Valletta - NYSCSC 2011 - Data Exfiltration Using Covert Channels
DESCRIPTION
http://thecobraden.com/uploads/Valletta%20-%20NYSCSC%202011%20-%20Data%20Exfiltration%20using%20Covert%20Channels.pdf
TRANSCRIPT
![Page 1: Valletta - NYSCSC 2011 - Data Exfiltration Using Covert Channels](https://reader031.vdocuments.net/reader031/viewer/2022020320/55cf94c4550346f57ba43c86/html5/thumbnails/1.jpg)
By Jake Valletta
June 8th, 2011
About Me
Education: A. S. Hudson Valley Comm. College, 2009
B. S. Rochester Institute of Technology, 2011
○ Information Security & Forensics
Experiences: Numerous Internships
MANDIANT Corp., June 2011
○ Pen testing / Incident Response
Interests: Network Security & Forensics
Binary / Malware Analysis
Programming: C / Python
Agenda
Data Exfiltration
Covert Channel Basics
Examples
Demonstrations
Detection Methods
Conclusion
Data Exfiltration
The leaking of sensitive information
Company secrets
Source code
Client information
A primary goal of an attacker
Can have a big impact on company
Impact
Loss of company & client information
Company’s reputation at stake
○ Sony anyone…?
Per state law, incidents must be reported in several states
○ NYS Information Security Breach and Notification Act 2005
Attack Life Cycle
Source: Ed Skoudis, Tom Liston - Counter Hack Reloaded, 2006 (Pearson)
Reconnaissance
○ Whois, Company Website
Scanning
○ Port scanning, service enumeration
Gaining Access
○ Exploiting software, buffer overflows
Maintaining Access
○ Root-kits, backdoors
Covering Tracks & Hiding
○ Cleanse logs, exfiltrate data
Exfiltration Methods
Source: A. Giani et al. - Data Exfiltration and Covert Channels
Physical
USB Thief
Laptop Thief
Cognitive
Social Engineering
Shoulder Surfing
Network Based
FTP / SSH / HTTP
Network–based Covert Channels
…But I have a firewall(s), right?
Source: http://www.cisco.com
Firewalls: Not the Cure-all!
Not as much focus on outbound traffic
Majority are signature-based
Need to be configured properly to be effective
Covert Channels
“Covert channels use means of communication not normally intended to be used for communication, making them quite elusive.”
Source: caia.swin.edu.au/cv/szander/publications/szander-ieee-comst07.pdf
“Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of the communication.”
Prisoner Problem
Allows a secret communication channel across an insecure channel
Nothing out of the ordinary is observed, so it is stealthy
Role of Wendy the Warden can impact the channel’s effectiveness
Active, Passive, Malicious
Covert Channel Types
Storage Based
○ The information we want to send is ‘stored’ somewhere in the overt communication channel
Timing Based
○ The timing of an overt communication channel is the covert channel
Storage Channels
Hide data in protocol headers
Requires modification of overt channel, OR a ‘fake’ overt channel
Some can be detected and mitigated with proper firewall rules
Timing Channels
Very difficult to create
Latency issues
Very difficult to find
Doesn’t require modification to an existing communication stream
Things to Consider
Do we need a bidirectional or unidirectional covert channel?
What kind of warden is present?
Python
Modern interpreted programming language
Powerful, fast & easy to follow syntax
Extensive built-in libraries
Plays well with C / Java / .NET code
Open-source
Language of choice for ‘hackers’ and reverse-engineers
Excellent for prototyping and POC code
Python Website: http://www.python.org/
Scapy
Powerful interactive packet manipulation program
Forge and decode custom packets
Sniff network traffic or read captured packets
Combines functionality of many tools
○ nmap, hping3, p0f, tcpdump
Can import into Python 2.5+
Scapy Website: http://www.secdev.org/projects/scapy/
Coding a TCP Packet in C
…And with Scapy
ICMP – The Protocol
Internet Control Message Protocol
Used in error reporting & network diagnostics
‘ping’ (Echo Request / Reply)
Windows ‘tracert’ (TTL Exceeded)
Need to Fragment, Destination Unreachable, Port
Administratively Filtered, Redirect, etc.
Should be disabled (?)
The ICMP Header
Source: http://www.insecure.in/packet_header_analysis.asp
ICMP Echo Request
*ICMP Echo created by Windows NT TCP/IP Stack
Analysis
Type – 0x08 (Echo Request)
Distinguishes this as a ‘ping’
Code – 0x00
Checksum
Checked for packet integrity by routers
ID – 0x0001
Sequence – 0x0001
Data – 32 bytes
Of what…?
Exploring
According to RFC 792, the only value for the code field in an ICMP Echo message is 0.
Code is used in other ICMP messages (think ‘subtype’)
Changing the code does not invalidate the message
ID differentiates sessions, much like a TCP / UDP port
Changing the ID does not invalidate the message
Sequence is a counter for a session
Changing the Sequence does not invalidate the message
Options
A storage based covert channel can be created
using these fields
Each field can hold data to be sent
Data can be tunneled over the payload field
Encryption to obscure context
Shouldn’t be detected / blocked by IDS or Firewall
Restrictions
Some networks filter / drop ICMP traffic
Superfluous traffic
Additional attack vector
Could be detected by IDS
Why so many pings?
Concept has been around for a while
lokid (Phrack Magazine, 1997)
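The field analysis above (type, code, ID, sequence, payload) turns directly into a detection check. The following is an added example, not code from the talk: it parses raw ICMP echo requests and reports the deviations a behavioural IDS could alert on, answering the “why so many pings?” question from the defender’s side. The Windows ping payload constant and the sample packets are constructed here, and the 6 bits-per-byte entropy threshold is an assumption.

```python
import math
import struct

# Payload the Windows ping tool sends (the slide's "Data - 32 bytes"), reproduced
# here from the well-known pattern so the check runs offline.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid packet, checksum included, it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes, code: int = 0) -> bytes:
    """Constructed ICMP echo request (type 8) used only as sample input."""
    hdr = struct.pack("!BBHHH", 8, code, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, code, csum, ident, seq) + payload

def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

class EchoInspector:
    """Flags the echo-request fields the slides name as covert-channel carriers."""
    def __init__(self):
        self.last_seq = {}  # (src, id) -> last sequence number seen

    def inspect(self, src: str, pkt: bytes) -> list:
        if len(pkt) < 8:
            return ["truncated ICMP header"]
        typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        if typ != 8:
            return []  # only echo requests are in scope here
        findings, payload = [], pkt[8:]
        if icmp_checksum(pkt) != 0:
            findings.append("checksum mismatch")
        if code != 0:
            findings.append("echo code %d (RFC 792 allows only 0)" % code)
        prev = self.last_seq.get((src, ident))
        if prev is not None and seq != (prev + 1) & 0xFFFF:
            findings.append("sequence jumped %d -> %d" % (prev, seq))
        self.last_seq[(src, ident)] = seq
        if payload != WINDOWS_PING_PAYLOAD:
            findings.append("non-standard payload (%d bytes)" % len(payload))
        if entropy_bits(payload) > 6.0:
            findings.append("high-entropy payload, possibly encrypted tunnel data")
        return findings
```

A Linux ping carries a timestamp plus a 0x10..0x37 byte pattern rather than the Windows string, so a deployment would whitelist each stack’s known payload instead of the single constant used here.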
DNS – The Protocol
Used primarily for name resolution
What is the IP address for www.google.com?
Hierarchical design
Must be allowed in and out of firewall
A DNS Request
Exploring
The query of the request could be modified
DNS lookups for A, CNAME and TXT records
The ‘Name’ field can contain our data
Multiple ‘questions’ can be specified
But packet size must be less than MTU, as DNS sets ‘Don’t Fragment’ flag in IP header (per RFC)
Valid DNS requests use the character set [a-zA-Z0-9\-]
Example Flow
Options
Looks like a legitimate DNS request
How can an IDS tell it’s forged?
Encryption can obscure the message
Provides a good unidirectional covert channel
Can be made bidirectional with CNAME / TXT requests (OZYmanDNS, NSTX)
Advantages
Shouldn’t be blocked by any firewall
DNS is required to be allowed out of the firewall
Very hard to detect or filter
You’d be surprised what domains exist
Even if it is detected, encryption can protect payload
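The question on the Options slide, how an IDS can tell a forged request from a legitimate one, is answered behaviourally rather than by signature. The following is an added example, not code from the talk or from any of the tools it names: it scores a constructed query log per client and registered domain, flagging names outside the [a-zA-Z0-9\-] character set (firewall-rule material) and streams of many unique, high-entropy subdomains. The registered-domain rule (last two labels) and the thresholds are simplifying assumptions.

```python
import math
import re
from collections import defaultdict

# Hostname characters the slide lists as valid, plus the label separator.
VALID_NAME = re.compile(r"^[A-Za-z0-9\-.]+$")

# Constructed query-log lines, "<time> <client> <rtype> <qname>"; the labels
# under exfil-example.net are made-up hex strings, not traffic from the talk.
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 A www.google.com",
    "10:00:02 10.0.0.5 A mail.google.com",
    "10:00:03 10.0.0.5 CNAME www.rit.edu",
    "10:00:04 10.0.0.9 TXT 0123456789abcdef0123456789abcdef.exfil-example.net",
    "10:00:04 10.0.0.9 TXT 123456789abcdef0123456789abcdef0.exfil-example.net",
    "10:00:05 10.0.0.9 TXT 23456789abcdef0123456789abcdef01.exfil-example.net",
    "10:00:05 10.0.0.9 A 3456789abcdef0123456789abcdef012.exfil-example.net",
    "10:00:06 10.0.0.9 A 456789abcdef0123456789abcdef0123.exfil-example.net",
    "10:00:07 10.0.0.5 A dGhpcyBpcw==.other-example.org",
]

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded or encrypted labels score high."""
    if not label:
        return 0.0
    counts = [label.count(c) for c in set(label)]
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts)

def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registered domain (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def score_queries(lines, min_unique=4, min_entropy=3.5):
    """Returns {(client, registered domain): [reasons]} for every pair that shows
    invalid hostname characters or a stream of many unique, high-entropy subdomains."""
    stats = defaultdict(lambda: {"names": set(), "ent": [], "reasons": []})
    for line in lines:
        _ts, client, _rtype, qname = line.split()
        st = stats[(client, registered_domain(qname))]
        st["names"].add(qname)
        if not VALID_NAME.match(qname):  # cheap enough for a firewall or IDS rule
            st["reasons"].append("characters outside [a-zA-Z0-9-]: " + qname)
        sub_labels = qname.rstrip(".").split(".")[:-2]
        if sub_labels:  # score only the part an encoder could fill with data
            st["ent"].append(max(label_entropy(lab) for lab in sub_labels))
    flagged = {}
    for key, st in stats.items():
        mean_ent = sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0
        if len(st["names"]) >= min_unique and mean_ent >= min_entropy:
            st["reasons"].append("%d unique names, mean label entropy %.2f"
                                 % (len(st["names"]), mean_ent))
        if st["reasons"]:
            flagged[key] = st["reasons"]
    return flagged
```

Because the slide notes the payload may be encrypted, the scorer never tries to decode labels; volume and entropy per domain are what survive encryption.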
IPv6 / ICMPv6 – The Protocols
Next Generation
Development started in early 1990s
Secure (?)
Slowly but surely replacing IPv4
ICMPv6 is integrated into IPv6
Neighbor Discovery Protocol (NDP)
ICMPv6 Echo Request
Exploring
Traffic Class is the replacement for ‘Type of Service’ in IPv4
Used in real-time data (VoIP)
Flow Label is used to quickly process real-time data
Saves time by not examining entire header, because it already knows about this ‘flow’
Code, Sequence, and ID are still the same
Ping6ed machine won’t respond if code isn’t 0
Options
Traffic Class & Flow Label can be modified
Shouldn’t affect the packet’s travel (?)
Modulate ICMPv6 fields
Just like ICMPv4
Tunnel data in payload section
v00d00N3t (R. P. Murphy, DEFCON14)
Advantages
Still not fully understood / deployed
Firewalls / IDS might not be fully aware
RFCs might not be strictly followed
ICMPv6 cannot be turned off anymore
“ICMPv6 is an integral part of IPv6 and MUST be fully implemented by every IPv6 node.” (RFC 2463)
Topology
(Good luck!)
The Problem
The very nature of a covert channel makes it hard to find
How do you know to look for something that you don’t know you needed to look for?
Once you do detect it, how do you stop it?
The data is already leaked!
Solutions
Signature-based Approach
How most antivirus, DLP, IDS & IPS solutions work
Will not detect new covert channels
Resource intensive
Behavioral-based Approach
Not as common
Resource intensive (full packet inspection)
Capability to detect known and unknown storage channels
Contact Information
http://www.linkedin.com/pub/jacob-valletta/20/aa1/57
Questions, ideas, source-code, projects, etc.