CS38, Security and Privacy, Spring 2005


Creative use of ICMP, TCP and DNS/UDP protocols for communicating in a restricted environment. These tools are well-known, so such communication channels are pretty much "overt" by now.

  • Covert channels in the TCP/IP protocol suite, Craig Rowland
    http://www.firstmonday.org/issues/issue2_5/rowland/
    An overview of basic TCP/IP information hiding. Not very deep, but gives the general idea. Stegtunnel below implements a combination of the described methods.

  • Project Loki
    http://www.phrack.org/show.php?p=51&a=6
    See also http://www.phrack.org/show.php?p=49&a=6, the original proposal. Besides being an interesting network hack, Loki uses non-trivial cryptography. This is an old project and may be hard to set up.

  • Ping tunnel, Daniel Stødle
    http://www.cs.uit.no/~daniels/PingTunnel/  [local PingTunnel-0.60.tar.gz]
    A more modern ICMP tunnel, with a nice explanation of the underlying networking principles.

  • Black Ops of DNS, Dan Kaminsky
    http://www.doxpara.com/dns_bh/Black_Ops_DNS_BH_files/v3_document.htm
    Dan Kaminsky is a popular speaker at Defcon (you have to stand in line for his talk). This presentation was about using a DNS server for transmitting streams of data (including audio). Since most firewalls permit outgoing DNS, attackers have been actively using it in the wild as a covert control channel.

  • Stegtunnel, SYN ACK Labs
    http://www.synacklabs.net/projects/stegtunnel/  [local http://www.synacklabs.net/projects/stegtunnel/stegtunnel-0.4.tar.gz]
    Stegtunnel hides information in the crafted IP ID field of IP packet headers and in TCP ACK number fields. It demonstrates the use of the libdnet packet crafting library.


    Sergey Bratus