November 26th, 2003, 07:02 PM
Alright, I've come across a little programming/networking challenge while helping a friend out recently, so I'll cut right to it.
Develop a [hopefully simple] protocol/simple-as-possible program, in any self-contained form, to let two [basically default install] Windows 2k Pro computers communicate over a network with the following restrictions (seems easy so far, duh..):
- Done in unprivileged user mode.
- No WinMessenger broadcasts, don't want every user on the network bothered with it.
- Leave the smallest possibility of the hosts getting picked up by a port scan when listening (possibly only listen for short times).
- As few files as possible to keep up with and no traces left behind.
As you've probably figured, I'm trying to communicate secretly on a network. All I'm trying to come up with is a way to do it with as high a degree of secrecy as possible. As you also might have guessed, this is for use on a school network... well, that's what he wants anyways. I'm just trying to think of a way to do it, I probably won't give it to him. You know, make him figure it out himself or something. Plus, I'd then like to just play around with detecting that exchange anyways, just for fun.
All I need is a concept, no source or anything, that's my problem if I ever actually feel like putting it together. I'll let you know if I think something up.
Edit: Also, the data stream is not important, duh, I'll just pop on some encryption or whatever if I'm worried about that, the biggest problem is a constantly listening port if you get my idea here.
November 26th, 2003, 10:35 PM
on both boxen:
nc -vv -n <remote> 10062
nc -p10062 -L
although i show port 10062 there's no good reason for that. if you want to avoid port scans you can bind nc to the interface in front of an existing service
that would be the basic setup anyway and there are many ways to improve upon this.
as an example
echo start notepad commun.txt >commun.bat
start nc -L -p10063 -ecommun.bat
start nc -L -p10062 >>commun.txt
put this bat file on 2 floppy disks, one for each mach, along with a copy of Netcat
go to start>>run enter "a:\setup to start"
to send a msg from a cmd prompt:
nc <remote_mach> 10062 (you'll get a blinking cursor)
type your msg and enter then press 'ctrl+c' to close nc
enter nc <remote_mach> 10063
your msg will be opened by notepad on the remote mach
you could write a small program to automate this
you could also include the -d option so neither instance of nc will open cmd boxes
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
November 27th, 2003, 05:40 AM
Hide encrypted data in the payload portion of an ICMP packet.
Quick google search returns:
Looks like someone beat me to it.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
November 27th, 2003, 04:00 PM
Both options are good. Piggybacking the data in an ICMP (ping) packet will prevent the listener from being picked up by a portscan. Not a lot of people will pick up on a bit more ICMP traffic. So it's a bit more covert.
Netcat is probably easier to use. If you want some added protection against eavesdroppers you can always use cryptcat which is basically netcat with the added option to encrypt the stream.
Experience is something you don't get until just after you need it.
November 27th, 2003, 04:23 PM
Take a peek at Loki, an app designed to hide data in ICMP packets.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
November 28th, 2003, 06:07 AM
yeah, nc is certainly a good straightforward option. First I'm checking out ICMP stuff though, and remember, this is Win2k we're talking about, not linux (man wouldn't that be nice/simple)
couldn't find much other than references as an exploit/backdoor tool for loki, and I'm assuming it's *nix anyways. Right now I'm researching just putting data (maybe encrypted) in the data portion of an ICMP ping echo packet (ICMP message 0x8)
Found some interesting stuff:
Just change the char variable achReqData in ms_icmp.c and that changes the data sent (adjusting the respective length of course), it's usually just goofy stuff. Now I'm looking for something to listen for those sorts of things that can be run in unprivileged user mode in win2k...
November 28th, 2003, 07:18 AM
Sorry, wouldn't let me attach something to an edit...
Just some screen captures of the data going across the network, notice the data segment of the ECHO and REPLY packets. It works quite nicely, just need to get something to listen for it... outside of the kernel of win2k, cause that's obviously no good
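The original poster says the fun part is going to be detecting this exchange, and the last two posts show exactly what a detector would key on: the data segment of ECHO and REPLY packets. The following is an added example, not code from any poster in this thread. It inspects raw IPv4+ICMP frames (as a capture tool would hand them over; it does no capturing itself) and flags echo payloads that do not look like ordinary ping traffic. It assumes, as a baseline, that a default Windows ping carries the 32-byte payload 'abcdefghijklmnopqrstuvwabcdefghi' (an assumption; verify against your own hosts), and uses a simple heuristic that cleartext is nearly all printable while ciphertext mostly is not. All sample frames are constructed inline so the script runs offline.

```python
"""Spot ICMP echo payloads that do not look like ordinary ping traffic.

Added example for this thread, not code from any of the posters. The
Windows ping payload below is an assumed baseline; the sample frames are
constructed inline so the script runs without a capture driver.
"""
import struct

# Assumed baseline payload of the Windows ping utility (verify on your hosts).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IPPROTO_ICMP = 1
# Heuristic (assumption): text is almost all printable, ciphertext mostly is not.
BINARY_FRACTION_THRESHOLD = 0.3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, kind: int = ICMP_ECHO_REQUEST,
                    ident: int = 0x0200, seq: int = 1) -> bytes:
    """Construct a sample IPv4+ICMP echo frame (test input only, not a sender)."""
    icmp = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128,
                     IPPROTO_ICMP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def non_printable_fraction(data: bytes) -> float:
    """Share of bytes outside printable ASCII (0x20-0x7E); 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def inspect_icmp_packet(frame: bytes) -> dict:
    """Parse one IPv4/ICMP frame and list why its echo payload looks abnormal, if it does."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_ICMP:
        return {"icmp": False, "suspicious": False, "reasons": []}
    icmp = frame[ihl:]
    kind, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    payload = icmp[8:]
    reasons = []
    if kind in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        if payload != WINDOWS_PING_PAYLOAD:
            reasons.append("payload differs from baseline ping pattern")
        if len(payload) != len(WINDOWS_PING_PAYLOAD):
            reasons.append("unusual payload length %d" % len(payload))
        if non_printable_fraction(payload) > BINARY_FRACTION_THRESHOLD:
            reasons.append("mostly non-printable payload (possibly encrypted)")
    return {
        "icmp": True,
        "type": kind,
        "id": ident,
        "seq": seq,
        "checksum_ok": inet_checksum(icmp) == 0,  # a valid ICMP header+data sums to zero
        "payload_len": len(payload),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def suspicious_frames(frames):
    """Return (index, reasons) for every frame the inspector flags."""
    return [(i, r["reasons"]) for i, r in enumerate(map(inspect_icmp_packet, frames))
            if r["suspicious"]]


# Constructed sample traffic: a normal ping request and reply, a cleartext note,
# and a stand-in for ciphertext (fixed non-printable bytes so the run is deterministic).
SAMPLE_FRAMES = [
    build_icmp_echo(WINDOWS_PING_PAYLOAD),
    build_icmp_echo(WINDOWS_PING_PAYLOAD, kind=ICMP_ECHO_REPLY),
    build_icmp_echo(b"meet at the lab at 3"),
    build_icmp_echo(bytes(range(0x80, 0xA0))),
]

if __name__ == "__main__":
    for idx, reasons in suspicious_frames(SAMPLE_FRAMES):
        print("frame %d: %s" % (idx, "; ".join(reasons)))
```

The two ordinary ping frames pass; the cleartext note is flagged for differing from the baseline and for its length, and the ciphertext stand-in for differing from the baseline and being mostly non-printable. On a real network the baseline should be learned from the hosts in use (different ping implementations send different patterns), and the length check matters because a sender can easily pad a message to 32 bytes, which is why the content comparison is kept separate from the length comparison.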