
• Randomness of ISNs and IP IDs in question
• File size can be brute forced, which could lead
  to session key recovery
• Known plaintext attack if file type is known
• Firewalls and NAT could break functionality if
  source port is rewritten

17
Q A

• and yes, they are watching

18
Fin

• http//www.nmrc.org/thegnome/ncovert-1.1.tgz
• http//www.nmrc.org/thegnome/ncovert2-1.1.tgz
• http//www.nmrc.org/thegnome/dc214-2004.ppt
• thegnome_at_nmrc.org