In this post, we will study the relevant terms (information security, attacks on the network, TCP/IP, covert channels) and also briefly discuss a case study.
Introduction
Information security has become a need for everyone who is directly or indirectly connected to a network environment. Research and development have given us sophisticated computer systems, networks, and complex software, and with that complexity come new security issues. Security has become one of the hot topics in the field, with regular news of data breaches.
One of the modern developments in computer networking is the TCP/IP stack, a group of communication protocols that run over the Internet and various private networks and carry most of the essential services on those networks. Virtually all large networks, including the Internet, are designed around the TCP/IP protocol suite. Protocols such as IPsec, SSH, SSL, and TLS are used to provide security and privacy for network communications.
Various studies of TCP/IP have found it vulnerable to attacks such as IP spoofing, TCP SYN flooding, port scanning, data hiding, and others. Data hiding in TCP/IP is done by creating a covert channel in the protocols to carry confidential data; it is possible because of loopholes in the design of those protocols. Studies from different sources demonstrate data hiding in TCP/IP to show how penetration testers can use these techniques to test systems, and how cybercriminals can use them to transfer data illegally as digital crime continues to evolve.
Background
Data hiding techniques have been in use since Ancient Greece, and the motive for hiding data has not changed much since then. In the past, a message was hidden in an innocent-looking cover and sent to the intended receiver, who knew the hiding technique; the method was designed so that third parties could not detect it. Communication has evolved through the ages, and so have the techniques of information hiding, with new methods of secret communication coming into use. Although the methods have developed, the principles of the technique remain the same.
Among data hiding techniques such as cryptography, watermarking, and steganography, one of the modern techniques is network steganography, where secret messages are sent with the help of the different protocols in the network. This type of operation is mostly known as a covert channel.
The idea of a covert channel was first introduced by Lampson in 1973. Lampson defined a covert channel as a channel that is used to transfer information but was not intended or designed for communication. Later, the Trusted Computer System Evaluation Criteria (TCSEC) described covert channels as secret communication that allows covert transmission of data and can violate the security policy. In 1983, a covert channel was described as an entity for secretly transmitting malicious data between different subjects.
Covert Channel
A communication channel designed for the transfer of authorized data within a network or computer system is known as an overt channel, whereas a covert channel is a channel that allows the transfer of information between two systems in a way that breaks the system's security policy. A covert channel is also considered one of the main sub-disciplines of data hiding. Under such a channel, individuals exchange hidden information in an undetectable way. Viruses, Trojans, and malicious messages can be carried over covert channels in such a way that they go undetected even by a firewall or other detection system. A covert channel can be a serious vulnerability when it is combined with other malicious activity. Covert channels exist in two kinds of systems, stand-alone and network-based: in a stand-alone system the secret information is passed between different entities on that system, and in a network-based system it is transferred across the network.
Classification of Covert Channel
Covert channels are generally classified into different types. Two of them are described below:
Covert Storage Channel
A covert storage channel is a communication channel that works by placing data in an unexpected location from which it can be read by another individual or system. Sender and receiver take part by directly or indirectly writing and reading the values of a shared object. The channel uses storage locations such as object attributes, the existence of objects, and shared resources for data transmission. This kind of channel is easy to implement, which makes it a greater threat to the system. An example of a covert storage channel is the ICMP echo request that the ping command sends between two systems.
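As an added example, not from the original post, here is a small Python check a defender could apply to the ICMP storage channel described above: ping tools fill the echo payload with fixed patterns, so a payload that deviates from them deserves a closer look. The reference patterns (Windows ping text, iputils byte sequence) and the build_echo helper are assumptions for illustration; baseline them against your own captures before relying on them.

```python
import struct

# Reference payload of Windows ping (assumed value; verify on your own network).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def is_linux_ping_payload(payload: bytes, ts_len: int = 16) -> bool:
    """iputils ping sets byte i of the payload to i, then overwrites the leading
    bytes with a timestamp (16 bytes on 64-bit hosts, 8 on 32-bit; assumed)."""
    return len(payload) > ts_len and all(payload[i] == i & 0xFF for i in range(ts_len, len(payload)))

def inspect_icmp_echo(packet: bytes) -> dict:
    """Classify one ICMP message by whether its echo payload looks standard."""
    if len(packet) < 8:
        return {"verdict": "malformed", "reason": "shorter than ICMP header"}
    icmp_type, _code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        return {"verdict": "ignore", "reason": "not an echo request/reply"}
    if icmp_checksum(packet) != 0:
        return {"verdict": "suspicious", "reason": "checksum does not verify"}
    payload = packet[8:]
    if payload == WINDOWS_PING or is_linux_ping_payload(payload):
        return {"verdict": "benign", "reason": "standard ping payload"}
    printable = sum(32 <= b < 127 for b in payload)   # hint at text vs. binary stuffing
    return {"verdict": "suspicious",
            "reason": f"non-standard payload: {len(payload)} bytes, {printable} printable"}

def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an echo request with a valid checksum (demo helper, constructed values)."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
```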
Covert Timing Channel
A covert timing channel is a communication channel that works by modulating the use of a resource, for example by manipulating the timing of packets, frames, or messages so that the receiver can observe and decode the information. Timing channels are active if they generate additional traffic and passive if they manipulate the timing of existing traffic. They carry information in the arrival intervals between packets rather than in the packet contents. They are more secure than covert storage channels. Port knocking is an example of a timing channel: an individual who wants to send data secretly to a remote system probes different network ports on that system in a precise order, transmitting the information slowly.
Covert Channel in TCP/IP Model
The TCP/IP model described here consists of five layers, compared with the seven layers of the OSI model. The layers are listed below:
• Application Layer
The application layer offers almost unlimited opportunities for delivering covert data, because the covert data can reside inside a protocol header or be delivered as payload. HTTP is a fertile field for embedding covert messages: even restrictive organizations allow HTTP traffic from internal hosts to Internet web servers. Inspecting HTTP packets for protocol compliance requires costly software and can break web applications that the business depends on. Confidential messages and videos can be delivered through HTTP GET requests to the browser and through desktop sharing applications.
• Transport Layer
The transport layer maintains the reliability of packets. The source IP can be spoofed in order to appear as the intended receiver of the covert message. The critical observation at the TCP layer is the three-way handshake. The TCP header has twelve fields, many of which are rarely checked and some of which exhibit high randomness; the 32-bit sequence number, for example, identifies the position of the first byte of the segment. Because the source IP at this layer can be spoofed and used to deliver secret data or false information, the transport layer is vulnerable and can be used to create covert channels.
• Network Layer
Internet Protocol (IP) and its companions ICMP, IGMP, ARP, and RARP dominate the network layer, where data is transferred across the communication network in the form of packets. IPv4 has 23 fields carrying routing, quality of service, and fragmentation information. The 8-bit Type of Service value indicates delay and throughput preferences and can be used to carry covert data. As Craig Rowland demonstrated, the 16-bit IP Identification field, which is meant to uniquely identify datagram fragments, can be hijacked and used to deliver confidential information.
• Physical Layer
Inside a LAN, a physical interface such as Ethernet is highly operational. A low-level protocol such as ARP, which maps IP addresses to MAC addresses, operates at this layer. With the help of ARP, network tunnelling can be created inside the LAN: a covert channel in ARP provides data hiding inside the LAN. Information hiding in ARP is almost undetectable because ARP is always in operation.
• Data Link Layer
The data link layer header provides only limited benefit over a wide-area connection, because the link-layer header is replaced every time a frame passes through a network device. HICCUPS, the Hidden Communication System for Corrupted Networks, takes advantage of the data link layer headers in wireless LANs. It usurps this flexibility and masks messages in wireless traffic that appears to be corrupted by interference, and a message it encodes can only be decoded by its own receiver, which makes this a greater problem at this layer.
Elimination of Covert Channel
Complete elimination of covert channels has not been proposed to date, but they can be reduced to some extent. Some of the ways are listed below:
• Limiting protocol support
Limiting protocol support at switches, routers, gateways, firewalls, and proxies also limits the possible covert channels and so reduces covert communication.
• Packet Header Mangling
Packets are altered so that their attributes are consistent across the traffic. Clearing unused pointers, reserved bits, and state bits can therefore eliminate most covert channels. Covert channels can also be prevented by recomputing checksums and length fields.
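This added Python example, not part of the original post, implements the header mangling step for IPv4 and also covers the IP Identification channel mentioned in the network layer section: it clears the reserved flag bit, zeroes the Identification field where no receiver needs it, and recomputes the header checksum so the packet stays valid. The build_ipv4 helper and its addresses are constructed for the demo.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def normalize_ipv4(packet: bytes) -> bytes:
    """Scrub header fields a storage channel could abuse, then re-checksum.
    - the reserved flag bit (top bit of the flags/fragment word) is cleared
    - Identification is zeroed when DF is set and the packet is not a fragment,
      since no receiver needs it in that case (the field Rowland's channel used)
    TOS and options are left alone here because DSCP/ECN carry real meaning."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    flags_frag = struct.unpack("!H", hdr[6:8])[0] & 0x7FFF   # drop reserved bit
    df, mf, offset = flags_frag & 0x4000, flags_frag & 0x2000, flags_frag & 0x1FFF
    struct.pack_into("!H", hdr, 6, flags_frag)
    if df and not mf and offset == 0:
        struct.pack_into("!H", hdr, 4, 0)        # Identification is unused here
    struct.pack_into("!H", hdr, 10, 0)           # zero checksum before recomputing
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_ipv4(ident: int, flags_frag: int, payload: bytes = b"") -> bytes:
    """Constructed 20-byte IPv4 header carrying TCP (demo helper, made-up addresses)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      ident, flags_frag, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload
```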
Network Steganography
Network steganography is the hidden communication technique in which legitimate traffic is used as a carrier for secretly transferring private information over an untrusted network. Its main idea is to hide data in the header fields of network protocols, in the payload, or in both. Detecting and extracting network steganography is very difficult because it is performed inside an enormous flow of network traffic, compared with static multimedia steganography such as image steganography. As technology evolves and organizations store their information in the cloud, the use of steganography in networks is also growing rapidly, and it has become a hot research topic. Network steganography is used for good purposes as well as dark ones. Network administrators can use it to secure network management communication by hiding it from hackers. The dark side is that terrorists can use the same method for secret message transmission using network protocols over the network channel. Network steganography is therefore an effective means of communicating secret information in networks.
Literature Review
Case Study: A penetration case study from IBM X-Force Red
This is a real case study from IBM X-Force Red in which one of their red teams was tasked with delivering a malicious payload to network users without alerting the defensive team or setting off the security controls. In their first attempt, they sent a phishing email rigged with the malicious payload in order to check the security level of the defensive side. As the red team expected, it was detected by the defensive team using an anti-malware sandbox.
In their second attempt, the red team got creative and decided to use Mozilla's Firefox Send (FF Send), a legitimate file transfer tool from Mozilla. They then needed a side channel to coordinate the sending and receiving of data over that channel and to keep their information from being inspected and detected by the defensive team. The channel they chose for the secret communication was the DNS protocol, after they created a rogue control server named Foxtrot, a mechanism for communicating with any number of remote agents. With everything set up, the red team started pushing the initial payload, which passed all the dynamic defenses unnoticed and let the red team move data across intercepting proxies. Commands were also executed successfully on the compromised hosts even though the defensive team had security controls and monitoring turned on.
In this way, the red team successfully created a covert channel using the DNS protocol and delivered the malicious payload without being detected or identified by the defensive team.
Analysis
A closer look at the case above shows several things about the attack and how it succeeded. After the red team's first attempt failed, in the second attempt the team used Firefox Send (FF Send) for the secret delivery of the file. FF Send was probably chosen for its features: it allowed files of up to 1 GB, enough to both send the payload and exfiltrate data, and it encrypted and decrypted the payload with the AES-GCM algorithm directly in the browser, which saved the team from having to handle key generation and distribution for the attack. The use of the Firefox domain was another advantage, because the domain is trusted by most organizations' controls, so the team did not have to create a fake site that would raise suspicion. The domain can also slip through URL inspection and anti-phishing controls, as well as the various blacklists organizations maintain to catch harmful content from rogue sources.
Similarly, the DNS protocol was probably chosen for the secret communication channel because DNS has decent packet capacity and a good chance of blending in with legitimate user traffic, which makes it easier to coordinate the sending and receiving of the confidential information. The whole scenario was thought through critically by the members of the red team and applied in real time, which made the attack successful in delivering the malicious payload through a covert channel.
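The analysis above notes that DNS blends in with legitimate traffic; as an added example not taken from the case study, this Python script runs some simple detection heuristics over a constructed resolver log (a distinct subdomain per query, subdomain entropy and length, and TXT/NULL record types). The log lines, zone names, client addresses and thresholds are all made up for illustration.

```python
import math
from collections import defaultdict
# Constructed resolver log ("<client> <qtype> <qname>" per line); every value is made up.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.7 TXT 4a6f686e2e6b6c7a9f3e.tunnel-demo.example.org
10.0.0.7 TXT 9f3e1c7b5d2a8e4f0c1b.tunnel-demo.example.org
10.0.0.7 TXT b7d9e2f4a6c8e0a1b3d5.tunnel-demo.example.org
10.0.0.7 TXT 0e1d2c3b4a5968778a6f.tunnel-demo.example.org
10.0.0.5 AAAA mail.example.com
10.0.0.9 A login.example.com
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; hex or base32 payloads score well above words."""
    if not text:
        return 0.0
    probs = [text.count(ch) / len(text) for ch in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def analyze(log_text, min_queries=4, max_len=30, entropy_limit=3.5) -> dict:
    """Group queries by zone (last two labels; use a public-suffix list in
    production) and flag zones whose subdomains look like encoded data."""
    zones = defaultdict(lambda: {"n": 0, "subs": set(), "txt": 0, "ent": 0.0})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        zone, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        z = zones[zone]
        z["n"] += 1
        z["subs"].add(sub)
        z["txt"] += qtype in ("TXT", "NULL")   # record types with room for data
        z["ent"] += shannon_entropy(sub)
    alerts = {}
    for zone, z in zones.items():
        if z["n"] < min_queries:
            continue
        reasons = []
        if len(z["subs"]) == z["n"]:
            reasons.append("every query used a distinct subdomain")
        if z["ent"] / z["n"] > entropy_limit:
            reasons.append("high subdomain entropy")
        if max(map(len, z["subs"])) > max_len:
            reasons.append("unusually long subdomains")
        if z["txt"] * 2 > z["n"]:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= 2:   # require two independent signals before alerting
            alerts[zone] = reasons
    return alerts
```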
Scenario
Based on the case study above, a similar attack will be created for secret communication between two devices without alerting any other hosts. Whereas the case study used the FF Send tool to transmit secret files, this attack will use the Netcat tool to send and receive secret messages between the two devices. Whereas the case study used the DNS protocol as the communication medium, this attack will use the TCP protocol as the channel between the devices to create a covert channel.