Information Technology Reference
In-Depth Information
data by listening to port 80 with a daemon that can distinguish the covert channel
packets from regular HTTP requests, decode the former and send the latter to the
Web server.
The method is fairly robust and easy to implement, but we can see that it is also
fragile and vulnerable to failure if there is a firewall or a natting machine in place
between the two hosts. In that case the IP header could be altered with a resulting
loss of data. In addition this system can easily be detected because the ID field values
are not randomly calculated but pre-determinable.
5.2.3
Initial Sequence Number Method
In the TCP protocol the ISN value guarantees flow reliability and control. Every
byte transmitted by the TCP stream has an 'assigned' sequence number. Each con-
nection (defined as a pair of sockets in communication) can be used for several flows
and the stronger the ISN calculation algorithm the more streams are available. At the
moment of connection the client host must determine the ISN value and launch the
so-called “three-way handshake.”
The ISN field is ideal for transmitting clandestine information because of its size
(32 bit). We can exploit this field in a similar way to the example given above. An
ISN value is generated from the ASCII character that we wish to code and transmit.
The packet with just the SYN flag active is the one that contains the coded data. The
recipient only has to read the ISN value and, in the following example, divide this by
65 536
∗
256
=
167 77 216. Below is an example showing transmission of the string
“MICKEY.”
Ascii('M') = 77
Ascii('I') = 73
Ascii('C') = 67
Ascii('K') = 75
Ascii('E') = 69
Ascii('Y') = 89
12:11:56.043339 foo.bar.com.57645 > test.bar.com.ssh: S
1300938487:1300938487(0)
Decoding: ... 1300938487 / 16777216 = 77 = 'M'
12:11:57.043339 foo.bar.com.46235 > test.bar.com.ssh: S
1235037038:1235037038(0)
Decoding: ... 1235037038 / 16777216 = 73 = 'I'
12:11:58.043339 foo.bar.com.46235 > test.bar.com.ssh: S
1140809246:1140809246(0)
Decoding: ... 1140809246 / 16777216 = 73 = 'C'
and so on.
