Steganographic communication systems subvert common expectations for how network-based communication is supposed to work and offer surprising advantages to computer security enthusiasts. Network protocols typically store data within the 'payload section' of a packet. However, utilizing IP, TCP, UDP, and ICMP headers for what would otherwise be 'in band' data transmission yields tangible benefits, including resistance to detection and enhanced privacy. The tool developed during the research for this talk sends innocent-looking data to a server while hiding its true datagrams where most analysts will not be able to find them. While in 'TCP mode', it submits an 'in band' HTTP GET request with its real data hidden within pseudo-random values found in IP headers. 'ICMP mode' gives users an ICMP-based control channel that is nearly identical to ordinary ping requests that users might initiate from a command line. In both of these cases, monitoring software will see traffic that mimics common network transmissions. These techniques also offer an added benefit of allowing remote control and data transmissions that bypass access control list security protections. Even if evasion isn't a primary goal, network-based steganography can enable control channels over ICMP or by using TCP ports that are already listening for otherwise legitimate purposes. This talk will provide real world guidance for the creation of these systems, including lessons learned and practical applications.
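For the monitoring side of the 'TCP mode' description above, here is an added example (not code from the talk or its tool) of one header-level check: it groups raw IPv4 headers by flow and flags flows whose Identification values are almost all pairs of printable ASCII bytes. The abstract does not say which header field carries the data, so the Identification field, the thresholds, the helper names and the sample packets are assumptions; data that is encrypted or whitened before embedding would not trip this heuristic.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt):
    """Return (src, dst, proto, ident) from a raw IPv4 header, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    ident = struct.unpack_from("!H", pkt, 4)[0]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], ident

def printable_ratio(idents):
    """Fraction of 16-bit IDs whose two bytes are both printable ASCII (0x20-0x7e)."""
    def printable(b):
        return 0x20 <= b <= 0x7E
    hits = sum(1 for i in idents if printable(i >> 8) and printable(i & 0xFF))
    return hits / len(idents)

def suspicious_flows(packets, min_packets=8, threshold=0.9):
    """Map (src, dst, proto) -> ratio for flows whose IDs look like text, not counters."""
    flows = defaultdict(list)
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr:
            flows[hdr[:3]].append(hdr[3])
    # Random IDs are printable in both bytes only about 14% of the time ((95/256)^2).
    scored = {k: printable_ratio(v) for k, v in flows.items() if len(v) >= min_packets}
    return {k: r for k, r in scored.items() if r >= threshold}

def make_header(src, dst, proto, ident):
    """Build a constructed 20-byte IPv4 header for the sample (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, 64, proto, 0,
                       bytes(src), bytes(dst))

# Constructed sample: one flow with arbitrary IDs, one whose IDs are ASCII text bytes.
ORDINARY_IDS = [0x1A2B, 0x9F03, 0x0042, 0xC7E1, 0x5D10, 0x83AA, 0xF00D, 0x2E99]
TEXT_IDS = struct.unpack("!8H", b"constructed data")
SAMPLE = ([make_header((192, 0, 2, 10), (198, 51, 100, 5), 6, i) for i in ORDINARY_IDS] +
          [make_header((192, 0, 2, 20), (198, 51, 100, 5), 6, i) for i in TEXT_IDS])

if __name__ == "__main__":
    for flow, ratio in suspicious_flows(SAMPLE).items():
        print(flow, f"printable-ID ratio {ratio:.2f}")
```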
Copyright 2020, IronGeek