1 Network Covert Channels Evgeny Pinchuk Radware SOC Team
2 Agenda What are covert channels? Importance of network covert channels Techniques examples Available technology Counter measures
3 Introduction The need for secrecy Encryption is good only for making data hard to read rather than hiding it We can hide information inside channels which assumed as different data representation Covert channels allow us transporting unnoticed information which makes it hard to be detected by programmed tools.
4 Common Covert Channels Steganography –Pictures, Audio, Binary files Network –Various protocols (i.e. IP, TCP, DNS…) Text –Words, characters substitution File Systems –Hidden files, ADS Appending Data –EOF, Headers, Footers
5 Successful covert channels The packet which contains covert data should look like a regular packet Choosing the wrong fields in the packet will make traffic look anomalous Choosing a protocol which is common to the specific network environment will aid to covertness of the information Bounced traffic will make harder tracing you back
6 IP Header
7 Suitable fields in IP Header Identification field (Can be changed on some firewalls) Source address (if the data will flow only one way) IP options (in certain environments) PoC: By Joanna Rutkowska
10 Bounced Sequence Host A sends SYN packet to : Sequence number - 0x47B8649B Acknowledge number Source address – Host B receives SYN+ACK packet from : Sequence number – X Acknowledge number – 0x47B8649C Destination address –
11 Bounced Sequence - Results We succeed receiving the encoded sequence number + 1 through 3 rd party server On the 3 rd party server our request looks like a legitimate connection request If someone will try to analyze traffic on Host B, he’ll see low bandwidth reflection denial of service attack
12 Direct transition through TCP Header Good covert places: Window field Sequence numbers Acknowledge numbers Source/Destination ports Urgent pointer (looks anomalous though!) TCP Options (i.e. time stamps)
13 UDP Header
14 UDP Header advantages Advantages: Connectionless 3 out of 4 fields are suitable for covert channels Can be bounced Disadvantages: Unreliable!!!
16 Bounced UDP message Host A send UDP packet to some port on : Source address (Host B) Source port - 0x47B8 Checksum - 0x649B Host B receives ICMP Port Unreachable message from host with the original UDP packet in which source port and checksum contain our covert data.
17 Bounced UDP message - Results We succeed in receiving the data we encoded through a different protocol!!! We two fields to hide our data (we could use more but it would look anomalous) We successfully bounced through a 3 rd party server
18 ICMP Header There isn’t much you could do with ICMP header fields. People prefer to use the fields of different ICMP messages types
19 Application Layer We cannot do bounced covert channel on TCP protocol due to the demand of 3-way handshake For bounced covert channels we can only use UDP protocol Not all the software providers follow are RFC compliant; hence some of the applications are unreliable for covert channels Numerous protocols available Most popular layer for covert channels today
20 Bouncing through SIP We are sending UDP message with spoofed source IP address to some SIP server: INVITE SIP/2.0 Via: SIP/2.0/UDP :666;branch=z9hG4bK776asdhds Max-Forwards: 70 To: Bob From: Alice ;tag= Call-ID: CSeq: INVITE Contact: Content-Type: application/sdp Content-Length: 142 The reply will be directed to Host B With the sequence number we encoded
21 Available Technology for Application Layer CCTT by Gray World - world.net/pr_cctt.shtmlhttp://www.gray- world.net/pr_cctt.shtml MSNShell by Wei Zheng - zheng.3322.org/msnshell/http://wei- zheng.3322.org/msnshell/ IP-over-DNS -
22 Counter measures Header fields re-writing (where it’s possible) Protocol anomaly detection Understanding how covert channels work Analyzing the randomness of numbers in header fields
23 The End Questions?
24 Contact Information Evgeny Pinchuk
25 References Covert Channels in the TCP/IP Protocol Suite by Craig H. Rowland - Covert Channels – Towards a Qual Project by Rachel Greenstadt - Cover Channels Analysis and Data Hiding in TCP/IP by Kamran Ahsan -