Covert Channel and Tunneling (Proof of Concept) Tools

Research Introduction

Here you can find some (older) covert channel proof of concept or tunneling tools. If you are interested in my covert channel research, take a look at the list of my publications.

Open Covert Channel Detector (2011-now)

Current release: ---, Current git version: ---

Like a network IDS, OpenCCD aims to detect covert channels. With OpenCCD, covert channel based data leakage will become detectable. The project just started and you can find more information on openccd.org.

vstt - ICMP, POP3 and plaintext tunnel via fifo/socket in/out (2006)

Current release: 0.5.0, Current SVN/CVS version: ---

vstt (very strange tunneling tool) is a program you can use to tunnel TCP connections (you can also tunnel anything else with it, as long as you can send and receive it through FIFOs). The key feature is that vstt can tunnel the connection through different protocols, which makes it useful in nearly every situation. It's also useful to bypass firewalls in security checks. This program is for legal purposes only!

key features

  • blank TCP stream socket tunnels for IPv4 & IPv6 - 98% done
  • POP3 tunnel (hide data in POP3 requests) for IPv4 & IPv6 - 92% done, already useful
  • ICMP Ping tunnel for IPv4 - 95% done
    • cutting big packets into small packets and re-assembling them
    • re-sending lost or damaged packets using its own (but slow) reliability protocol
  • accept input/output as a TCP stream socket or by a FIFO

Currently supported Platforms: i386 & amd64. Others may work too.
Currently supported Operating Systems: OpenBSD (tested on 4.0-current), Linux 2.6 (tested on 2.6.18)

Documentation

Full documentation: You can find the documentation in the subdirectory doc/ in the .tgz file in form of a .pdf file and as .tex file.

Online documentation: Can be found here.

Download

You can download all released versions of vstt here: http://www.wendzel.de/dr.org/files/Projects/vstt/.

TODO list

  • Port it to Solaris
  • Port it to big endian platforms
  • find+fix the bug in the POP3 tunnel stuff that happens if you tunnel SSH over POP3
  • implement DNS tunnels
  • implement ICMPv6 tunnels
  • (strong) encryption

phcct - protocol hopping covert channel tool (PoC, 2007)

phcct (protocol hopping covert channel tool) is a tiny and basic proof of concept implementation of a protocol hopping covert channel (see publication and research sections). In short: a protocol hopping covert channel is able to signal covert information while switching protocols to stay hidden.

key features

  • randomized tunneling through 3 different TCP protocols
  • it is cool ;)

Currently supported Platforms: i386 & amd64. Others may work too.
Currently supported Operating Systems: OpenBSD (tested on 4.2-current), Linux 2.6 (tested on 2.6.22.x)

Download

You can download all released versions of phcct here: http://www.wendzel.de/dr.org/files/Projects/phcct/.

TODO list

  • add encryption
  • add more protocols
  • add a packet mixing mode
  • kernel based implementation

pct - protocol channel tool (PoC, 2008)

pct (protocol channel tool) is a tiny and basic proof of concept implementation of a protocol channel (see publication and research sections). In short: a protocol channel signals covert information only through the use of an element of a set of protocols.

Download

You can download the PoC code here: http://www.wendzel.de/dr.org/files/Projects/pct/.