Date: Thu Oct  6 13:39:00 2005
From: research at sec-consult.com (Bernhard Mueller)
Subject: Interesting idea for a covert channel or I just didn't research enough?

If you have system access, why not capture packets at kernel level,
BEFORE they reach the firewall? Your approach seems to be very noisy ;)

PASTOR ADRIAN wrote:
> Sometime ago I thought of the following idea for a covert channel.
> Although the idea of covert channels is *not* new at all, I couldn't
> find anything in Google related to the following method of implementing
> a covert channel.
>  
> The scenario is the following. The victim is a host with a host-level
> firewall which is blocking *all* incoming traffic. Somehow the attacker
> still needs to communicate with a backdoor planted in this host. Use a
> reverse shell and job done, you might say.
> Actually, there is another way which I thought would be more creative
> (IMHO).
>  
> It works like this: the backdoor enables logging in the host-level
> firewall for all dropped packets, say Windows XP SP2 Firewall. Then the
> backdoor receives commands from the attacker by interpreting the
> properties of the dropped packets which were logged by the firewall. In
> other words, the backdoor is constantly reading the logs and parsing
> commands which were sent by the attacker embedded in packets which are
> being dropped (but logged) by the firewall.
> 
> attacker sends packets -> packets are dropped by firewall -> packets
> properties are captured in logs  -> backdoor reads logs and finds
> encoded commands -> commands are executed
> 
> Now, for the way the backdoor would reply back to the victim is really
> up to you. One method that comes to my mind is by posting the responses
> to a PHP script which is located in some free-hosting webpage. The
> attacker would then access this webpage.
>  
> Please, if you know anything related to backdoors intercepting commands
> from log files send me some links. Ideas, comments and flames are more
> than welcome :-) .
> 
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com <http://www.adrianpv.com>
> www.ikwt.com <http://www.ikwt.com> (In Knowledge We Trust)


-- 
_____________________________________________________

~  DI (FH) Bernhard Mueller
~  IT Security Consultant

~  SEC-Consult Unternehmensberatung GmbH
~  www.sec-consult.com

~  A-1080 Wien  Blindengasse 3
~  Tel:   +43/676/840301718
~  Fax:   +43/(0)1/4090307-590
______________________________________________________
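
One defender-side check against the channel the quoted post describes, written here as an added example and not code from either poster: parse the Windows XP SP2 firewall log (pfirewall.log, whose `#Fields:` header names the columns) and flag sources whose dropped inbound packets vary across many destination-port/size combinations, since packet properties are the only place such a channel can carry its data. The sample log lines, the detection thresholds, and the assumption that this signature is worth reviewing are constructed for the example; a plain port scan leaves the same footprint.

```python
from collections import defaultdict

# Constructed sample in the Windows XP SP2 firewall log layout (pfirewall.log).
# The #Fields line names the columns; one entry is written per logged packet.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-10-06 13:39:00 DROP TCP 198.51.100.7 192.0.2.20 40001 1001 48 S 10 0 8192 - - - RECEIVE
2005-10-06 13:39:01 DROP TCP 198.51.100.7 192.0.2.20 40002 1033 52 S 11 0 8192 - - - RECEIVE
2005-10-06 13:39:01 DROP TCP 198.51.100.7 192.0.2.20 40003 1002 44 S 12 0 8192 - - - RECEIVE
2005-10-06 13:39:02 DROP TCP 198.51.100.7 192.0.2.20 40004 1010 60 S 13 0 8192 - - - RECEIVE
2005-10-06 13:39:02 DROP UDP 203.0.113.9 192.0.2.20 137 137 78 - - - - - - - RECEIVE
2005-10-06 13:39:03 DROP UDP 203.0.113.9 192.0.2.20 137 137 78 - - - - - - - RECEIVE
2005-10-06 13:39:04 DROP TCP 198.51.100.7 192.0.2.20 40005 1004 56 S 14 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_sources(text, min_drops=4, min_distinct=4):
    """Return {src-ip: number of distinct (dst-port, size) pairs} for sources whose
    dropped inbound packets spread over many property combinations.
    Thresholds are assumptions: a scan produces the same signature, so this
    yields candidates for review, not a verdict."""
    per_source = defaultdict(list)
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            per_source[rec["src-ip"]].append((rec["dst-port"], rec["size"]))
    flagged = {}
    for src, props in per_source.items():
        distinct = len(set(props))
        if len(props) >= min_drops and distinct >= min_distinct:
            flagged[src] = distinct
    return flagged
```

The same parser also answers the configuration question the post raises: if dropped-packet logging is on and nobody on the host is meant to consume that file, a reader of pfirewall.log is itself worth explaining.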
