Covert Communications PowerPoint PPT Presentation


Title: Covert Communications


1
Covert Communications
  • Simple Nomad
  • DC214 - 11Feb2004

2
Covert Communications
  • What is it
  • Why use it

3
Methods
  • Hide data in normal transmission
      • Main disadvantage: it is obvious there is some
        communication between two parties
  • Hide data as well as the transmission
      • While you can forge IP addresses, this makes data
        retrieval very hard

4
Within Normal Transmission
  • Email, Http
  • Steganography (Outguess, etc) for attachments,
    e.g. My Vacation Pictures!
  • Alternate usage of headers, e.g. Message-Id
  • GPG doesn't count
  • Obvious you are hiding something (unless that
    signature is not really a signature at all)

5
Within Hidden Transmission (sort of)
  • Loki
      • Data hidden inside ICMP traffic, limited forging
        capabilities
  • Stegtunnel
      • Data completely hidden in IP ID field
      • Packet forgery possible, but limited

6
Goals for Ncovert/Ncovert2 Project
  • Defeat network forensics
  • Data is masked inside another form of
    communication
  • Anonymous sender and receiver
  • Simple and clean install/compile (no extra
    libraries)
  • Leverage existing technology

7
Ncovert Overview
  • Freeware
  • No extra libraries required, uses standard C
  • Uses Initial Sequence Number (ISN) as the data
    field
  • Anonymous sending
  • Can bypass most firewalls

8
Ncovert How it works
  • Sender sends SYN packet with data in ISN to
    public server, forges source IP as receiver's IP
  • Public server receives SYN, sends SYN/ACK to
    receiver's machine
  • Receiver's machine sniffs packet and gets data,
    the OS sends a RST to public server
  • Repeated until all data is sent
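
The sequence on this slide leaves one observable artifact on the receiver's segment: a SYN/ACK from the public server for which no SYN ever left the local host, followed by the RST the OS answers with. The following is an added example, not code from the deck or from the ncovert project, showing how a network-forensics script could flag those unsolicited SYN/ACKs and, because the server acknowledges ISN+1, recover the four plaintext bytes each one carried. The packet records, the 10.0.0.0/24 "local" range, the 203.0.113.10 server address and the big-endian byte order of the ISN are all constructed assumptions.

```python
import struct
from collections import namedtuple

# Constructed packet records, as a sniffer on the receiver's network segment
# might log them. None of this is a real capture.
Pkt = namedtuple("Pkt", "src dst sport dport flags seq ack")

LOCAL_NET = "10.0.0."    # assumption: the monitored hosts live in 10.0.0.0/24
SERVER = "203.0.113.10"  # constructed "public server" address


def find_unsolicited_synacks(packets):
    """Return SYN/ACKs delivered to a local host that never sent the matching SYN.

    The sender forges the receiver's address on a SYN to a public server, so the
    receiver's segment only ever sees the server's SYN/ACK (and the RST the
    receiver's OS answers with). A SYN/ACK with no preceding outbound SYN for
    the same 4-tuple is therefore the thing to look for.
    """
    outbound_syns = set()
    hits = []
    for p in packets:
        if p.flags == "S" and p.src.startswith(LOCAL_NET):
            outbound_syns.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "SA" and p.dst.startswith(LOCAL_NET):
            if (p.dst, p.dport, p.src, p.sport) not in outbound_syns:
                hits.append(p)
    return hits


def reconstruct_payload(synacks):
    """The server acknowledges ISN+1, so ack-1 is the 32-bit ISN the sender chose,
    i.e. four bytes of payload (plaintext unless the sender encrypted it first)."""
    return b"".join(struct.pack("!I", (p.ack - 1) & 0xFFFFFFFF) for p in synacks)


def sample_capture():
    """Constructed traffic: one legitimate connection from 10.0.0.5, then two
    forged-SYN rounds carrying b"hell" and b"o!!!" in the ISN."""
    legit_isn = 0x11223344
    pk = [Pkt("10.0.0.5", SERVER, 40000, 80, "S", legit_isn, 0),
          Pkt(SERVER, "10.0.0.5", 80, 40000, "SA", 0x99999999, legit_isn + 1)]
    for port, chunk in ((44444, b"hell"), (44445, b"o!!!")):
        isn = struct.unpack("!I", chunk)[0]
        # the forged SYN itself never crosses the receiver's segment
        pk.append(Pkt(SERVER, "10.0.0.5", 80, port, "SA", 0x77777777, isn + 1))
        pk.append(Pkt("10.0.0.5", SERVER, port, 80, "R", isn + 1, 0))
    return pk


def analyze(packets):
    """Count the unsolicited SYN/ACKs and return the bytes they carried."""
    hits = find_unsolicited_synacks(packets)
    return len(hits), reconstruct_payload(hits)


if __name__ == "__main__":
    count, payload = analyze(sample_capture())
    print(count, payload)
```

The legitimate connection is not flagged because its SYN was seen leaving the host; the two forged rounds are, and their ack numbers reassemble to the original bytes. On a real sensor the same logic needs the SYN table bounded by time, since retransmitted or late SYN/ACKs for old connections would otherwise look unsolicited.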

9
Ncovert Pros and Cons
  • Pro
      • Anonymous sending
      • If sniffing in path to forged source IP,
        anonymous receiving
      • Bouncing of data is possible
      • Careful planning can bypass most firewall rules
  • Con
      • Slow, as reliable as UDP
      • Plaintext transmission, must encrypt data first
        (GPG, Ncrypt, etc)
      • File transfers only

10
Ncovert2 Overview
  • Freeware
  • No extra libraries required, uses standard C
  • Looks like ordinary port scan
  • Anonymous sending, pseudo-anonymous receiving

11
Ncovert2 How it works, pt.1
  • Sender and receiver agree on shared secret,
    turned into SHA-1
  • Sender generates random session key, and creates
    IP ID and source port from SHA-1 and session key
  • Sender XORs file size and session key to create
    ISN
  • First packet sent to port 80 with session key in
    IP ID and source port, file size in ISN

12
Ncovert2 How it works, pt.2
  • Receiver sniffs for packet for destination
    address with destination port of 80
  • Receiver extracts session key from IP ID and
    source port using SHA-1 hash
  • Receiver extracts file size from ISN using
    session key
  • Sender and receiver generate session hash from
    session key and SHA-1 password hash, for creating
    predictable source ports

13
Ncovert2 How it works, pt.3
  • Sender XORs data with previous ISN and session
    hash to create new ISN, creates a packet with a
    random IP ID, the predictable source port, and
    new ISN, and sends the packet
  • Sender also sends decoy packets
  • Destination ports on legit and decoy packets
    randomly use 1-65535, repeating as needed
  • Receiver sniffs packets, ignores packets without
    predictable destination ports, uses previous
    ISN and session hash to extract data

14
Ncovert2 How it works, pt.4
  • Packets sent until all data is transmitted
  • Source address is only required on the first
    packet, so source addresses can be changed to
    something random, including decoy packets
  • Transmission should look like a TCP ping to port
    80 followed by a full port scan, with random
    source addresses
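
The traffic shape this slide describes (one SYN to port 80, then a burst of SYNs across the port range from changing source addresses) is itself a detection signature. The following is an added example, not code from the deck or from the ncovert2 project: it runs over constructed SYN records and alerts on a destination that receives a port-80 SYN followed within a time window by SYNs to many distinct ports from many distinct sources. The record layout, the window and the thresholds are assumptions to be tuned per network.

```python
import random
from collections import defaultdict, namedtuple

# Constructed SYN records: timestamp (seconds), source, destination, destination port.
Syn = namedtuple("Syn", "ts src dst dport")


def find_port80_then_scan(syns, window=60.0, min_ports=100, min_sources=20):
    """Flag destinations that get a SYN to port 80 followed, within `window`
    seconds, by SYNs to at least `min_ports` distinct ports from at least
    `min_sources` distinct source addresses (thresholds are assumptions)."""
    by_dst = defaultdict(list)
    for s in sorted(syns, key=lambda s: s.ts):
        by_dst[s.dst].append(s)
    alerts = []
    for dst, pkts in by_dst.items():
        for i, trigger in enumerate(pkts):
            if trigger.dport != 80:
                continue
            follow = [p for p in pkts[i + 1:] if p.ts - trigger.ts <= window]
            ports = {p.dport for p in follow}
            sources = {p.src for p in follow}
            if len(ports) >= min_ports and len(sources) >= min_sources:
                alerts.append({"dst": dst, "trigger_src": trigger.src,
                               "trigger_ts": trigger.ts,
                               "distinct_ports": len(ports),
                               "distinct_sources": len(sources)})
                break  # one alert per destination is enough
    return alerts


def sample_traffic():
    """Constructed: host 10.0.0.5 sees the port-80 SYN followed by a spread of
    SYNs across random ports from random sources; host 10.0.0.6 sees ordinary
    web traffic from a handful of clients."""
    rng = random.Random(2004)
    syns = [Syn(0.0, "198.51.100.7", "10.0.0.5", 80)]      # the first, triggering packet
    ports = rng.sample(range(1, 65536), 300)                  # distinct destination ports
    for i, port in enumerate(ports):
        src = f"198.51.100.{rng.randint(1, 254)}"          # source changes after the first packet
        syns.append(Syn(0.1 * (i + 1), src, "10.0.0.5", port))
    for i in range(40):                                       # benign: few clients, two ports
        syns.append(Syn(5.0 * i, f"192.0.2.{i % 5 + 1}", "10.0.0.6", 80 if i % 2 else 443))
    return syns


if __name__ == "__main__":
    for alert in find_port80_then_scan(sample_traffic()):
        print(alert)
```

A plain port-scan detector keyed on source address misses this pattern because the source keeps changing; keying on the destination and counting distinct sources as well as distinct ports is what makes the burst stand out.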

15
Ncovert2 Pros
  • Anonymous sending
  • If sniffing in path to forged destination IP,
    anonymous receiving
  • Multiple triggers means decoy packets can be sent
  • Random source addresses after first packet

16
Ncovert2 Cons
  • File transfers only, and really good for only
    small files
  • Randomness of ISNs and IP IDs in question
  • File size can be brute forced, which could lead
    to session key recovery
  • Known plaintext attack if file type is known
  • Firewalls and NAT could break functionality if
    source port is rewritten
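
To make the two cryptographic cons on this slide concrete, here is an added example (not code from the deck or from ncovert2) that models the ISN chain from slides 11 and 13: ISN0 is the file size XOR the session key, and each later ISN is a data word XOR the previous ISN XOR the session hash. It then shows what an observer holding only the ISNs can do: the packet count bounds the file size to a four-byte window, so "brute forcing" the size yields at most four session-key candidates, and a known first word (a file magic number) yields the session hash directly, after which every data word decodes. The slides do not give the session hash construction, the word size, byte order or padding, and do not cover the IP ID / source port derivation; those parts of the model are assumptions.

```python
import hashlib
import struct


def u32(b):
    return struct.unpack("!I", b)[0]


def session_hash(session_key, password_hash):
    # ASSUMPTION: the session hash is built "from session key and SHA-1 password
    # hash" but the slides do not say how; this model takes the first 4 bytes of
    # SHA-1(password_hash || session_key).
    return u32(hashlib.sha1(password_hash + struct.pack("!I", session_key)).digest()[:4])


def encode_isns(data, session_key, password_hash):
    """ISN chain as described on slides 11 and 13:
    ISN0 = file size XOR session key; ISN_i = word_i XOR ISN_{i-1} XOR session hash."""
    padded = data + b"\0" * (-len(data) % 4)   # assumption: zero-pad to whole 32-bit words
    sh = session_hash(session_key, password_hash)
    isns = [len(data) ^ session_key]
    for i in range(0, len(padded), 4):
        isns.append(u32(padded[i:i + 4]) ^ isns[-1] ^ sh)
    return isns


def decode_isns(isns, session_key, password_hash):
    """What the receiver does with both secrets in hand."""
    sh = session_hash(session_key, password_hash)
    size = isns[0] ^ session_key
    words = b"".join(struct.pack("!I", isns[i] ^ isns[i - 1] ^ sh) for i in range(1, len(isns)))
    return words[:size]


def session_key_candidates(isns):
    """'File size can be brute forced': the number of data packets already pins
    the size to a 4-byte window, so ISN0 XOR each candidate size leaves at most
    four session-key candidates."""
    n_words = len(isns) - 1
    lo, hi = max(0, 4 * (n_words - 1) + 1), 4 * n_words
    return [isns[0] ^ size for size in range(lo, hi + 1)]


def session_hash_from_known_word(isns, known_first_word):
    """'Known plaintext attack if file type is known': first data word XOR ISN0
    XOR ISN1 is the session hash, because the chain is only XORs."""
    return isns[1] ^ isns[0] ^ u32(known_first_word[:4])


def recover_from_magic(isns, magic):
    """Decode every data word from the observed ISNs and a guessed magic number;
    up to 3 trailing pad bytes remain because the exact size needs the key."""
    sh = session_hash_from_known_word(isns, magic)
    return b"".join(struct.pack("!I", isns[i] ^ isns[i - 1] ^ sh) for i in range(1, len(isns)))


def demo():
    """Constructed session: a GIF-headed file, a fixed session key, a shared secret."""
    pw_hash = hashlib.sha1(b"constructed shared secret").digest()   # SHA-1 of the shared secret
    key = 0x1234ABCD                                                 # constructed session key
    data = b"GIF89a constructed sample payload"
    isns = encode_isns(data, key, pw_hash)
    return {
        "roundtrip": decode_isns(isns, key, pw_hash) == data,
        "key_recovered": key in session_key_candidates(isns),
        "hash_recovered": session_hash_from_known_word(isns, b"GIF8") == session_hash(key, pw_hash),
        "recovered": recover_from_magic(isns, b"GIF8"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for an analyst is that the secrecy of the whole stream rests on a single 32-bit value that is XORed into every word; a fixed per-session mask over XOR is the textbook known-plaintext case, which is why the slide lists it as a con and why the deck recommends encrypting the file before transmission.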

17
Q&A
  • and yes, they are watching

18
Fin
  • http://www.nmrc.org/thegnome/ncovert-1.1.tgz
  • http://www.nmrc.org/thegnome/ncovert2-1.1.tgz
  • http://www.nmrc.org/thegnome/dc214-2004.ppt
  • thegnome_at_nmrc.org