Definitions
Trojans: A program that appears to be a legitimate program but in fact performs some malicious function.
Backdoor: A secret entry point to a system that allows someone who knows about it to gain unauthorized access.
Viruses: A piece of malicious code attached to a program that replicates by attaching itself to other programs.
Worm: A standalone program that propagates copies of itself across the network.
Example
Covert channels are important for hiding activity from the system owner when an attacker communicates through a backdoor. A covert channel is a communication channel that is used in a way that was not intended.
There are many reasons for using a covert channel, but as an ethical hacker you should know that a covert channel can be used to communicate directly with the target in order to keep maintaining the server, or to launch an attack against another system via the target. In this way the attacker can hide himself from the second target.
I am going to show a Linux utility called ptunnel – tunnel TCP connections over ICMP echo request/reply packets.
From its man page:
ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. At first glance, this might seem like a rather useless thing to do, but it can actually come in handy in some cases. The following example illustrates the main motivation in creating ptunnel:
Setting: You’re on the go, and stumble across an open wireless network. The network gives you an IP address, but won’t let you send TCP or UDP packets out to the rest of the internet, for instance to check your mail. What to do? By chance, you discover that the network will allow you to ping any computer on the rest of the internet. With ptunnel, you can utilize this feature to check your mail, or do other things that require TCP.
I believe the scenario the author discussed was tricky, since using a service you are not authorized to use is illegal. However, one can argue that since ICMP is allowed by the network, there is nothing illegal about it. My suggestion: just play safe and do not try it in that scenario. Instead, use this tool in your home network.
As ethical hackers we footprint a system, scan it, enumerate users, crack passwords, and then gain access. We elevate our privileges and plant some rootkits. We now want to attack another server over an ssh connection, but we want to cover ourselves. We are going to use ptunnel on the already compromised target, so the system owner will only see lots of ICMP echo request and reply packets instead of the actual commands we are running to communicate with the system. Consequently we hide our activity from him/her while launching the attack against the other server.
Installation
On a Debian-based system you can install ptunnel with this command:
apt-get install ptunnel
Note: We need to install ptunnel on our own computer (the client) and also on the proxy computer (compromisedTarget).
Action
On compromisedTarget run ptunnel as the proxy. With no arguments it runs in proxy mode; it needs root because it sends and receives raw ICMP packets:
sudo ptunnel
Here compromisedTarget is the target we already have access to (already hacked). The second target, secondTarget, is the one we want to attack.
On your local computer run the following command (the original post had the proxy host and the listen port swapped; per the ptunnel man page, -p takes the proxy address and -lp the local listen port):
sudo ptunnel -p compromisedTarget -lp 12345 -da secondTarget -dp 22
We are attacking the ssh server of secondTarget to gain access. There are lots of automated tools like Hydra, brutessh, and sshater that you can configure for a brute-force attack. For simplicity I am using the ssh command for manual attempts to guess the password.
ssh -p 12345 localhost
Now our ssh packets are sent through the ICMP tunnel established with compromisedTarget. The owner of compromisedTarget will see lots of ICMP echo request/reply packets, but those packets actually carry our ssh attack.
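From the defender's side, "lots of ICMP echo request/reply packets" is not all the owner of compromisedTarget gets to see: tunnelled TCP does not look like ping at the payload level. The following Python script is an added example, not part of this post and not code from the ptunnel project, showing how a covert ICMP channel of the kind described above (and in the covert-channel section earlier) can be spotted from decoded echo packets. It groups packets by host pair and flags pairs whose payloads are not the filler a stock ping utility sends, judged by payload entropy and by volume. The packet records are constructed for illustration; the ping filler patterns and the thresholds are assumptions that must be tuned against a baseline of your own network's normal ping traffic.

```python
"""Heuristic detector for ICMP covert channels over decoded echo packets.

Added example, not from the original post or from ptunnel. Sample records are
constructed; thresholds and filler patterns are assumptions to tune locally.
"""
import hashlib
from collections import defaultdict
from math import log2

ECHO_REQUEST = 8
ECHO_REPLY = 0

# Fixed 32-byte filler sent by Windows ping (assumption about its default).
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

# Tuning knobs (assumptions, not derived from any standard).
ENTROPY_THRESHOLD = 6.0    # bits/byte; stock ping filler stays well below this
MAX_NONSTOCK_BYTES = 4096  # non-ping payload bytes per host pair per window
NONSTOCK_RATIO = 0.5       # fraction of a pair's packets with unrecognised payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for an empty payload."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_like_stock_ping(payload: bytes) -> bool:
    """Recognise default ping filler: Windows' fixed string, or Linux ping's
    8- or 16-byte timestamp followed by bytes equal to their own offset
    (0x10 0x11 0x12 ... wrapping at 0xff). Assumption about those utilities."""
    if payload == WINDOWS_PATTERN:
        return True
    for ts_len in (8, 16):
        if len(payload) > ts_len + 8 and all(
            payload[i] == i & 0xFF for i in range(ts_len, len(payload))
        ):
            return True
    return False


def analyze(records):
    """Group echo packets by unordered host pair and flag pairs whose payloads
    do not look like ping. Each record: dict with src, dst, icmp_type, payload."""
    stats = defaultdict(lambda: {"packets": 0, "nonstock": 0,
                                 "nonstock_bytes": 0, "entropy_sum": 0.0})
    for r in records:
        if r["icmp_type"] not in (ECHO_REQUEST, ECHO_REPLY):
            continue
        s = stats[tuple(sorted((r["src"], r["dst"])))]
        s["packets"] += 1
        if looks_like_stock_ping(r["payload"]):
            continue  # stock filler contributes nothing to the score
        s["nonstock"] += 1
        s["nonstock_bytes"] += len(r["payload"])
        s["entropy_sum"] += shannon_entropy(r["payload"])

    findings = {}
    for pair, s in stats.items():
        reasons = []
        if s["nonstock"]:
            mean_entropy = s["entropy_sum"] / s["nonstock"]
            if (s["nonstock"] / s["packets"] > NONSTOCK_RATIO
                    and mean_entropy > ENTROPY_THRESHOLD):
                reasons.append("high_entropy_payloads")
        if s["nonstock_bytes"] > MAX_NONSTOCK_BYTES:
            reasons.append("excess_volume")
        if reasons:
            findings[pair] = {"reasons": reasons, **s}
    return findings


# --- constructed sample capture (not real traffic) -------------------------
def linux_ping_payload(size: int, ts_len: int = 16) -> bytes:
    """Mimic Linux ping filler: fake timestamp, then offset-valued bytes."""
    ts = (1700000000).to_bytes(ts_len, "little")
    return ts + bytes(i & 0xFF for i in range(ts_len, size))


def pseudo_random_bytes(n: int, seed: str) -> bytes:
    """Deterministic high-entropy bytes standing in for tunnelled TCP data."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def exchange(a, b, count, payload_fn):
    """`count` echo requests a->b, each answered by a reply b->a."""
    recs = []
    for seq in range(count):
        recs.append({"src": a, "dst": b, "icmp_type": ECHO_REQUEST, "payload": payload_fn(seq)})
        recs.append({"src": b, "dst": a, "icmp_type": ECHO_REPLY, "payload": payload_fn(seq)})
    return recs


SAMPLE_PACKETS = (
    exchange("10.0.0.5", "8.8.8.8", 4, lambda _: linux_ping_payload(56))         # plain ping
    + exchange("10.0.0.9", "10.0.0.1", 2, lambda _: WINDOWS_PATTERN)            # Windows ping
    + exchange("10.0.0.12", "10.0.0.1", 4, lambda _: linux_ping_payload(1400))   # ping -s 1400
    + exchange("10.0.0.5", "10.0.0.77", 6,                                       # tunnel-like
               lambda seq: pseudo_random_bytes(1000, f"tunnel{seq}"))
)

if __name__ == "__main__":
    for pair, f in analyze(SAMPLE_PACKETS).items():
        print(pair, f["reasons"], f"{f['nonstock_bytes']} non-ping payload bytes")
```

Only the 10.0.0.5/10.0.0.77 pair is reported, for both reasons. The deliberately oversized `ping -s 1400` pair is not flagged even though its packets are large and, by byte count, high-entropy: its payload still matches the stock filler, which is why the check inspects payload content rather than packet size alone. To use this on real traffic, decode ICMP from a capture into the same record shape and establish the thresholds from a quiet baseline first.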