Dissembling Ferret - Exploiting covert channels in the TCP/IP protocol suite.


Dissembling Ferret is a tool for exploiting covert channels in the TCP/IP protocol suite. It is built for blue teams to validate security assumptions and vendor claims about defensive technologies: if fake sensitive data can leave the network inside IP, TCP, DNS or HTTP headers without an alert, the control in question does not do what the datasheet says.

[Screenshot: Start server]

Features:
– Firewall Tests
* The test data we’ll be sending will be fake:
+ social security numbers
+ credit card numbers (name? security code?)
– Covert Channel Tests
* A plus sign next to the item means the code has been written for the test.
+ IP Identification field
+ This likely will NOT work
+ Initial sequence numbers
+ This should slip through the cracks
+ Bounce ACK sequence numbers
+ This spoofs the source address (reveals our server)
+ Smuggle data in DNS packets
+ If we use a rogue DNS server then we will likely be detected.
+-+ Spoof source with destination of 8.8.8.8.
+ Smuggle data over HTTP
+ This method is louder than previous methods but can still be obscure and difficult to detect.
– IP ID field – RFC 6864 – Updated Specification of the IPv4 ID Field. Under RFC 6864 the ID of an unfragmented (atomic) datagram carries no meaning, so a value chosen by the sender may be rewritten by middleboxes along the path; this is why the IP ID channel above is flagged as likely not working.
– Protocol header tests for IP, TCP and DNS.
– SYN packet scans: the SYN packets various applications send when initiating and establishing new connections.
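The two TCP/IP header channels in the list above (IP Identification field and TCP initial sequence number) are small enough to show end to end. The block below is an added example written for this README, not code from the Dissembling Ferret project: it hand-builds IPv4/TCP SYN packets with the standard library instead of Scapy so it runs offline, encodes a constructed fake test value into either field, terminates the message with a packet carrying TTL 60 (the end-of-message indicator proposed in the TODO list; the exact marker is an assumption), and then decodes the bytes the way a network sensor would have to, verifying the IP checksum on the way. Addresses, ports and the filler ISN are constructed sample values. Nothing is sent on the wire.

```python
"""Covert data in the IPv4 ID field and the TCP ISN (added example, not project code)."""
import struct

SRC_IP, DST_IP = "10.0.0.5", "192.0.2.10"   # constructed sample addresses
DATA_TTL = 64                               # normal TTL for data-carrying packets
END_TTL = 60                                # assumed end-of-message marker (see TODO list)
FILLER_ISN = 0x11223344                     # constructed filler; a real sender would randomise


def ip_checksum(data: bytes) -> int:
    """Standard RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_syn(ip_id: int, isn: int, ttl: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal 40-byte IPv4 + TCP SYN with the two covert fields set by the caller."""
    src = bytes(int(o) for o in SRC_IP.split("."))
    dst = bytes(int(o) for o in DST_IP.split("."))
    # IPv4: ver/IHL, TOS, total length, ID, flags+frag (DF), TTL, proto 6, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # TCP: sport, dport, seq (ISN), ack, data offset 5, flags SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 0x50, 0x02, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # pseudo-header for TCP csum
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


def encode(msg: bytes, channel: str) -> list:
    """One SYN per 2-byte (ipid) or 4-byte (isn) chunk, then a TTL=60 terminator.

    Trailing NUL padding of the last chunk is stripped again by decode(), so
    messages that legitimately end in NUL bytes are not supported by this toy."""
    width = 2 if channel == "ipid" else 4
    pkts = []
    for i in range(0, len(msg), width):
        chunk = int.from_bytes(msg[i:i + width].ljust(width, b"\x00"), "big")
        if channel == "ipid":
            pkts.append(build_syn(ip_id=chunk, isn=FILLER_ISN, ttl=DATA_TTL))
        else:
            pkts.append(build_syn(ip_id=0x1234, isn=chunk, ttl=DATA_TTL))
    pkts.append(build_syn(ip_id=0, isn=0, ttl=END_TTL))
    return pkts


def decode(pkts: list, channel: str) -> bytes:
    """Recover the message from raw packets; stops at the TTL=60 terminator."""
    out = b""
    for p in pkts:
        ihl = (p[0] & 0x0F) * 4
        if ip_checksum(p[:ihl]) != 0:          # a valid header sums to zero
            raise ValueError("bad IP checksum")
        if p[8] == END_TTL:
            break
        out += p[4:6] if channel == "ipid" else p[ihl + 4:ihl + 8]
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    fake_card = b"4111111111111111"           # constructed test card number, not real data
    for ch in ("ipid", "isn"):
        pkts = encode(fake_card, ch)
        print(ch, len(pkts), "packets ->", decode(pkts, ch))
```

The decoder is the part a defender should look at: it needs only the IP header length, the TTL, the ID field and the first four bytes of the TCP header, which is exactly the amount of parsing a sensor must do before it can ask whether those fields look like a real stack's values. With 2 bytes per SYN in the ID field and 4 in the ISN, a 16-digit card number costs 9 and 5 packets respectively, small enough to hide in a normal burst of connection attempts.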

[Screenshot: disassembling packet]

TODO:
+ add an end-of-message indicator, ttl=60
– add try, except where appropriate
– add mode [demo, live]
-+- demo mode will send packets immediately
-+- live mode will send 1 packet per second 3 times, once a minute (adjustable)???
– add bounce functionality
-+- i.e. bounce SYN packet off an active web server check ACK seq number
– Add dummy packet data to mimic real traffic. (should we bother?)
– Add TODOs to the issue queue on github.
– Add more tests, other than the covert TCP/IP channel

[Screenshot: create packet using scapy]

Dependencies:
+ python 2.7.x
+ Python Scapy
+ Python Netifaces

Use and download from source:

Source: https://github.com/clayball