This post is to try outline the concept of what a covert channel is by carrying out a simple demo.
What is a Covert Channel?
A covert channel is described as: “any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy.” Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.
“Communication path not intended as such by system’s designers”
In the case of TCP/IP, there are a number of methods available whereby covert channels can be established and data can be surreptitiously passed between hosts.
If an attacker gains access infects the system, covered their tracks the attacker still needs to communicate out.
Covert_TCP 1.0 – Covert Channel File Transfer for Linux
Written by Craig H. Rowland (email@example.com)
Covert_TCP uses extra space in a TCP or IP header. Program a hacker uses to send a file through a firewall one byte at a time by hiding the data in the IP header.
The tools description of itself:
‘This program manipulates the TCP/IP header to transfer a file one byte at a time to a destination host. This progam can act as a server and a client and can be used to conceal transmission of data inside the IP header. This is useful for bypassing firewalls from the inside, and for exporting data with innocuous looking packets that contain no data for sniffers to analyze. In other words, spy stuff.’
Open 3 terminals, the sender, the receiver and the listener.
In 1 create a send directory within tmp and then a file called send.txt.
echo "Hello" > send.txt
In another terminal create a receive directory within tmp.
Within the receive directory (cd /tmp/receive) run the following command:
It will direct the listener to wait for the coming TCP from port 9999 going to port 8888.
/home/tools/convert_tcp -dest 127.0.0.1 -source 127.0.0.1 -source_port 8888 -dest_port 9999 -server -file /tmp/receive/receive.txt
Within the send directory (cd /tmp/send) run the following command:
/home/tools/convert_tcp -dest 127.0.0.1 -source 127.0.0.1 -source_port 9999 -dest_port 8888 -file /tmp/send/send.txt
The 3rd terminal will be used to sniff the traffic been sent across using tcpdump.
tcpdump -nvvX port 8888 -i lo
Navigate to the receive folder upon completion to verify that it now contains the send.txt file with its content and renamed it to receive.tx as stated in our command.