Sending the Information Payloads Back to the Servers
through TCP/IP Encryption without Anyone Noticing
Hammad Shah 07-0259, Raheel Maroof 07-0120, Junaid Inam 07-0180, Irum Maqsood 10-1127
Electrical Engineering Department, National University of Computer & Emerging Sciences
H11/4 A.K Brohi Road, Islamabad
hammad.shah@live.com, i070120@nu.edu.pk, junaidinam@hotmail.com, irum188@yahoo.com
Abstract- This paper describes an approach to covert channel
communications in the Microsoft Windows environment, which
is applicable to all versions of Windows. The goal of this
approach is to bypass network firewalls, as well as personal
firewalls. We achieve this by using Windows messaging to hijack
and control applications that have network access; accordingly
such applications are not blocked at the application level. The
cover channel is performed by a user process (Spyware) that
hijacks another user process (e.g. a browser or email client). Our
work is related to the Leaktest project, which analyses possible
flaws in personal firewalls. However, we show how to create a
concealed bidirectional channel. The presented method is
difficult to prevent, as Windows does not give processes
information about
the source of window messages.
1. INTRODUCTION
The basic purpose of our design scenarios is to leak illegally
gathered information about a user to our web servers. There
are many ways to implement this some of which we have
proposed and discussed in this research paper. A simple
example of this may be”
Spy program wants to get information about service program1.
1. When program other than service program is running,
spy program will get 1.
2. When spy program is running it will get 0.
Now spy program wants to keep track on only service
program 1. So it will get 0 even when service program 2 is
running.
i.e.: Service program 1 running -> 1
Service program 1 Not running -> 0
Information Leaked:
1. Service program running: Spy program gets to know
when service program is running.
2. Information Bits : Spy program accumulates these
bits to get new information.
Difference between time channel and covert channel is that,
information is passed at every time slot in time channel but in
case of storage channel information is given only when
request is made. As we can see that same information is
revealed by timing and storage channel hence convertible.
2. TCP/IP FRAGMENTATION
2.1 Covert Channel by Manipulating TCP Header
TCP is a connection oriented, reliable service as compared to
UDP which is a connectionless and non-reliable. The
connection between different parties using TCP is established
by means of a three way handshake described as below:
Step 1: In order to establish connection with Bob, Alice sends
packet to Bob with Synchronize (SYN) bit set announcing
new connection and an Initial sequence number (ISN) which
allows to track packets sent between Alice and Bob.
Step 2: Bob responds to the request by having SYN and ACK
bit set. Bob also adds his own sequence number along with the
Initial Sequence Number + 1 sent by Alice to indicate that the
previous packet was successfully received.
Step 3: Alice sends back a final ACK packet along with the
sequence number to complete the connection. Thus in the
above three way handshake the sender can encode the secret
data within the Initial sequence number. The actual
implementation of this is described in following sections.
2.2 Manipulating the TCP ACK to send spyware information
Using a predetermined message send by the server, when a
client receives this message it responds with an ACK but this
is a different ACK. This ACK contains 32 bit of our
information in the ACK number field.To distinguish between
this special message any flag may be used. Data rate achieved
will be considerably high considering 32 bits are transferred
per packet. Packet dump would be used to detect such a
method.
2.3 Manipulating the TCP reserved bits to send spyware
information
We can send 6 bits of our information per packet in the
reserved portion of the header. This isn’t used in TCP and is
reserved for future implementations. This would achieve a
lesser data rate than attack one and would be detected using
packet dump.
2.4 Manipulating the TCP ACKS bits to send spyware
information
Send a message from the server. Program the client to send
ACK after one retry for a 0 and after two retries for a 1. This
will give a much lower data rate but would not be detected by
packet dump.
2.5 Manipulating the TCP HLEN bits to send spyware
information
Send the data in the HLEN 4 bits in the header such that to
make the value greater than 60 bytes or less than 20 bytes.
This way the packet will look damaged at the server but we
will be able to extract the bits from the HLEN. Data rate
would be less than first two attacks but greater than the ACK
attack mentioned above. Again packet dump would detect this.
CONCLUSION
This paper demonstrated four practical methods of
communicating secret data over the internet by establishing
covert channels between the participating parties.
REFERENCES
[1] G.J. Simmons. The prisoners’ problem and the subliminal
channel. In CRYPTO ’83, page 51-67. Plenum Press,
1984.
[2] Serder Cabuk, Carla E. Brodley, Clay Shields. IP covert
Timing Channels: Design and Detection.
[3] John Giffin, Rachel Greenstadt, Peter Litwack, and
Richard Tibbetts. Covert messaging through TCP
timestamps. In Workshop on Privacy Enhancing
Technologies, volume 2482, April 2002.
[4] Andrew S. Tanenbaum. Third Edition Computer
Networks. Page no. 416 The IP protocol and page no. 524
TCP protocol.