Network Covert Channels

A top down approach

Created by Felipe Pr0teus
Blog || @Pr0teusBR

$whois Felipe.Pr0teus

Não trabalho na Proteus.

  • Works for TJRJ
  • Security Researcher(Independent)
  • Love coffee!
  • Like to Help

Disclaimer

The data, or the results found here were tested in controled environment, may or may not correspond to a real life situations. My employer has nothing to do with it =D

Agenda

  • Data Exfiltration.
  • Remote Access, Botnet C&C and so on
  • If you play defensive: Knowledge

Motivation

  • Data Exfiltration.
  • Remote Access, Botnet C&C and so on
  • If you play defensive: Knowledge

Covert Channels

Intention to leak information

vs

Side Channels

Not intended to leak any information

Types

  • Storage
  • Timing
  • Protocol
  • Hopping
  • Hybrid

Storage

StealthyCapacityRobustness

Timing

Protocol

Hopping

Scenarious

By network position: Active vs Passive By Capacity: Client/Server vs Both

Properties

stealh octopus stealth

Top-Down approach

OSI-model

but first...

shall we play a game ?!

Layer 7 8(Users)

Common protocols:

OSI-model

Layer 7

Common protocols:

OSI-model

Layer 6

Common protocols:

OSI-model

Layer 5

Common protocols:

OSI-model

Layer 4

Common protocols:

OSI-model

Layer 3

Common protocols:

OSI-model

Layer 2

Common protocols:

OSI-model

Detections and Defenses

Kinda hard to detect and eliminate. Always prefereable detect than eliminate

As usual:

  • segment your network
  • Manage & block unused protocols
  • Signatures or Heuristic

Detections and Defenses

keep going...

  • packet normalization
  • inject random delay on network
  • Document the covert channel technique
  • limit their capacity

Conclusions

Any Questions ?!

Capture The Flag - Results

Based on ACK - first written in 2006 by Laurent Butti http://rfakeap.tuxfamily.org/#Raw_Covert

The 1st flag is:
FLAG


The is a 2nd ?! it's matter of time ! Tweet and meet me @Pr0teusBR and @CONFdence!

Thanks !

Contacts: E-mail(ask-me), @Pr0teusBR or RL ;)