Dissembling Ferret is a tool for exploiting covert channels in the TCP/IP protocol suite, built for blue teams to validate security assumptions and vendor claims about defensive technologies.
– Firewall Tests
  * The test data we'll be sending will be fake:
    + social security numbers
    + credit card numbers (name? security code?)
– Covert Channel Tests
  * A plus sign next to an item means the code for that test has been written.
    + IP Identification field
      This likely will NOT work.
    + Initial sequence numbers
      This should slip through the cracks.
    + Bounce ACK sequence numbers
      This spoofs the source address (reveals our server).
    + Smuggle data in DNS packets
      If we use a rogue DNS server then we will likely be detected.
      + Spoof source with destination of 220.127.116.11.
    + Smuggle data over HTTP
      This method is louder than the previous methods but can still be obscure and difficult to detect.
– IP ID – RFC 6864 – Updated Specification of the IPv4 ID Field.
– Protocol header tests with IP, TCP and DNS.
– SYN packet scans: the SYN packets that various applications send when initiating and establishing new connections.
+ add an end-of-message indicator, ttl=60
– add try/except where appropriate
– add mode [demo, live]
  + demo mode will send packets immediately
  + live mode will send 1 packet per second 3 times, once a minute (adjustable)???
– add bounce functionality
  + i.e. bounce a SYN packet off an active web server and check the ACK sequence number
– Add dummy packet data to mimic real traffic. (should we bother?)
– Add TODOs to the issue queue on GitHub.
– Add more tests, other than the covert TCP/IP channel
+ python 2.7.x
+ Python Scapy
+ Python Netifaces
Download and use from source:
git clone https://github.com/clayball/Dissembling-Ferret && cd Dissembling-Ferret
Be sure all dependencies have been installed.
Create a packet by starting Scapy in your terminal: sudo scapy
p=IP(src='192.168.1.210', dst='127.0.0.1')/TCP(dport=80, flags='S', seq=37337)
Open a shell terminal and watch for SYN packets on the lo interface with a window size greater than 8188:
sudo tcpdump -nxxv -i lo 'tcp[13] == 2 && tcp[14:2] > 8188'
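As an added example for the defending side (not part of Dissembling Ferret), the same SYN-only, window-greater-than-8188 check as the tcpdump filter above, written in plain Python over raw IPv4/TCP bytes, plus a heuristic that flags SYNs whose IP ID or ISN fields consist entirely of printable ASCII. The sample packets are constructed inline; the "printable bytes" heuristic assumes smuggled text is placed raw into those fields, which the project's own encoding may not do.

```python
import struct

SYN = 0x02  # TCP flag bits: SYN set, nothing else (what tcp[13] == 2 matches)

def build_ipv4_tcp(ip_id, seq, window, flags=SYN,
                   src=b'\xc0\xa8\x01\xd2', dst=b'\x7f\x00\x00\x01'):
    """Constructed test input: minimal IPv4+TCP packet, checksums left as zero."""
    tcp = struct.pack('!HHIIHHHH', 40000, 80, seq, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return the header fields a covert-channel review cares about, or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, ip_id, _, ttl, proto, _, src, dst = struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack('!HHIIHHHH', pkt[ihl:ihl + 20])
    return {'src': '.'.join(map(str, src)), 'dst': '.'.join(map(str, dst)), 'ttl': ttl,
            'ip_id': ip_id, 'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
            'flags': off_flags & 0x1FF, 'window': window}

def printable(value, nbytes):
    """Heuristic (assumption): every byte of the field is printable ASCII, as raw smuggled text would be."""
    return all(0x20 <= b < 0x7F for b in value.to_bytes(nbytes, 'big'))

def review_syn(pkt, window_threshold=8188):
    """Mirror the tcpdump filter (SYN-only, window > threshold) and add the two field-pattern checks.
    Returns a list of human-readable reasons; an empty list means nothing stood out."""
    f = parse_ipv4_tcp(pkt)
    if f is None or f['flags'] != SYN:
        return []
    reasons = []
    if f['window'] > window_threshold:
        reasons.append('window %d > %d' % (f['window'], window_threshold))
    if printable(f['ip_id'], 2):
        reasons.append('ip_id 0x%04x is two printable bytes' % f['ip_id'])
    if printable(f['seq'], 4):
        reasons.append('isn 0x%08x is four printable bytes' % f['seq'])
    return reasons

# Constructed sample traffic: an ordinary SYN, one with an oversized window,
# and one carrying text in the IP ID ("AB") and ISN ("SSN1") fields.
SAMPLES = {
    'normal': build_ipv4_tcp(ip_id=0x1A2B, seq=37337, window=5840),
    'window': build_ipv4_tcp(ip_id=0x1A2B, seq=37337, window=65535),
    'ipid_text': build_ipv4_tcp(ip_id=0x4142, seq=0x53534E31, window=5840),
}

if __name__ == '__main__':
    for name, pkt in SAMPLES.items():
        print(name, review_syn(pkt) or 'clean')
```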
in another shell: