bit noisy I think

-----Original Message-----
From: "PASTOR ADRIAN" <[EMAIL PROTECTED]>
To: <[email protected]>
Date: Thu, 6 Oct 2005 10:06:24 +0100
Subject: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

> Sometime ago I thought of the following idea for a covert channel. Although
> the idea of covert channels is *not* new at all, I couldn't find anything in
> Google related to the following method of implementing a covert channel.
>
> The scenario is the following. The victim is a host with a host-level
> firewall which is blocking *all* incoming traffic. Somehow the attacker still
> needs to communicate with a backdoor planted in this host. Use a reverse
> shell and job done, you might say.
>
> Actually, there is another way which I thought would be more creative (IMHO).
>
> It works like this: the backdoor enables logging in the host-level firewall
> for all dropped packets, say Windows XP SP2 Firewall. Then the backdoor
> receives commands from the attacker by interpreting the properties of the
> dropped packets which were logged by the firewall. In other words, the
> backdoor is constantly reading the logs and parsing commands which were sent
> by the attacker embedded in packets which are being dropped (but logged) by
> the firewall.
>
> attacker sends packets -> packets are dropped by firewall -> packets
> properties are captured in logs -> backdoor reads logs and finds encoded
> commands -> commands are executed
>
> Now, for the way the backdoor would reply back to the victim is really up to
> you. One method that comes to my mind is by posting the responses to a PHP
> script which is located in some free-hosting webpage. The attacker would then
> access this webpage.
>
> Please, if you know anything related to backdoors intercepting commands from
> log files send me some links. Ideas, comments and flames are more than
> welcome :-) .
>
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com
> www.ikwt.com (In Knowledge We Trust)
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
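The channel proposed in the quoted message leaves a trace that the defender already owns: the firewall log itself. Packets carrying smuggled data differ from ordinary background drops (repeated NetBIOS broadcasts, a single blocked probe) in that one source produces a burst of drops whose header fields keep changing. The detector below is an added example written for this thread, not code from the original poster. It parses a Windows Firewall W3C-style log (the `#Fields:` header format is assumed to match the real `pfirewall.log`; column names are read from the header, so the parser adapts to any column order), groups dropped packets by source address within a sliding window, and flags sources whose (dst-port, size) combinations show high entropy. The sample log lines, thresholds and source addresses are constructed for the example. Port scans trip the same check, which is acceptable from a defender's view: both warrant a look.

```python
"""Flag bursts of logged-but-dropped packets whose header fields vary too much
to be ordinary noise. Added example; not code from the Full-Disclosure thread."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Windows XP SP2 firewall log layout (assumed format).
# 10.0.0.7 is benign NetBIOS chatter, 198.51.100.4 a single probe, 203.0.113.9
# a burst whose dst-port and size change on every packet.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-10-06 10:06:00 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:05 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:10 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:15 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:20 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:22 DROP TCP 198.51.100.4 10.0.0.5 51000 445 48 S 5000 0 65535 - - - RECEIVE
2005-10-06 10:06:24 DROP TCP 203.0.113.9 10.0.0.5 40001 4321 40 S 1000 0 8192 - - - RECEIVE
2005-10-06 10:06:25 DROP TCP 203.0.113.9 10.0.0.5 40002 4322 41 S 1001 0 8192 - - - RECEIVE
2005-10-06 10:06:26 DROP TCP 203.0.113.9 10.0.0.5 40003 4323 42 S 1002 0 8192 - - - RECEIVE
2005-10-06 10:06:27 DROP TCP 203.0.113.9 10.0.0.5 40004 4324 43 S 1003 0 8192 - - - RECEIVE
2005-10-06 10:06:28 DROP TCP 203.0.113.9 10.0.0.5 40005 4325 44 S 1004 0 8192 - - - RECEIVE
2005-10-06 10:06:29 DROP TCP 203.0.113.9 10.0.0.5 40006 4326 45 S 1005 0 8192 - - - RECEIVE
2005-10-06 10:06:30 DROP TCP 203.0.113.9 10.0.0.5 40007 4327 46 S 1006 0 8192 - - - RECEIVE
2005-10-06 10:06:31 DROP TCP 203.0.113.9 10.0.0.5 40008 4328 47 S 1007 0 8192 - - - RECEIVE
2005-10-06 10:06:32 DROP TCP 203.0.113.9 10.0.0.5 40009 4329 48 S 1008 0 8192 - - - RECEIVE
2005-10-06 10:06:33 DROP TCP 203.0.113.9 10.0.0.5 40010 4330 49 S 1009 0 8192 - - - RECEIVE
2005-10-06 10:06:25 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:30 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:35 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:40 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:45 DROP UDP 10.0.0.7 10.0.0.255 137 137 78 - - - - - - - RECEIVE
"""


def parse_w3c_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip, do not crash
        yield dict(zip(fields, values))


def shannon_entropy(values):
    """Entropy in bits of the value distribution; 0 means all values identical."""
    counts = defaultdict(int)
    for v in values:
        counts[v] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_sources(text, window_seconds=60, min_drops=8, min_entropy=2.5):
    """Return {src-ip: {"drops": n, "entropy": bits}} for sources that, within one
    window, produced at least min_drops dropped packets whose (dst-port, size)
    pairs vary with entropy >= min_entropy. Thresholds are constructed defaults."""
    by_src = defaultdict(list)
    for row in parse_w3c_log(text):
        if row.get("action") != "DROP":
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        by_src[row["src-ip"]].append((ts, row["dst-port"], row["size"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while events[end][0] - events[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = events[start:end + 1]
            if len(window) < min_drops:
                continue
            ent = shannon_entropy([(port, size) for _, port, size in window])
            if ent >= min_entropy:
                flagged[src] = {"drops": len(window), "entropy": round(ent, 2)}
                break  # first qualifying window is enough to report this source
    return flagged


if __name__ == "__main__":
    for src, stats in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {stats['drops']} drops, entropy {stats['entropy']} bits")
```

The benign NetBIOS source repeats the same port and size and scores 0 bits; the single probe never reaches `min_drops`; the varying burst is reported as soon as eight drops with eight distinct (port, size) pairs fall inside the window. Pair this with file-access auditing on the log itself, since a process other than the firewall service reading `pfirewall.log` is the other half of the pattern the message describes.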
