The scenario is the following. The victim is a host with a host-level
firewall which is blocking *all* incoming traffic. Somehow the attacker
still needs to communicate with a backdoor planted in this host.
Sounds to me like another variation of port knocking[1].
[1]
Some time ago I thought of the following idea for a covert channel. Although
the idea of covert channels is *not* new at all, I couldn't find anything in
Google related to the following method of implementing a covert channel.
The scenario is the following. The victim is a host with a
If you have system access, why not capture packets at kernel level,
BEFORE they reach the firewall? Your approach seems to be very noisy ;)
PASTOR ADRIAN wrote:
Some time ago I thought of the following idea for a covert channel.
It would be better to intercept packets at kernel level BEFORE they
attacker sends packets - packets are dropped by firewall - packet
properties are captured in logs - backdoor reads logs and finds
encoded commands - commands are executed
As a covert channel? .. no, it's a waste. Once you have the access to
set that up, you could establish any number of
What you describe would be a variant of 'dead-drop' covert channels.
Other examples would be:
. The use of public message boards where one program/person initiates
a connection out to the board and posts a message with particular
words/phrases/passages and another program/person scans said
Michael Holstein wrote:
attacker sends packets - packets are dropped by firewall - packet
properties are captured in logs - backdoor reads logs and finds
encoded commands - commands are executed
As a covert channel? .. no, it's a waste. Once
On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:
This type of covert channel has long been used by various governments
and organizations (think of clandestine messages being passed to or
from agents via personal ads).
There's one potentially interesting wrinkle to this scheme,
On Thu, Oct 06, 2005 at 10:06:24AM +0100, PASTOR ADRIAN wrote:
Please, if you know anything related to backdoors intercepting
commands from log files send me some links. Ideas, comments and flames
are more than welcome :-) .
I myself use this method to open up the SSH port for a
Please, if you know anything related to backdoors intercepting commands
from log files send me some links. Ideas, comments and flames are more
than welcome :-) .
Webbugs, which use unique URLs under an IMG tag, are an excellent
example of using logfiles to DO STUFF.
~Mike.
On Thu, 2005-10-06 at 16:52 -0400, Michael Holstein wrote:
Webbugs, which use unique URLs under an IMG tag, are an excellent
example of using logfiles to DO STUFF.
Except that vi, less or notepad don't import anything.
You're not looking at your log files with a web browser, are you??
-Frank
Frank Knobbe([EMAIL PROTECTED])@Thu, Oct 06, 2005 at 04:53:19PM -0500:
On Thu, 2005-10-06 at 16:52 -0400, Michael Holstein wrote:
Webbugs, which use unique URLs under an IMG tag, are an excellent
example of using logfiles to DO STUFF.
Except that vi, less or notepad don't import anything.