Date: Thu Oct 6 13:39:00 2005
From: research at sec-consult.com (Bernhard Mueller)
Subject: Interesting idea for a covert channel or I just didn't research enough?

If you have system access, why not capture packets at kernel level, BEFORE they reach the firewall? Your approach seems to be very noisy ;)

PASTOR ADRIAN wrote:
> Some time ago I thought of the following idea for a covert channel.

it would be better to intercept packets at kernel level BEFORE they

> Although the idea of covert channels is *not* new at all, I couldn't
> find anything in Google related to the following method of implementing
> a covert channel.
>
> The scenario is the following. The victim is a host with a host-level
> firewall which is blocking *all* incoming traffic. Somehow the attacker
> still needs to communicate with a backdoor planted in this host. Use a
> reverse shell and job done, you might say.
> Actually, there is another way which I thought would be more creative
> (IMHO).
>
> It works like this: the backdoor enables logging in the host-level
> firewall for all dropped packets, say Windows XP SP2 Firewall. Then the
> backdoor receives commands from the attacker by interpreting the
> properties of the dropped packets which were logged by the firewall. In
> other words, the backdoor is constantly reading the logs and parsing
> commands which were sent by the attacker embedded in packets which are
> being dropped (but logged) by the firewall.
>
> attacker sends packets -> packets are dropped by firewall -> packets
> properties are captured in logs -> backdoor reads logs and finds
> encoded commands -> commands are executed
>
> Now, the way the backdoor would reply back to the victim is really
> up to you. One method that comes to my mind is by posting the responses
> to a PHP script which is located in some free-hosting webpage. The
> attacker would then access this webpage.
>
> Please, if you know anything related to backdoors intercepting commands
> from log files, send me some links. Ideas, comments and flames are more
> than welcome :-) .
>
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com <http://www.adrianpv.com>
> www.ikwt.com <http://www.ikwt.com> (In Knowledge We Trust)
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
_____________________________________________________
~ DI (FH) Bernhard Mueller
~ IT Security Consultant
~ SEC-Consult Unternehmensberatung GmbH
~ www.sec-consult.com
~ A-1080 Wien Blindengasse 3
~ Tel: +43/676/840301718
~ Fax: +43/(0)1/4090307-590
______________________________________________________
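The "noisy" point in the reply above is also what makes this channel detectable from the defender's side: the very log the backdoor reads is evidence. The following is an added example, not code from either poster, showing a small detector that parses a Windows XP SP2 firewall log (pfirewall.log) and flags sources whose inbound dropped packets arrive in repeated bursts to non-sequential ports, which is what "packet properties carrying structure" looks like in contrast to an ordinary port sweep. It assumes the W3C-style field layout declared in the log's own `#Fields:` header; the sample log lines, IP addresses and port values are constructed, and the thresholds are illustrative tuning knobs.

```python
"""Flag sources whose dropped-packet pattern looks like a structured channel
rather than plain scanning noise, by parsing Windows Firewall drop logs.

Added example (not from the original thread). The log layout is taken from
the '#Fields:' header of a Windows XP SP2 pfirewall.log; sample data is
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class DropRecord:
    ts: datetime
    src_ip: str
    dst_port: int
    protocol: str


def parse_firewall_log(text):
    """Return DropRecords for inbound (path=RECEIVE) DROP lines.

    Field names are read from the '#Fields:' header, so a changed layout is
    detected instead of silently mis-parsed."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than crash
        row = dict(zip(fields, parts))
        if row["action"] != "DROP" or row.get("path") != "RECEIVE":
            continue
        if row["dst-port"] == "-":
            continue  # ICMP and similar records carry no port
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(DropRecord(ts, row["src-ip"], int(row["dst-port"]), row["protocol"]))
    return records


def sequential_fraction(ports):
    """Fraction of consecutive steps that advance by exactly +1 (a sweep)."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def count_bursts(timestamps, gap_seconds=30):
    """Number of activity bursts, split wherever the inter-packet gap exceeds gap_seconds."""
    bursts = 1
    for a, b in zip(timestamps, timestamps[1:]):
        if (b - a).total_seconds() > gap_seconds:
            bursts += 1
    return bursts


def find_suspicious_sources(records, min_packets=8, max_sequential=0.5, min_bursts=2):
    """Per source: enough dropped packets, ports not a simple sweep, repeated bursts."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src_ip].append(r)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        if len(recs) < min_packets:
            continue
        ports = [r.dst_port for r in recs]
        seq = sequential_fraction(ports)
        bursts = count_bursts([r.ts for r in recs])
        if seq <= max_sequential and bursts >= min_bursts:
            findings[src] = {"packets": len(recs), "distinct_ports": len(set(ports)),
                             "sequential_fraction": round(seq, 2), "bursts": bursts}
    return findings


# Constructed sample log in the pfirewall.log layout (header copied from the
# XP SP2 format; every data line below is made up).
HEADER = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path"""


def _drop_line(hhmmss, src, dst_port):
    # One constructed inbound DROP TCP SYN record in the layout declared above.
    return f"2005-10-06 {hhmmss} DROP TCP {src} 10.0.0.5 40000 {dst_port} 48 S 1 0 8192 - - - RECEIVE"


def build_sample_log():
    lines = [HEADER]
    # Source A: a plain sweep of ports 20..35, one packet per second (scan-like).
    lines += [_drop_line(f"13:30:{s:02d}", "198.51.100.7", 20 + s) for s in range(16)]
    # Source B: two short bursts five minutes apart, non-sequential ports (channel-like).
    for s, p in enumerate([8104, 8051, 8120, 8117, 8099]):
        lines.append(_drop_line(f"13:35:{s:02d}", "192.0.2.10", p))
    for s, p in enumerate([8112, 8104, 8051, 8116, 8101]):
        lines.append(_drop_line(f"13:40:{s:02d}", "192.0.2.10", p))
    # An ICMP record without ports, to show that it is skipped.
    lines.append("2005-10-06 13:41:00 DROP ICMP 203.0.113.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in find_suspicious_sources(parse_firewall_log(build_sample_log())).items():
        print(src, info)
```

Only the bursty, non-sequential source is reported; the sequential sweep is left for the ordinary scan-detection rules. The heuristic is deliberately simple and will need tuning per environment, and it is only half the picture: on the host itself, the process that opens pfirewall.log for reading is the other artefact worth alerting on, since nothing but log-shipping and administrative tooling should normally touch it.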