Presentation is loading. Please wait.

Presentation is loading. Please wait.

Covert Communications Simple Nomad DC214 - 11Feb2004.

Published byGeorgina Tate Modified over 9 years ago

Similar presentations

Presentation on theme: "Covert Communications Simple Nomad DC214 - 11Feb2004."— Presentation transcript:

1 Covert Communications Simple Nomad DC214 - 11Feb2004

2 Covert Communications What is it Why use it

3 Methods Hide data in normal transmission –Main disadvantage is it is obvious there is some communication between two parties Hide data as well as transmission –While you can forge IP addresses, this makes data retrieval very hard

4 Within Normal Transmission Email, Http –Steganography (Outguess, etc) for attachments, e.g. “My Vacation Pictures!” –Alternate usage of headers, e.g. Message- Id GPG doesn’t count –Obvious you are hiding something (unless that signature is not really a signature at all)

5 Within Hidden Transmission (sort of) Loki –Data hidden inside ICMP traffic, limited forging capabilities Stegtunnel –Data completely hidden in IP ID field –Packet forgery possible, but limited

6 Goals for Ncovert/Ncovert2 Project Defeat network forensics –Data is masked inside another form of communication –Anonymous sender and receiver Simple and clean install/compile (no extra libraries) Leverage existing technology

7 Ncovert – Overview Freeware No extra libraries required, uses standard C Uses Initial Sequence Number (ISN) as the data field Anonymous sending Can bypass most firewalls

8 Ncovert – How it works Sender sends SYN packet with data in ISN to public server, forges source IP as receiver’s IP Public server receives SYN, sends SYN/ACK to receiver’s machine Receiver’s machine sniffs packet and gets data, the OS sends a RST to public server Repeated until all data is sent

9 Ncovert – Pros and Cons Pro –Anonymous sending –If sniffing in path to forged source IP, anonymous receiving –“Bouncing” of data is possible –Careful planning can bypass most firewall rules Con –Slow, as reliable as UDP –Plaintext transmission, must encrypt data first (GPG, Ncrypt, etc) –File transfers only

10 Ncovert2 – Overview Freeware No extra libraries required, uses standard C Looks like ordinary port scan Anonymous sending, psuedo- anonymous receiving

11 Ncovert2 – How it works, pt.1 Sender and receiver agree on shared secret, turned into SHA-1 Sender generates random session key, and creates IP ID and source port from SHA-1 and session key Sender XORs file size and session key to create ISN First packet sent to port 80 with session key in IP ID and source port, file size in ISN

12 Ncovert2 – How it works, pt.2 Receiver sniffs for packet for destination address with destination port of 80 Receiver extracts session key from IP ID and source port using SHA-1 hash Receiver extracts file size from ISN using session key Sender and receiver generate session hash from session key and SHA-1 password hash, for creating predictable source ports

13 Ncovert2 – How it works, pt.3 Sender XORs data with previous ISN and session hash to create new ISN, creates a packet with a random IP ID, the “predictable” source port, and new ISN, and sends the packet Sender also sends decoy packets as well Destination ports on legit and decoy packets randomly use 1-65535, repeating as needed Receiver sniffs packets, ignores packets without “predictable” destination ports, uses previous ISN and session hash to extract data

14 Ncovert2 – How it works, pt.4 Packets sent until all data is transmitted Source address is only required on the first packet, so source addresses can be changed to something “random”, including decoy packets Transmission should look like a TCP ping to port 80 followed by a full port scan, with random source addresses

15 Ncovert2 – Pros Anonymous sending If sniffing in path to forged destination IP, anonymous receiving Multiple triggers means decoy packets can be sent Random source addresses after first packet

16 Ncovert2 - Cons File transfers only, and really good for only small files “Randomness” of ISNs and IP IDs in question File size can be brute forced, which could lead to session key recovery Known plaintext attack if file type is known Firewalls and NAT could break functionality if source port is rewritten

17 Q & A …and yes, they are watching…

18 Fin http://www.nmrc.org/~thegnome/ncovert-1.1.tgz http://www.nmrc.org/~thegnome/ncovert2-1.1.tgz http://www.nmrc.org/~thegnome/dc214-2004.ppt thegnome@nmrc.org

Download ppt "Covert Communications Simple Nomad DC214 - 11Feb2004."

Similar presentations

Covering Your Tracks: Ncrypt and Ncovert Simple Nomad Hacker – NMRC Sr. Security Analyst - BindView Simple Nomad Hacker – NMRC Sr. Security Analyst - BindView.

Covering Your Tracks: Ncrypt and Ncovert Simple Nomad Hacker – NMRC Sr. Security Analyst - BindView Simple Nomad Hacker – NMRC Sr. Security Analyst - BindView.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.

CPS 290 Computer Security Network Tools Cryptography Basics CPS 290Page 1.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)

TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
1 Comnet 2010 Communication Networks Recitation 11 Security.

1 Comnet 2010 Communication Networks Recitation 11 Security.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Internet Technology: A Sampler Ramesh Johari Massachusetts Institute of Technology

Internet Technology: A Sampler Ramesh Johari Massachusetts Institute of Technology
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google