
Covert Communications Simple Nomad DC214 - 11Feb2004.


1 Covert Communications Simple Nomad DC214 - 11Feb2004

2 Covert Communications
What is it
Why use it

3 Methods
Hide data in normal transmission
– Main disadvantage: it is obvious that some communication is taking place between the two parties
Hide the data as well as the transmission
– While you can forge IP addresses, this makes data retrieval very hard

4 Within Normal Transmission
Email, HTTP
– Steganography (Outguess, etc.) for attachments, e.g. “My Vacation Pictures!”
– Alternate usage of headers, e.g. Message-Id
GPG doesn’t count
– It is obvious you are hiding something (unless that signature is not really a signature at all)

5 Within Hidden Transmission (sort of)
Loki
– Data hidden inside ICMP traffic, limited forging capabilities
Stegtunnel
– Data completely hidden in the IP ID field
– Packet forgery possible, but limited

6 Goals for the Ncovert/Ncovert2 Project
Defeat network forensics
– Data is masked inside another form of communication
– Anonymous sender and receiver
Simple and clean install/compile (no extra libraries)
Leverage existing technology

7 Ncovert – Overview
Freeware
No extra libraries required, uses standard C
Uses the TCP Initial Sequence Number (ISN) as the data field
Anonymous sending
Can bypass most firewalls

8 Ncovert – How it works
Sender sends a SYN packet with the data in the ISN to a public server, forging the source IP as the receiver’s IP
Public server receives the SYN and sends a SYN/ACK to the receiver’s machine (the SYN/ACK’s acknowledgement number is the forged ISN + 1, so the data rides back in the reply)
Receiver’s machine sniffs the packet and gets the data; the OS sends a RST to the public server
Repeated until all data is sent

9 Ncovert – Pros and Cons
Pro
– Anonymous sending
– If sniffing in the path to the forged source IP, anonymous receiving
– “Bouncing” of data is possible
– Careful planning can bypass most firewall rules
Con
– Slow, and no more reliable than UDP (nothing is acknowledged, so a lost packet is lost data)
– Plaintext transmission, must encrypt the data first (GPG, Ncrypt, etc.)
– File transfers only
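The bounce on slide 8 and the reliability con on slide 9, as an added example that is not Ncovert’s own code: four bytes of payload per forged SYN, read back by the receiver from the public server’s SYN/ACK. Packets are plain dicts and nothing touches a socket; the zero-padding of the last word, the port numbers and the addresses are assumptions made for the example.

```python
"""Toy model of the Ncovert bounce: the file is sent as ISNs in forged SYNs,
the public server's SYN/ACK acknowledges ISN + 1, the receiver undoes the +1.
Constructed for this page, not Ncovert's own code."""
import struct

MASK32 = 0xFFFFFFFF


def chunk_words(data: bytes) -> list:
    """Split the file into 32-bit words (one ISN each); zero-pad the tail
    (assumed framing, the slides do not say how Ncovert marks the end)."""
    padded = data + b"\x00" * (-len(data) % 4)
    return [struct.unpack("!I", padded[i:i + 4])[0]
            for i in range(0, len(padded), 4)]


def sender_syns(data: bytes, receiver_ip: str, server_ip: str) -> list:
    """Sender: one SYN per word.  The word *is* the ISN, and the source IP is
    forged as the receiver's, so the server answers the receiver, not us."""
    return [{"src": receiver_ip, "dst": server_ip, "sport": 40000 + i,
             "dport": 80, "flags": "S", "seq": word}
            for i, word in enumerate(chunk_words(data))]


def public_server(syn: dict) -> dict:
    """What any listening TCP stack does with a SYN: reply with a SYN/ACK
    whose acknowledgement number is the client's ISN + 1, modulo 2^32."""
    return {"src": syn["dst"], "dst": syn["src"], "sport": syn["dport"],
            "dport": syn["sport"], "flags": "SA",
            "ack": (syn["seq"] + 1) & MASK32}


def receiver_sniff(wire: list, my_ip: str, server_ip: str) -> bytes:
    """Receiver: passively watch for SYN/ACKs from the server to our address
    and subtract 1 mod 2^32 (an ISN of 0xFFFFFFFF comes back as ack 0 and
    still decodes).  The receiver's OS answers each with a RST; nothing is
    acknowledged, so a SYN/ACK the path loses is simply a missing word."""
    words = [(p["ack"] - 1) & MASK32 for p in wire
             if p["dst"] == my_ip and p["src"] == server_ip and p["flags"] == "SA"]
    return b"".join(struct.pack("!I", w) for w in words)


def run_transfer(data: bytes, drop=frozenset()) -> bytes:
    """Drive one transfer end to end.  `drop` holds indices of SYN/ACKs the
    path loses, to show the 'as reliable as UDP' con."""
    receiver, server = "198.51.100.7", "203.0.113.80"   # RFC 5737 documentation addresses
    wire = []
    for i, syn in enumerate(sender_syns(data, receiver, server)):
        synack = public_server(syn)
        if i not in drop:
            wire.append(synack)
    return receiver_sniff(wire, receiver, server)


if __name__ == "__main__":
    print(run_transfer(b"hello covert world"))
    print(run_transfer(b"hello covert world", drop={1}))
```

The receiver never sends anything itself, which is the whole point: on the wire it is the public server that talks to it, and the only trace of the real sender is a SYN that carried a forged source. The lossy run shows why encryption has to be layered on top and why the sender gets no feedback about delivery.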

10 Ncovert2 – Overview
Freeware
No extra libraries required, uses standard C
Looks like an ordinary port scan
Anonymous sending, pseudo-anonymous receiving

11 Ncovert2 – How it works, pt.1
Sender and receiver agree on a shared secret, which is turned into a SHA-1 hash
Sender generates a random session key, and creates the IP ID and source port from the SHA-1 hash and the session key
Sender XORs the file size with the session key to create the ISN
First packet is sent to port 80 with the session key in the IP ID and source port, and the file size in the ISN

12 Ncovert2 – How it works, pt.2
Receiver sniffs for a packet to the destination address with destination port 80
Receiver extracts the session key from the IP ID and source port using the SHA-1 hash
Receiver extracts the file size from the ISN using the session key
Sender and receiver generate a session hash from the session key and the SHA-1 password hash, used to create predictable source ports

13 Ncovert2 – How it works, pt.3
Sender XORs the data with the previous ISN and the session hash to create the new ISN, builds a packet with a random IP ID, the “predictable” source port and the new ISN, and sends it
Sender also sends decoy packets
Destination ports on legit and decoy packets are chosen randomly from 1-65535, repeating as needed
Receiver sniffs packets, ignores those without the “predictable” source port, and uses the previous ISN and the session hash to extract the data

14 Ncovert2 – How it works, pt.4
Packets are sent until all data is transmitted
The source address is only required on the first packet, so source addresses can be changed to something “random”, including on decoy packets
The transmission should look like a TCP ping to port 80 followed by a full port scan, with random source addresses

15 Ncovert2 – Pros
Anonymous sending
If sniffing in the path to the forged destination IP, anonymous receiving
Multiple triggers mean decoy packets can be sent
Random source addresses after the first packet

16 Ncovert2 – Cons
File transfers only, and really only good for small files
“Randomness” of ISNs and IP IDs in question
File size can be brute forced, which could lead to session key recovery (the first ISN is file size XOR session key, so each guessed size yields a candidate key)
Known plaintext attack if the file type is known
Firewalls and NAT could break functionality if the source port is rewritten
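The framing of slides 11-14 and the file-size brute force and known-plaintext cons of slide 16, as one added example that is not Ncovert2’s own code. The slides say which fields carry what, but not the exact byte layout, so the derivations here (which SHA-1 bytes mask the session key, how the session hash and the predictable ports are computed, the decoy count) are assumptions made for the example; the shared secret, key and addresses are constructed.

```python
"""Toy model of Ncovert2: trigger packet to port 80, data words chained
through the ISN, decoys, and two observer-side attacks.  Constructed for
this page; byte layout and KDF are assumed, not Ncovert2's code."""
import hashlib
import os
import random
import struct


def u16(b: bytes) -> int:
    return struct.unpack("!H", b)[0]


def u32(b: bytes) -> int:
    return struct.unpack("!I", b)[0]


def session_state(secret: bytes, key: int):
    """Assumed KDF: h = SHA-1(shared secret); s = SHA-1(key || h).  The first
    word of s masks the ISN chain and s seeds the predictable source ports."""
    h = hashlib.sha1(secret).digest()
    s = hashlib.sha1(struct.pack("!I", key) + h).digest()
    return h, s


def port_for(s: bytes, n: int) -> int:
    """Predictable source port for data packet n, in 1..65535 (assumed)."""
    return u16(hashlib.sha1(s + struct.pack("!I", n)).digest()[:2]) % 65535 + 1


def rnd_ip(rng) -> str:
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def encode(secret, data, first_src, dst_ip, decoys=3, key=None, rng=None):
    """Sender (pt.1, pt.3): trigger packet, then one data packet per 32-bit
    word, each followed by `decoys` decoy packets with random everything."""
    rng = rng or random.Random(1)               # seeded only to keep the demo reproducible
    key = u32(os.urandom(4)) if key is None else key
    h, s = session_state(secret, key)
    mask = u32(s[:4])
    pkts = [{"src": first_src, "dst": dst_ip, "dport": 80,
             "ipid": (key >> 16) ^ u16(h[:2]),        # session key hidden under the secret hash
             "sport": (key & 0xFFFF) ^ u16(h[2:4]),
             "isn": len(data) ^ key}]                  # file size XOR session key
    prev = pkts[0]["isn"]
    padded = data + b"\x00" * (-len(data) % 4)
    for n in range(1, len(padded) // 4 + 1):
        isn = u32(padded[4 * n - 4:4 * n]) ^ prev ^ mask   # data ^ previous ISN ^ session hash
        pkts.append({"src": rnd_ip(rng), "dst": dst_ip, "ipid": rng.randrange(65536),
                     "sport": port_for(s, n), "dport": rng.randrange(1, 65536), "isn": isn})
        prev = isn
        nxt = port_for(s, n + 1)   # sender knows the schedule: decoys must not hit the next port
        for _ in range(decoys):
            sp = rng.randrange(1, 65536)
            pkts.append({"src": rnd_ip(rng), "dst": dst_ip, "ipid": rng.randrange(65536),
                         "sport": sp if sp != nxt else nxt % 65535 + 1,
                         "dport": rng.randrange(1, 65536), "isn": rng.randrange(1 << 32)})
    return pkts


def decode(secret, pkts, dst_ip) -> bytes:
    """Receiver (pt.2, pt.3): find the port-80 trigger, recover key and size,
    then accept only packets whose source port is the next predicted one."""
    h = hashlib.sha1(secret).digest()
    it = iter(p for p in pkts if p["dst"] == dst_ip)
    first = next(p for p in it if p["dport"] == 80)
    key = ((first["ipid"] ^ u16(h[:2])) << 16) | (first["sport"] ^ u16(h[2:4]))
    size = first["isn"] ^ key
    _, s = session_state(secret, key)
    mask, prev, out, n = u32(s[:4]), first["isn"], b"", 1
    for p in it:
        if len(out) >= size:
            break
        if p["sport"] != port_for(s, n):
            continue                             # decoy, or somebody else's scan
        out += struct.pack("!I", p["isn"] ^ prev ^ mask)
        prev, n = p["isn"], n + 1
    return out[:size]


def size_brute_force(pkts, max_size: int) -> set:
    """Slide 16: the trigger ISN is size ^ key, so every guessed size gives a
    candidate session key; a small file leaves only a handful to try."""
    first = next(p for p in pkts if p["dport"] == 80)
    return {first["isn"] ^ n for n in range(1, max_size + 1)}


def known_plaintext_attack(pkts, known8: bytes):
    """Slide 16: an observer without the secret who knows the file's first 8
    bytes (a file-type magic) tries every ordered pair of non-trigger packets;
    the pair whose ISNs chain correctly yields the session-hash mask word and
    singles out the real first two data packets among the decoys."""
    first = next(p for p in pkts if p["dport"] == 80)
    rest = [p for p in pkts if p is not first]
    w1, w2 = u32(known8[:4]), u32(known8[4:8])
    for a in range(len(rest)):
        mask = rest[a]["isn"] ^ first["isn"] ^ w1
        for b in range(a + 1, len(rest)):
            if rest[b]["isn"] ^ rest[a]["isn"] ^ mask == w2:
                return mask, rest[a], rest[b]
    return None
```

Run it with a PNG-style 8-byte magic at the start of the payload and the known-plaintext search returns the mask word and the two genuine data packets on the first match; everything after that in the chain is one XOR away once the observer can tell legit packets from decoys. The receiver side shows why the slides call the receiving only pseudo-anonymous: it has to sit where it can sniff traffic to the forged destination, and its filter is nothing more than a port schedule that the sender can also reproduce.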

17 Q & A
…and yes, they are watching…

18 Fin
http://www.nmrc.org/~thegnome/ncovert-1.1.tgz
http://www.nmrc.org/~thegnome/ncovert2-1.1.tgz
http://www.nmrc.org/~thegnome/dc214-2004.ppt
thegnome@nmrc.org
