Based on a true series of events:
"...I was ready to begin this long-awaited vacation at that awesome paradisiacal location I've been dreaming of for years. Oh no! The moment I stepped out of the room it hit me: I'd completely forgotten to send that incredibly urgent and important email before leaving home. This needs to be fixed right now! But how? Look at me, I'm at this oceanic hotel villa under a palm tree in the middle of nowhere. Internet pricing here is absurd, there's no way I'll pay for this… what can I do?"
Don't worry, our vacationer made it. The urgent-yet-forgotten email was sent (and our protagonist didn't get fired in the process) after bypassing the firewall-proxy implemented at the hotel villa using a covert channel (red team tools FTW!).
But how was this accomplished? The main issue was that the hotel's Internet management software blocked every HTTP request by redirecting all traffic to a captive portal made specially for this purpose. This is pretty common among clubs or airport hotspots you may encounter in the wild. Paying the Internet fee will usually get you through, but this story actually takes the opposite route.
So, where's the catch? How do we circumvent this? First, let's find our attack vector. To be able to reach the proxy, the firewall allowed DNS queries to be resolved and answered them with their real DNS records. Once a connection to that real record was attempted, the proxy in between stepped in and replaced the response with an HTTP redirection to the "pay here first please" page.
For clarification, let's look at the network diagram below. You can see that an attacker (the vacationer in our story) connects to the hotel network and then tries to reach anything at all (the same way you browse the Internet or send an email). To do that, a DNS request is made, and the firewall in place forwards it to the running nameserver (NS) service. If the nameserver doesn't know the answer, it performs a recursive lookup of the records against the authoritative nameservers.
To complete the picture, we must note that the hotel's actual implementation blocked navigation only after the DNS record had been received and the computer tried to reach it over HTTP. This is because the web proxy in place was configured to deny Internet access to non-paying customers.
So what was the trick to deceiving these controls? Our vacationer had set up an authoritative name server that answered queries for a domain name under their own control. Information encoded as subdomains of that domain was therefore able to leave the local network without problems, using what's known as a "covert channel".
Keeping all this in mind, we're going to show you what a covert channel is, how it works, what tools and techniques are out there to make it happen, and what other tools can help network administrators detect and avoid information leaks.
Surprised? The hotel surely was. Take a look at "Breaking Cybersecurity Myths" and check out how some common "I'm secure" assumptions can lead you to being vulnerable, and without even noticing!
- Covert channels, what are they?
- Tools that may help in creating a channel
- How far can extrusion techniques go?
- Covert channel detection… is it possible?
Covert channels, what are they?
Here's a raw definition: "A communication channel specially made to send information in a stealthy way from one system to another is commonly known as a covert channel".
The assumed main objective of covert channels within information systems is to extrude data beyond the electronic boundaries of servers and networks, in other words a data breach. It's important to note that the main objective of the covert channel is not to hide the transmitted information, but to hide the fact that the channel exists at all; keeping the transmission itself obscured is a highly desirable by-product of that hidden channel.
This itself leaves an amazing opportunity open, one that lets you consider every possible way you can send information using existing channels without being noticed. Here are a couple that we'll be addressing in this article:
- ICMP data extrusion
- DNS data extrusion
And for a few really good examples of how far this can go, check out:
- GPU radio transmitting data exfiltration
- Power Supply data exfiltration
- Computer fans data transmission
- Ultrasonic data transmission using speakers
While all of these can be mind-blowing, we'll focus on DNS covert channels in this post.
DNS covert channels 101
Despite the clickbait-like title, this kind of channel really does give us an interesting and clever technique that's used to exfiltrate data. We think that learning about it makes for a very worthy read.
As we mentioned in our introduction, there are several "players" in this scenario that make this kind of "attack" possible. A few of them are:
- A domain name under the attacker's control, in this example "exfiltrate-me.pls".
- A fake authoritative name server that answers DNS queries for this domain.
- A recursive name server that lets us pivot from the local, privileged network to the external network, where our exfiltrated data will be received.
The same technique can also be used to reach additional remote parties: a gateway to the Internet, an onion network, a VPN, or any other network you wish to access.
Rather than mentioning any particular implementation, one idea behind this way to exchange information is showcased in the image below. From the extrusion side of the transmission, we send some commands encoded as subdomains of our own "in control" domain name.
This subdomain will be received by our fake authoritative server, which will understand this transmission and act accordingly. This could be to store information, or transmit anything to a third party.
In the case of our vacationer, it means connecting to the internet to send an email.
Once information is received and the execution of the desired command is completed, a response message could be sent in many different ways. Depending on the record type we asked the pivot recursive DNS server to query, the response length may vary (and as we said earlier this isn't a 'high speed' mode of communication).
Below you see an example of what a response should look like. This response will be decoded by the attacker, whether it's web page navigation data or a confirmation message of some kind.
As we've seen in this section, DNS is highly useful for inserting information into or taking information out of a network without being noticed, but it's not the only technique out there.
Now we'll dig a little deeper into other protocols and show you a few tools that can help you accomplish your covert channel venture.
ICMP covert channels 101
Another interesting way to ship information within a protocol's payload is the Internet Control Message Protocol (ICMP for short). As with DNS covert channels, there are different implementations depending on what the author wants to accomplish, but as a general rule they encode information using a fast, simple encoding such as base64.
By taking advantage of the unused data section, it's possible to send encoded information to a specific destination. This can also be obscured using different techniques such as compression, character substitution (rot13, for example) or, at the slower end, encryption.
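As an added example (not from the original post, nor from ptunnel or hans), the following Python builds an ICMP echo request with a valid checksum and then classifies echo payloads the way a packet-inspection rule would: anything that is not a known default ping filler and looks like text-encoded or high-entropy data in the unused section is flagged. The default-payload shapes are assumptions drawn from common captures, and the sample packets are constructed.

```python
import math, struct
from collections import Counter

# Reference payloads (assumption, taken from observed captures rather than this page):
# iputils ping sends a timeval then filler bytes with data[i] == i; Windows ping sends
# a fixed 32-byte alphabet string. Tunnel tools replace this with encoded data.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header and payload (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request (type 8, code 0) carrying the given payload."""
    csum = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def linux_default_payload(size: int = 56, ts: bytes = b"\x00" * 16) -> bytes:
    """Shape of the iputils default: a timeval, then filler where data[i] == i & 0xFF."""
    return ts + bytes(i & 0xFF for i in range(len(ts), size))

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_echo(packet: bytes) -> str:
    """'not-echo', 'bad-checksum', 'default-payload', 'suspicious-payload' or 'unknown-payload'."""
    if len(packet) < 8:
        return "not-echo"
    itype, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if itype not in (0, 8) or code != 0:
        return "not-echo"
    if icmp_checksum(packet) != 0:  # a correct checksum makes the whole packet sum to zero
        return "bad-checksum"
    payload = packet[8:]
    if payload == WINDOWS_PING_PAYLOAD:
        return "default-payload"
    # Timestamp length differs between builds (8 or 16 bytes), so compare from offset 16.
    if len(payload) >= 24 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return "default-payload"
    # Tunnels carry text-encoded (e.g. base64) or encrypted data: flag printable-heavy,
    # high-entropy or oversized payloads; anything else is reported for baselining.
    printable = sum(32 <= b < 127 for b in payload) / max(len(payload), 1)
    if printable > 0.9 or entropy(payload) > 5.0 or len(payload) > 1024:
        return "suspicious-payload"
    return "unknown-payload"
```

Custom fillers (ping -p) and some monitoring agents will land in "unknown-payload", so tune the thresholds against your own traffic before alerting on them.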
Let's look at some useful pieces of software that will help you deploy this kind of solution quickly.
Tools that may help in creating a channel
Here's a list of tools that might help make the job easier, when creating a covert channel over DNS:
- iodine - Tunnel IPv4 data through DNS servers
- dns2tcp - Tool for relaying TCP connections over DNS
- dnscat - Tool for making VPN-like connections over DNS (claimed to be deprecated)
- dnscat2 - Evolution of dnscat, made specifically for command and control use cases
- dnstunnel - DNS tunnel based on the work of Dan Kaminsky's OzymanDNS scripts
All of these tools actually do similar things to accomplish one main goal, even if they differ in a number of ways—from their implementation and focus on the problem to the actual connection speed you'll experience when using them.
Here's a list that will help you create ICMP covert channels:
- ptunnel-ng - Evolution of ptunnel, it tunnels TCP connections inside ICMP packets
- hans - Tunnels IPv4 through ICMP packets, and also runs on Windows
These tools use the most commonly seen covert channel protocols, but in the next section we'll show you how many other channels are possible, and how they can be put to use for this purpose.
How far can extrusion techniques go?
One special tool we wanted to showcase in this post is PyExfil. It really is worth mentioning because it summarizes many different techniques to make data exfiltration and communication outside premises possible, while making extrusion detection extremely difficult (but let's not say "impossible").
This tool's GitHub page lists numerous ways to do just that, including a nice modular approach. They're meant to be a compilation of "proof of concepts" rather than an actual tool that's suitable for a red team, and despite that, this piece of work truly makes us wonder how we can protect ourselves from this, and other undisclosed ways, to communicate between systems.
Here's a list extracted from their website which shows different techniques that could be used and configured using PyExfil to build an extrusion proof of concept.
Or... we can go all science-fiction here and create stealth communications by activating electronic microphones using lasers:
Covert channel detection… is it possible?
That's a tough question. There are no silver bullets, magic spells or a single have-it-all product, only the knowledge that "security is a process". There are of course a number of countermeasures you can look to, and there are some good books available that cover the topics of security monitoring. To name a few:
- The Tao of Network Security Monitoring, and its sequel
- The Practice of Network Security Monitoring
- Extrusion Detection, which directly addresses the case of insider attacks
- Real Digital Forensics is a good post-mortem approach to check out
- Zero Trust Networks, for a network design approach to defense
All of these resources address different tools and points of view, including traffic capture and inspection, IDS/IPS configuration, network tampering devices, test access port (TAP) setup, secure network design, and the forensic treatment and analysis of network information (in case your findings need to hold up legally).
We want to go a little deeper into one of these topics. In this next section, let's explore a new way to create networks and place network equipment and servers that may be of great help in making the attacker's job more difficult.
"Zero trust networks" and defensive network architecture design
Zero trust architectures try to solve the problem of information leakage by defining zones in which services run. By contrast, in the traditional "trusted zone" model, an application server and a database server that share the same network segment (zone) implicitly trust each other, and there is usually no filtering of the communication between them.
This architecture paradigm states that all zones (network segments, or service type categorization) should no longer belong together—and that we should assume they are not all to be mutually trusted.
To accomplish this, the firewalling takes on a new role by becoming a central piece of interconnection between the different zones; where one of them could be the internet, and the other an application server zone.
Only explicitly allowed network flows will pass, and those that do are subject to inspection by intrusion detection systems and network security monitoring.
Detecting network extrusions is paramount whether we're talking about enterprise, health-care, government, or any other sector that involves private and classified information.
The kinds of techniques we wrote about today keep raising the level of difficulty network administrators face in preventing data exfiltration.
As new and clever ways of communication between systems continue to arrive on the scene, defensive network administrators have to keep up and continually upgrade their countermeasures so they're able to detect and stop possible threats.
This has been true for quite some time now, from plausible opportunistic attacks all the way to the advanced persistent threat industry, which constantly comes up with new ways of stealing protected information.
Need to keep an eye over your digital assets?
Our API and SurfaceBrowser™ tools will boost your quest in discovering your project’s digital footprint, historic records trace and help you find how they may publicly expose sensitive information. Contact our sales team and schedule a call today and check what else we can do for you!