Covert Communications - PowerPoint PPT Presentation

About This Presentation
Title:

Covert Communications

Description:

While you can forge IP addresses, this makes data retrieval very hard ... Sender sends SYN packet with data in ISN to public server, forges source IP as receiver's IP ... – PowerPoint PPT presentation

Slides: 19
Provided by: nmrc8
Transcript and Presenter's Notes

1
Covert Communications
  • Simple Nomad
  • DC214 - 11Feb2004

2
Covert Communications
  • What is it
  • Why use it

3
Methods
  • Hide data in normal transmission
  • Main disadvantage is it is obvious there is some
    communication between two parties
  • Hide data as well as transmission
  • While you can forge IP addresses, this makes data
    retrieval very hard

4
Within Normal Transmission
  • Email, Http
  • Steganography (Outguess, etc) for attachments,
    e.g. My Vacation Pictures!
  • Alternate usage of headers, e.g. Message-Id
  • GPG doesn't count
  • Obvious you are hiding something (unless that
    signature is not really a signature at all)

5
Within Hidden Transmission (sort of)
  • Loki
    • Data hidden inside ICMP traffic, limited forging
      capabilities
  • Stegtunnel
    • Data completely hidden in IP ID field
    • Packet forgery possible, but limited

6
Goals for Ncovert/Ncovert2 Project
  • Defeat network forensics
  • Data is masked inside another form of
    communication
  • Anonymous sender and receiver
  • Simple and clean install/compile (no extra
    libraries)
  • Leverage existing technology

7
Ncovert Overview
  • Freeware
  • No extra libraries required, uses standard C
  • Uses Initial Sequence Number (ISN) as the data
    field
  • Anonymous sending
  • Can bypass most firewalls

8
Ncovert - How it works
  • Sender sends SYN packet with data in ISN to
    public server, forges source IP as receiver's IP
  • Public server receives SYN, sends SYN/ACK to
    receiver's machine
  • Receiver's machine sniffs packet and gets data;
    the OS sends a RST to public server
  • Repeated until all data is sent

9
Ncovert - Pros and Cons
  • Pro
    • Anonymous sending
    • If sniffing in path to forged source IP,
      anonymous receiving
    • Bouncing of data is possible
    • Careful planning can bypass most firewall rules
  • Con
    • Slow, as reliable as UDP
    • Plaintext transmission, must encrypt data first
      (GPG, Ncrypt, etc)
    • File transfers only
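From the defender's side, the bounce on slides 8 and 9 leaves two tells that a sensor in front of the public server can look for: every "connection" from the forged address is a SYN, a SYN/ACK and then a RST with no ACK and no data, and, because Ncovert v1 carries the file in plaintext, the ISN bytes look like text rather than the near-uniform values a kernel generates. The Python below is an added example written for this page, not code from the talk or the Ncovert project; the addresses, the sample packet records and the thresholds are constructed, and the ISN packing in `isn_from_text` only exists to build the fixture.

```python
from collections import defaultdict

# Constructed sample traffic as a sensor in front of the public server would see
# it; addresses come from the RFC 5737 documentation ranges, not real hosts.
PUBLIC_SERVER = "203.0.113.10"
RECEIVER = "198.51.100.7"      # address the covert sender forges as its source
NORMAL_CLIENT = "192.0.2.44"


def isn_from_text(chunk: bytes) -> int:
    """Constructed fixture: four plaintext bytes packed into a 32-bit ISN,
    the Ncovert v1 data field from slide 7."""
    return int.from_bytes(chunk.ljust(4, b"\x00"), "big")


def build_sample():
    """(src, dst, sport, dport, flags, seq) records for one bounce session
    and one ordinary client. Flags: S=SYN, SA=SYN/ACK, A=ACK, R=RST."""
    pkts = []
    msg = b"meet at noon, bring docs"  # constructed payload, 24 bytes -> 6 SYNs
    for i in range(0, len(msg), 4):
        isn, sport = isn_from_text(msg[i:i + 4]), 40000 + i
        pkts.append((RECEIVER, PUBLIC_SERVER, sport, 80, "S", isn))            # forged SYN
        pkts.append((PUBLIC_SERVER, RECEIVER, 80, sport, "SA", 0x6A1F3C9D + i))  # server answers
        pkts.append((RECEIVER, PUBLIC_SERVER, sport, 80, "R", isn + 1))         # receiver's OS resets
    for i, isn in enumerate([0x8B3FD2A1, 0x17E90C44, 0xD4A60E7B]):            # ordinary handshakes
        sport = 50000 + i
        pkts.append((NORMAL_CLIENT, PUBLIC_SERVER, sport, 80, "S", isn))
        pkts.append((PUBLIC_SERVER, NORMAL_CLIENT, 80, sport, "SA", 0x3344 + i))
        pkts.append((NORMAL_CLIENT, PUBLIC_SERVER, sport, 80, "A", isn + 1))
    return pkts


def printable_fraction(isns) -> float:
    """Share of ISN bytes in the printable ASCII range. Uniform ISNs give about
    95/256 (0.37); plaintext pushed through the ISN field drives this to 1.0."""
    data = b"".join(v.to_bytes(4, "big") for v in isns)
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def track_handshakes(pkts, server):
    """Per client address: SYNs seen, how many completed with an ACK, and how
    many were reset straight after the SYN/ACK (the bounce on slide 8)."""
    state = {}
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "bounced": 0, "isns": []})
    for src, dst, sport, dport, flags, seq in pkts:
        if dst == server and flags == "S":
            stats[src]["syn"] += 1
            stats[src]["isns"].append(seq)
            state[(src, sport)] = "syn"
        elif src == server and flags == "SA" and state.get((dst, dport)) == "syn":
            state[(dst, dport)] = "synack"
        elif dst == server and state.get((src, sport)) == "synack":
            if flags == "A":
                stats[src]["completed"] += 1
            elif flags == "R":
                stats[src]["bounced"] += 1
            state[(src, sport)] = "done"
    return stats


def suspicious_clients(pkts, server, min_syns=3, max_printable=0.75):
    """Flag clients whose SYNs are all reset after the SYN/ACK, or whose ISN
    bytes look like text. Thresholds are constructed for this sample."""
    findings = []
    for client, s in track_handshakes(pkts, server).items():
        pf = printable_fraction(s["isns"])
        all_bounced = s["syn"] >= min_syns and s["bounced"] == s["syn"]
        if all_bounced or pf > max_printable:
            findings.append({"client": client, "syn": s["syn"], "bounced": s["bounced"],
                             "completed": s["completed"], "printable": round(pf, 2)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_clients(build_sample(), PUBLIC_SERVER):
        print(finding)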

10
Ncovert2 Overview
  • Freeware
  • No extra libraries required, uses standard C
  • Looks like ordinary port scan
  • Anonymous sending, pseudo-anonymous receiving

11
Ncovert2 - How it works, pt.1
  • Sender and receiver agree on shared secret,
    turned into SHA-1
  • Sender generates random session key, and creates
    IP ID and source port from SHA-1 and session key
  • Sender XORs file size and session key to create
    ISN
  • First packet sent to port 80 with session key in
    IP ID and source port, file size in ISN

12
Ncovert2 - How it works, pt.2
  • Receiver sniffs for packet for destination
    address with destination port of 80
  • Receiver extracts session key from IP ID and
    source port using SHA-1 hash
  • Receiver extracts file size from ISN using
    session key
  • Sender and receiver generate session hash from
    session key and SHA-1 password hash, for creating
    predictable source ports

13
Ncovert2 - How it works, pt.3
  • Sender XORs data with previous ISN and session
    hash to create new ISN, creates a packet with a
    random IP ID, the predictable source port, and
    new ISN, and sends the packet
  • Sender also sends decoy packets
  • Destination ports on legit and decoy packets
    randomly use 1-65535, repeating as needed
  • Receiver sniffs packets, ignores packets without
    predictable destination ports, uses previous
    ISN and session hash to extract data

14
Ncovert2 - How it works, pt.4
  • Packets sent until all data is transmitted
  • Source address is only required on the first
    packet, so source addresses can be changed to
    something random, including decoy packets
  • Transmission should look like a TCP ping to port
    80 followed by a full port scan, with random
    source addresses
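Slides 11 to 14 describe the sender's side; the detection angle is the traffic shape slide 14 spells out. At the receiving network, one destination host gets a SYN to port 80 from a fixed source and then a burst of SYNs to random ports from random source addresses, a distributed-looking scan with one target in common. The Python below is an added example written for this page, not code from the talk or the Ncovert2 project; addresses, the seeded sample traffic and the thresholds are constructed. It reports the port-80-first signal separately because on its own that is just ordinary web traffic.

```python
import random
from collections import defaultdict

# Constructed sample as a sensor at the receiving network would see it; addresses
# are RFC 5737 documentation ranges. Records are (src, dst, sport, dport) SYNs.
TARGET = "198.51.100.7"      # host the covert receiver is sniffing in front of
WEB_HOST = "198.51.100.20"   # ordinary web server on the same network


def build_sample(n_covert=40, n_benign=30):
    rng = random.Random(1)   # fixed seed so the constructed sample is reproducible
    pkts = []
    # Ncovert2 shape (slides 13-14): one SYN to port 80 from the forged source,
    # then SYNs to random destination ports from random source addresses.
    pkts.append(("192.0.2.9", TARGET, 31337, 80))
    for _ in range(n_covert):
        src = "203.0.113.%d" % rng.randint(1, 254)
        pkts.append((src, TARGET, rng.randint(1024, 65535), rng.randint(1, 65535)))
    # Benign: three clients talking to ports 80 and 443 on the web host.
    for i in range(n_benign):
        pkts.append(("192.0.2.%d" % (10 + i % 3), WEB_HOST, 40000 + i, 443 if i % 2 else 80))
    return pkts


def profile_destinations(pkts):
    """Per destination: distinct sources, distinct destination ports, first SYN."""
    prof = defaultdict(lambda: {"sources": set(), "ports": set(), "first": None})
    for src, dst, sport, dport in pkts:
        p = prof[dst]
        if p["first"] is None:
            p["first"] = (src, dport)
        p["sources"].add(src)
        p["ports"].add(dport)
    return prof


def score(pkts, min_ports=20, min_sources=10):
    """Flag a destination when SYNs fan out over many ports AND many source
    addresses; thresholds are constructed and should be tuned per network."""
    out = {}
    for dst, p in profile_destinations(pkts).items():
        n_ports, n_sources = len(p["ports"]), len(p["sources"])
        out[dst] = {
            "ports": n_ports,
            "sources": n_sources,
            "port80_first": p["first"][1] == 80,
            "flag": n_ports >= min_ports and n_sources >= min_sources,
        }
    return out


if __name__ == "__main__":
    for dst, verdict in score(build_sample()).items():
        print(dst, verdict)
```

A distributed scan from a botnet produces the same profile, so this is a triage signal rather than proof of a covert channel; the mitigations the talk itself lists on slide 16 (a NAT or firewall that rewrites the source port) break the predictable-port scheme outright, and source-address validation at the sending network (BCP 38) removes the forged source both tools rely on.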

15
Ncovert2 - Pros
  • Anonymous sending
  • If sniffing in path to forged destination IP,
    anonymous receiving
  • Multiple triggers mean decoy packets can be sent
  • Random source addresses after first packet

16
Ncovert2 - Cons
  • File transfers only, and really good for only
    small files
  • Randomness of ISNs and IP IDs in question
  • File size can be brute forced, which could lead
    to session key recovery
  • Known plaintext attack if file type is known
  • Firewalls and NAT could break functionality if
    source port is rewritten

17
Q & A
  • and yes, they are watching

18
Fin
  • http://www.nmrc.org/thegnome/ncovert-1.1.tgz
  • http://www.nmrc.org/thegnome/ncovert2-1.1.tgz
  • http://www.nmrc.org/thegnome/dc214-2004.ppt
  • thegnome_at_nmrc.org