Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Covert File Transfer through ICMP

advertisement 
Covert File Transfer Through ICMP
Bryan Hartley
Neal Rollins
Byrav Kadalur
Chandy Kuriakose
Table of Contents
Abstract.....................................................................................................................................................3
Purpose......................................................................................................................................................3
Background...............................................................................................................................................3
Design and Process...................................................................................................................................4
Organization.............................................................................................................................................4
Deliverables..............................................................................................................................................5
Abstract
There are many different ways to send a file across a network, including sftp, ftp, and http. Each
of these use TCP connections. However, TCP connections are easily blocked on a network through
methods like port blocking, and the information is likely to be logged, meaning that whatever you do,
they can find out easily. What is desired is a discreet method to send a file, one that could contain
sensitive data. One possible solution is to send the file through PING packets. In a ICMP packet, on
which PING is based, there is a few bytes of important information, but then the rest of the 64k packet
is empty data. The contents of that part of the packet might be able to be manipulated to contain the
data we want to send. As many networks ignore PING traffic, it would make a suitable medium for
transferring data discreetly.
Purpose
The purpose of this project is to create a software system that will send the contents of a file
across a network through the ICMP protocol, making the packets appear to be normal PING packets to
any intervening devices, such as a firewall. This system will be in two parts: a sending program, and a
receiving program. The sending program will construct the packets so that they appear to be normal
PING packets with the data it will read from the specified file. It will then send these packets to the
receiving system. The receiving end will log all the special PING packets received. It will then go back
through when done and extract the useful data and put it in the order necessary. Therefore, there are the
following milestones: Sending arbitrary data in a PING packet, Logging a PING packet, recognizing a
special PING packet that should be logged, and reconstructing the data after it has been sent.
Background
PING is a part of the ICMP protocol and is used to test if a host is reachable across a network.
ICMP is a critical component of the IP network layer. By it's nature, it is a connectionless protocol .
Ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit and ICMP
ECHO_RESPONCE from a host or gateway. ECHO_REQUEST packets have an IP and ICMP header,
followed by a ``struct timeval'' and then an arbitrary number of ``pad'' bytes used to fill out the packet.
The structure of the PING packet is as follows. An IP header without options is 20 bytes. An
ICMP ECHO_REQUEST packet contains an additional 8 bytes worth of ICMP header followed by an
arbitrary amount of data. When a packetsize is given, this indicates the size of this extra piece of data
(the default is 56). Thus, the amount of data received inside of an IP packet of type ICMP
ECHO_REPLY will always be 8 more than the requested data space (The ICMP header).
If the data space is at least 8 bytes large, ping uses the first 8 bytes of this space to include a
time stamp which is uses in the computation of round trip times. If less than eight bytes of pad are
specified, no round trip times are given. See Figure 1.
Figure 1: ICMP packet format
To create the custom packets needed, raw sockets will be used. Raw socket is a software
interface through which a process can fully control the packets it sends or receives to or from the
network. This is done by bypassing the network stack of the host and communicating directly with the
device driver. Thus, both the IP layer and the ICMP protocol will have to be implemented, although
not in their entirety.
Design and Process
For our purposes, 2 virtual machines will be used to simulate a small network. A firewall on one
machine will block all TCP and UDP connections, so as to prevent any other form of communication.
Both machines will be running Gentoo Linux so as to provide the most flexible platform for
development and testing. The sending machine will have a large file (about 1MB) that is to be sent. It
will also have the program that will send the PING packets. The firewall will be on this machine,
blocking outgoing connections that are not desired. On the receiving machine, the kernel will be
specially compiled so that the PING packets will be logged. The linux kernel handles the reply of
incoming ping packets, therefore, the kernel has to be specially setup so that the packets can be handled
differently. Finally, a separate program will parse the PING log file after the transfer is done. It will
strip unwanted PING packets send, as they would be ones from other computers, and the PING header
information. It will extract the desired data in order and save it to an output file that will represent the
data sent.
Organization
The responsibility of the team are broad and need to be flexible. However, team members are
assigned tasks based on their expertise. Bryan Hartley is the team leader. He is responsible for
organizing the team and delegating tasks, as well as coordinating the team. He is also the primary
Linux and C guru. Neal Rollins is responsible for the primary C coding, thus primary on the receiving
side of the system. Byrav Kadalur is responsible for socket programming, thus primary on the sending
side of the system. Chandy Kuriakose is responsible for other miscellaneous programming, such as
extracting the data from the PING log. These assignments are loose, and all members will end up
working on some of everything.
Deliverables
This project will result in several pieces of code. It will produce a program that constructs
specialized PING packets. It will have a program that will parse a log of PING events, and a Linux
kernel patch that enables PING logging. For a demonstration, the system will run in a virtual
environment, and the respective virtual machines can be made available as well.
Related documents
User DOS FOR Syntax
User DOS FOR Syntax
Chapter-2
Chapter-2
Networking LAN and beyond LAB
Networking LAN and beyond LAB
UDP Pinger - Network Systems Laboratory
UDP Pinger - Network Systems Laboratory
Trace Flow Presentation
Trace Flow Presentation
Document
Document
Chapter 8
Chapter 8
D4_PTAct_1.4.1.4_student
D4_PTAct_1.4.1.4_student
Solution to Wireshark Lab: ICMP
Solution to Wireshark Lab: ICMP
Wireshark Lap: ICMP
Wireshark Lap: ICMP
Wireshark: ICMP
Wireshark: ICMP
Wire Sharp IMCP & TraceRT Analysis
Wire Sharp IMCP & TraceRT Analysis
Ping - Wofford
Ping - Wofford
TCP/IP Network Administration, 2nd Edition
TCP/IP Network Administration, 2nd Edition
Lab Exercise – ICMP
Lab Exercise – ICMP
Download
advertisement