Re: Establish persistent outbound connection for covert application
From: Jens Knoell (jens_at_surefoot.com)
To: firstname.lastname@example.org
Date: Wed, 24 Aug 2005 16:32:43 -0600
reply off-list since I'd rather keep this from prying eyes and avoid the usual
ethical discussions that often ensue on this topic.
On Tuesday 23 August 2005 16:17, David Siles <DS> wrote:
> Hello all,
> I am looking for some additional ideas for an application we are
> trying to use for a law enforcement application.
> We are currently using a product that allows us to install a software
> shim on a suspect's PC and then connect into the PC at any given time
> to perform forensic analysis. While this works great, we consistently
> run into the problem of personal firewalls, NAT devices, SP2, and
> other ACLs that prevent us from connecting into the suspect machine.
To get around this is anything but trivial. Your application can try
piggybacking on "legit" traffic or try and enumerate the firewall to find
open outbound ports. As you probably know there often are ports open for
If you do prefer inbound connections, you'd need to enumerate the suspect's
network settings from the inside (i.e. find out if UPnP NAT is available on
the router, which firewalls are running etc.) and then communicate its
findings back to a server or human somewhere.
Host-based firewalls can often easily be defeated by adding a new service to
the actual network layer. This is operating system dependent of course. I'll
be damned if I remember what MS calls this, but it's in essence the same
network hook a firewall hooks into. Similar hooks exist in most unix-like
products except that they're more difficult to hide there.
Piercing NAT is easier nowadays. Most routers support Universal Plug&Play for
NAT and thus allow you to port forward any given port to your target machine.
Enterprise level routers don't commonly support this feature or have it turned
off. Piercing these can IMO only be done properly with a reverse connection.
> While we usually have the suspect's full cooperation in the monitoring
> efforts and we can initially configure their network and/or PC
> configuration to allow this communication, things get changed. Also we
> run into the problem with dynamic addressing changing on us, which can
> be a pain to keep track of unless we install some type of dyn dns
If you have the suspect's cooperation it might be easier for you to just drop
in a "spybox". I use these every now and then, and they work like this:
- Small form factor PC running Linux on it
- They get their IP dynamically if possible. If DHCP fails they analyze
passing network traffic and grab their IP config based on a "best guess"
- They "announce" themselves using DynDNS (I have my own DynDNS server for
- Additionally they periodically try and connect back to my "monitoring
machine" on a few standard ports (53,25,110,143,80,435)
- They have the usual packet sniffing and ARP poisoning tools installed, just
- They do have 2 network interfaces in case I want to chain them between a PC
and a switch
- They also have a wireless interface so I can hook into the machine if I am
just close enough to them
With these I can analyze or even record all network traffic remotely without
having to install anything on the target machine. To some degree I can
usually get onto some hard drives too, if the sniffer manages to crack a few
passwords. The killer is the WLAN interface - I can get to it anytime I want,
no matter the firewalls in the target network.
> I am looking for something that will connect outbound, preferably
> covertly as a background/hidden process (e.g. fooing a netcat/cryptcat
> connection) to an awaiting connection server or service for redirection.
> SSH may be the best process here, but I don't like having to open an
> SSH tunnel for this. The application we are using is already running
> encrypted traffic, so adding another layer of encryption also slows it
Hiding traffic is difficult at best. You can encapsulate your traffic in ICMP
packets if you want, or simply in an unused protocol (PPTP or IPsec for
example) - but again, to a savvy user that'll be a red flag that something is
Essentially you cannot effectively hide network traffic from a cautious admin.
You can disguise it as, say, HTTP traffic, but even then it'll trigger if it's
at unusual hours.
> The capability to make this application call home will be of great
> benefit to many in the LEO community and if you're interested in what we
> are doing, please feel free to contact me offlist.
Making it call home is relatively easy, depending on your budget. If in doubt,
add a cellphone interface and hook into that. Don't just focus on
transferring the information you're after over the suspect's internet access -
focus on other means of getting your data. WLAN interfaces, cellphone
interfaces, even HAM Radio interfaces would work. It all depends on how much
you need to hide the surveillance from the owner of that PC, and how far you
want to depend on the PC running a specific OS (Windows vs. Mac vs. BSD vs.
If you'd like to discuss further details please feel free to contact me
-- With all the fancy scientists in the world, why can't they just once build a nuclear balm?
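A defender-side check for the periodic connect-back pattern discussed in this thread (a box that tries its monitoring host on a few standard ports at fixed intervals, which the reply notes is what a cautious admin spots, especially at unusual hours). This is an added example, not code from the original thread or from either poster; the log format, the sample hosts and the jitter and working-hours thresholds are constructed assumptions.

```python
# Added example (not code from the original thread): flag periodic outbound
# "call-home" connections on the ports the reply lists, and report how many
# of them fall outside working hours, since the reply notes that traffic at
# unusual hours is what gives such a channel away.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>" per line.
SAMPLE_LOG = """\
2005-08-24T02:00:05 10.0.0.7 203.0.113.9 53
2005-08-24T02:10:07 10.0.0.7 203.0.113.9 53
2005-08-24T02:20:04 10.0.0.7 203.0.113.9 53
2005-08-24T02:30:06 10.0.0.7 203.0.113.9 53
2005-08-24T09:12:41 10.0.0.7 198.51.100.20 80
2005-08-24T09:13:02 10.0.0.7 198.51.100.20 80
2005-08-24T11:47:19 10.0.0.7 198.51.100.20 80
2005-08-24T15:05:33 10.0.0.7 198.51.100.20 80
"""

WATCH_PORTS = {53, 25, 110, 143, 80, 435}  # the "standard ports" in the reply
WORK_HOURS = range(8, 19)                  # 08:00-18:59 counts as usual hours


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        conns[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return [(src, dst, port, mean_gap_s, off_hours_fraction)] for flows whose
    inter-connection gaps are nearly constant (std-dev / mean <= max_jitter)."""
    findings = []
    for (src, dst, port), times in parse_log(text).items():
        if port not in WATCH_PORTS or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            off = sum(t.hour not in WORK_HOURS for t in times) / len(times)
            findings.append((src, dst, port, round(avg), off))
    return findings
```

On the constructed log, only the 10-minute cadence to port 53 at 02:00 is reported; the daytime port 80 traffic has irregular spacing and is ignored. Real sensors would feed firewall or NetFlow records into the same grouping.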