This paper describes an approach to Covert Channel communications in the Microsoft Windows environment, which is applicable to all versions of Windows. The goal of this approach is to bypass network firewalls, as well as personal firewalls. We achieve this by using Windows messaging to hijack and control applications that have network access; accordingly such applications are not blocked at the application level.
Sending the Information Payloads Back to the Servers
through TCP/IP Encryption without Anyone Noticing
Hammad Shah 07-0259, Raheel Maroof 07-0120, Junaid Inam 07-0180, Irum Maqsood 10-1127 Electrical Engineering Department, National University of Computer & Emerging Sciences H11/4 A.K Brohi Road, Islamabad hammad.shah@live.com, i070120@nu.edu.pk, junaidinam@hotmail.com, irum188@yahoo.com
Abstract- This paper describes an approach to covert channel communications in the Microsoft Windows environment, which is applicable to all versions of Windows. The goal of this approach is to bypass network firewalls, as well as personal firewalls. We achieve this by using Windows messaging to hijack and control applications that have network access; accordingly such applications are not blocked at the application level. The covert channel is performed by a user process (spyware) that hijacks another user process (e.g. a browser or email client). Our work is related to the Leaktest project, which analyses possible flaws in personal firewalls. However, we show how to create a concealed bidirectional channel. The presented method is difficult to prevent, as Windows does not give processes information about the source of window messages.

1. INTRODUCTION

The basic purpose of our design scenarios is to leak illegally gathered information about a user to our web servers. There are many ways to implement this, some of which we have proposed and discussed in this research paper. A simple example of this may be:

Spy program wants to get information about service program 1.
1. When a program other than the service program is running, the spy program will get 1.
2. When the spy program is running it will get 0.

Now the spy program wants to keep track of only service program 1. So it will get 0 even when service program 2 is running.
i.e.: Service program 1 running -> 1
Service program 1 not running -> 0

Information leaked:
1. Service program running: the spy program gets to know when the service program is running.
2. Information bits: the spy program accumulates these bits to get new information.

The difference between a timing channel and a storage channel is that information is passed at every time slot in a timing channel, but in the case of a storage channel information is given only when a request is made. As we can see, the same information is revealed by the timing and the storage channel, hence the two are convertible.

2. TCP/IP FRAGMENTATION

2.1 Covert Channel by Manipulating TCP Header

TCP is a connection oriented, reliable service, as compared to UDP, which is connectionless and non-reliable. The connection between different parties using TCP is established by means of a three way handshake, described as below:

Step 1: In order to establish a connection with Bob, Alice sends a packet to Bob with the Synchronize (SYN) bit set, announcing a new connection, and an Initial Sequence Number (ISN), which allows the packets sent between Alice and Bob to be tracked.

Step 2: Bob responds to the request with the SYN and ACK bits set. Bob also adds his own sequence number along with the Initial Sequence Number + 1 sent by Alice, to indicate that the previous packet was successfully received.

Step 3: Alice sends back a final ACK packet along with the sequence number to complete the connection.

Thus in the above three way handshake the sender can encode the secret data within the Initial Sequence Number. The actual implementation of this is described in the following sections.

2.2 Manipulating the TCP ACK to send spyware information

Using a predetermined message sent by the server: when a client receives this message it responds with an ACK, but this is a different ACK. This ACK contains 32 bits of our information in the ACK number field. To distinguish this special message any flag may be used. The data rate achieved will be considerably high, considering 32 bits are transferred per packet. A packet dump would be used to detect such a method.

2.3 Manipulating the TCP reserved bits to send spyware information

We can send 6 bits of our information per packet in the reserved portion of the header. This isn't used in TCP and is reserved for future implementations. This would achieve a lower data rate than attack one and would be detected using a packet dump.

2.4 Manipulating the TCP ACKS bits to send spyware information

Send a message from the server. Program the client to send the ACK after one retry for a 0 and after two retries for a 1. This will give a much lower data rate but would not be detected by a packet dump.

2.5 Manipulating the TCP HLEN bits to send spyware information

Send the data in the 4 HLEN bits in the header so as to make the value greater than 60 bytes or less than 20 bytes. This way the packet will look damaged at the server, but we will be able to extract the bits from the HLEN. The data rate would be less than the first two attacks but greater than the ACK attack mentioned above. Again a packet dump would detect this.

CONCLUSION

This paper demonstrated four practical methods of communicating secret data over the internet by establishing covert channels between the participating parties.
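Sections 2.3 and 2.5 both state that a packet dump would reveal the channel. The following added example (not code from the paper) shows what that check looks like: it parses bare TCP headers from a constructed sample dump and flags non-zero reserved bits and impossible header lengths. The header layout and the `build_tcp_header`, `inspect_tcp_header` and `scan_dump` names are this example's own.

```python
import struct
from typing import Dict, List

# Header layout per RFC 793: data offset (4 bits) | reserved (6 bits) | flags (6 bits).
# All headers below are constructed for the example; ports and sequence numbers are arbitrary.

def build_tcp_header(seq: int, ack: int, offset_words: int, reserved: int, flags: int) -> bytes:
    """Build a bare 20-byte TCP header (constructed test input, no options, no payload)."""
    off_res_flags = (offset_words << 12) | (reserved << 6) | flags
    return struct.pack("!HHIIHHHH", 40000, 80, seq, ack, off_res_flags, 65535, 0, 0)

def inspect_tcp_header(raw: bytes, ignore_ecn_bits: bool = True) -> List[str]:
    """Return findings for one TCP segment; an empty list means nothing suspicious."""
    if len(raw) < 20:
        return ["truncated TCP header"]
    _src, _dst, _seq, _ack, orf, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    offset_words = orf >> 12
    reserved = (orf >> 6) & 0x3F
    findings: List[str] = []
    # RFC 3168/3540 later assigned the three low bits of the old reserved field (NS, CWR, ECE),
    # so on modern traffic only the three high bits are still reserved; counting all six
    # would raise false positives for every ECN-capable host.
    mask = 0x38 if ignore_ecn_bits else 0x3F
    if reserved & mask:
        findings.append(f"reserved bits set: 0b{reserved:06b}")
    # HLEN is a 4-bit word count, so it can never encode more than 60 bytes; the detectable
    # anomaly is a value below the 20-byte minimum or one pointing past the captured segment.
    hlen = offset_words * 4
    if hlen < 20 or hlen > len(raw):
        findings.append(f"invalid header length {hlen} bytes")
    return findings

def scan_dump(segments: List[bytes]) -> Dict[int, List[str]]:
    """Run the check over every segment and keep only the ones with findings."""
    report: Dict[int, List[str]] = {}
    for idx, segment in enumerate(segments):
        findings = inspect_tcp_header(segment)
        if findings:
            report[idx] = findings
    return report

# Constructed sample dump: a normal SYN, a segment abusing the reserved bits,
# a segment with an impossible header length, and a legitimate ECN-marked ACK.
SAMPLE_DUMP = [
    build_tcp_header(seq=1000, ack=0, offset_words=5, reserved=0, flags=0x02),
    build_tcp_header(seq=1001, ack=5000, offset_words=5, reserved=0b101101, flags=0x10),
    build_tcp_header(seq=1002, ack=5000, offset_words=3, reserved=0, flags=0x10),
    build_tcp_header(seq=1003, ack=5000, offset_words=5, reserved=0b000011, flags=0x10),
]

if __name__ == "__main__":
    for idx, findings in scan_dump(SAMPLE_DUMP).items():
        print(f"segment {idx}: {'; '.join(findings)}")
```

The ACK-number and retry-timing channels of sections 2.2 and 2.4 leave no such single-packet signature, which is why the paper expects only the reserved-bit and HLEN variants to show up in a dump.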