Re: Establish persistent outbound connection for covert application

From: Jens Knoell (
Date: 08/25/05

  • Next message: Ansgar -59cobalt- Wiechers: "Re: Prevent use of Open Share"
    Date: Wed, 24 Aug 2005 16:32:43 -0600

    Hi David

    Reply off-list, since I'd rather keep this from prying eyes and avoid the usual
    ethical discussions that often ensue on this topic.

    On Tuesday 23 August 2005 16:17, David Siles <DS> wrote:
    > Hello all,
    > I am looking for some additional ideas for an application we are
    > trying to use for a law enforcement application.
    > We are currently using a product that allows us to install a software
    > shim on a suspect's PC and then connect into the PC at any given time
    > to perform forensic analysis. While this works great, we consistently
    > run into the problem of personal firewalls, NAT devices, SP2, and
    > other ACLs that prevent us from connecting into the suspect machine.

    To get around this is anything but trivial. Your application can try
    piggybacking on "legit" traffic or try and enumerate the firewall to find
    open outbound ports. As you probably know there often are ports open for
    external communication.

    If you do prefer inbound connections, you'd need to enumerate the suspect's
    network settings from the inside (i.e. find out if UPnP NAT is available on
    the router, which firewalls are running, etc.) and then communicate its
    findings back to a server or human somewhere.

    Host-based firewalls can often easily be defeated by adding a new service to
    the actual network layer. This is operating system dependent of course. I'll
    be damned if I remember what MS calls this, but it's in essence the same
    network hook a firewall hooks into. Similar hooks exist in most unix-like
    products except that they're more difficult to hide there.

    A few good pointers in that particular direction:
    - BackStealth Firewall circumvention
    - Firewalls: Made of straw?

    Piercing NAT is easier nowadays. Most routers support Universal Plug&Play for
    NAT and thus allow you to port forward any given port to your target machine.

    Enterprise level routers don't commonly support this feature or have it turned
    off. Piercing these can IMO only be done properly with a reverse connection.

    > While we usually have the suspect's full cooperation in the monitoring
    > efforts and we can initially configure their network and/or PC
    > configuration to allow this communication, things get changed. Also we
    > run into the problem with dynamic addressing changing on us, which can
    > be a pain to keep track of unless we install some type of dyn dns
    > solution.

    If you have the suspect's cooperation it might be easier for you to just drop
    in a "spybox". I use these every now and then, and they work like this:
    - Small form factor PC running linux on it
    - They get their IP dynamically if possible. If DHCP fails they analyze
    passing network traffic and grab their IP config based on a "best guess"
    - They "announce" themselves using DynDNS (I have my own DynDNS server for
    - Additionally they periodically try and connect back to my "monitoring
    machine" on a few standard ports (53,25,110,143,80,435)
    - They have the usual packet sniffing and ARP poisoning tools installed, just
    in case
    - They do have 2 network interfaces in case I want to chain them between a PC
    and a switch
    - They also have a wireless interface so I can hook into the machine if I am
    just close enough to them

    With these I can analyze or even record all network traffic remotely without
    having to install anything on the target machine. To some degree I can
    usually get onto some hard drives too, if the sniffer manages to crack a few
    passwords. The killer is the WLAN interface - I can get to it anytime I want,
    no matter the firewalls in the target network.

    [...stuff snipped...]
    > I am looking for something that will connect outbound, preferable
    > covertly as a background/hidden process (e.g. fooing a netcat/cryptcat
    > connection) to awaiting connection server or service for redirection.
    > SSH may be the best process here, but I don't like having to open an
    > SSH tunnel for this. The application we are using is already running
    > encrypted traffic, so adding another layer of encryption also slows it
    > down.

    Hiding traffic is difficult at best. You can encapsulate your traffic in ICMP
    packets if you want, or simply in an unused protocol (PPTP or IPsec for
    example) - but again, to a savvy user that'll be a red flag that something is

    Essentially you cannot effectively hide network traffic from a cautious admin.
    You can disguise it as say http traffic, but even then it'll trigger if it's
    at unusual hours.

    > The capability to make this application call home will be of great
    > benefit to many in the LEO community and if you're interested in what we
    > are doing, please feel free to contact me offlist.

    Making it call home is relatively easy, depending on your budget. If in doubt,
    add a cellphone interface and hook into that. Don't just focus on
    transferring the information you're after over the suspect's internet access -
    focus on other means of getting your data. WLAN interfaces, cellphone
    interfaces, even HAM Radio interfaces would work. It all depends on how much
    you need to hide the surveillance from the owner of that PC, and how far you
    want to depend on the PC running a specific OS (Windows vs. Mac vs. BSD vs.

    If you'd like to discuss further details please feel free to contact me


    With all the fancy scientists in the world, why can't they just once
    build a nuclear balm?
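As an added illustration from the defender's side, not part of Jens's post or of any tool he mentions: the post itself concedes that a call-home which connects back on a fixed schedule to a handful of standard ports, especially at unusual hours, is what a cautious admin will notice. The script below shows that check run over a small set of constructed outbound connection records. The log format (`timestamp,dst_ip,dst_port`), the addresses, the 15-minute period and the business-hours window are all assumptions made for this example; the port list is copied from the post as written.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections from one workstation.
# Format is an assumption for this example: "timestamp,dst_ip,dst_port".
# Lines 1-5 are a fixed 15-minute schedule at night; the rest is ordinary
# daytime browsing to a couple of web servers.
SAMPLE_LOG = """\
2005-08-24T02:00:03,198.51.100.7,110
2005-08-24T02:15:05,198.51.100.7,110
2005-08-24T02:30:02,198.51.100.7,110
2005-08-24T02:45:04,198.51.100.7,110
2005-08-24T03:00:03,198.51.100.7,110
2005-08-24T09:12:44,203.0.113.10,80
2005-08-24T09:13:10,203.0.113.10,80
2005-08-24T10:41:07,203.0.113.10,80
2005-08-24T14:05:59,203.0.113.22,80
2005-08-24T16:20:31,203.0.113.10,80
"""

# The "few standard ports" the post says a box would try to connect back on.
WATCHED_PORTS = {53, 25, 110, 143, 80, 435}

# Local business hours, 08:00-18:59; an assumption for this example.
BUSINESS_HOURS = range(8, 19)


def parse_log(text):
    """Parse the constructed CSV records into (datetime, dst_ip, dst_port)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, port = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, int(port)))
    return events


def find_beacons(events, min_events=4, max_jitter_ratio=0.1):
    """Group connections by destination and flag the ones whose inter-arrival
    gaps are nearly constant (low jitter relative to the mean gap).

    Returns {(dst_ip, dst_port): summary} for every flagged destination.  The
    summary records how much of the activity fell outside business hours and
    whether the port is one of the post's "standard" call-home ports.
    """
    by_dest = defaultdict(list)
    for ts, ip, port in events:
        by_dest[(ip, port)].append(ts)

    findings = {}
    for dest, times in by_dest.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # 0.0 means perfectly periodic
        if jitter > max_jitter_ratio:
            continue  # irregular: looks like a person, not a timer
        off_hours = sum(1 for t in times if t.hour not in BUSINESS_HOURS)
        findings[dest] = {
            "count": len(times),
            "period_s": round(avg),
            "jitter_ratio": round(jitter, 4),
            "off_hours_fraction": round(off_hours / len(times), 2),
            "watched_port": dest[1] in WATCHED_PORTS,
        }
    return findings


if __name__ == "__main__":
    for dest, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(dest, info)
```

Browsing to 203.0.113.10 also hits port 80 four times, but its gaps range from seconds to hours, so the jitter test discards it; the night-time 15-minute connections to 198.51.100.7:110 are flagged with an off-hours fraction of 1.0. On real flow or proxy logs the same two signals (regularity and time of day) are what make a disguised "http" call-home stand out, as the post says.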
