You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Reload to refresh your session.You switched accounts on another tab or window.Reload to refresh your session.Dismiss alert
Covert packet transmission - Embed messages or files in UDP/TCP/ICMP headers
Background
Packet-agent is designed to transmit a secret message or file via TCP/UDP/ICMP, by concealing encrypted data within the protocol header, while transmitting the packet with no visible data on the network.
Packet-agent will transmit innocuous looking packets with no data, while encupsulating your message within a series of headers.
Uses
Whistleblowing
While working for[insert evil company/government here] you need to send a top-secret file to a trusted destination, while avoiding the eyes of the network sysadmin, packet-sniffers, deep-packet inspection and traffic sensors on the local network.
IOT device
An important IOT device requires a network connection to send a status to a remote host, however the firewall on the WAN is restrictive, deep-packet inspection is active and blocking normal traffic.
Education
After having a major nose-bleed researching with the latest Javascript framework and going mad after the last code-review for your teams .net/PHP application, you yearn to get your hands dirty creating raw TCP/UDP packets, messing with IP protocols, and having fun with low-level networking.
Methods
Source-port UDP
Embed a message by using the UDP source-port to encapsulate data with 2-bytes per connection.
Example
Running the Server
Messages displayed to STDOUT
$ go run packetagent-server.go -privkey ./mykey.pemListening on port :8053 (UDP)
Export to a directory
Messages received are exported to the specified directory, saved by the MD5 sum of the receiving data.
$ go run packetagent-server.go -privkey ./mykey.pem -export ./data/Listening on port :8053 (UDP)127.0.0.1 => Writing to ./data/90d7e87ab11a7cc3257e0057c4e5cb8a
Server Usage
-export string Export to a specified directory (./data) -port string Listen on specified port (UDP) (default ":8053") -privkey string Decrypt data using private RSA key (optional) -verbose Flag for verbose output
Client - Send a message
Ceaser, famously used an elementaryencryption format to relay messages - "Attack at dawn" is one such famous message sent.
$ go run packetagent-client.go -message "Attack at dawn" -pubkey mykey.pubTransmitting message => Attack at dawnDialing ☎️ => 127.0.0.1:8053 122 / 204 [========>------------------------] 59.80% 1s 204 / 204 [=================================] 100.00% 0s
-broadcast Broadcast to subnet (UDP only) -file string Send a file (<32kb recommended) -message string Message to transmit (default "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=") -port int Connect on specified port (UDP) (default 8053) -pubkey string Public RSA key to encrypt data (optional) -server string Connect to specified server (localhost) (default "127.0.0.1") -sleep int Pause for X milliseconds between packets (1ms) (default 1) -source string Source IP address -verbose Flag for verbose output
tcpdump
To test, capture all UDP packets on localhost - Note the data length is 0, headers are only transmitted with our message encrypted using the specified public/private-key.
$ tcpdump -i lo0 udp20:53:44.708462 IP localhost.35331 > localhost.senomix02: UDP, length 020:53:44.709647 IP localhost.21268 > localhost.senomix02: UDP, length 020:53:44.711355 IP localhost.36172 > localhost.senomix02: UDP, length 020:53:44.712985 IP localhost.12937 > localhost.senomix02: UDP, length 020:53:44.714733 IP localhost.41653 > localhost.senomix02: UDP, length 0...204 packets captured204 packets received by filter
How it works
Benefits
Cons
Source address
Coming soon. Send packets with a forged source addresses, while concelling a message within the source address.
TCP ID header
Coming soon. Embedding data within the TCP ID header.
ICMP
Coming soon. Embedding data within the ICMP header.
Encryption
Optionally messages can be encrypted using a specified RSA public key. Since the purpose of PacketAgent is to prevent data sent over the network and prevent the server from sending data back to the client, TLS is not used, rather PacketAgent will encrypt messages by:
The client will generate a Shared-key (AES-256), encrypting this using the specified RSA public-key
The message payload is encrypted using the Shared-key generated
The server receives the message and decrypts the Shared-key using the specified RSA key, and the remaining payload is decrypted from the shared-key.
[AES-256 Shared Key encrypted using RSA public-key][Payload encrypted with Shared-key]
Credits
Logo ANSI art made by Green Hornet (1996)
Inspiration for encapulating messages via the TCP ID header from Craig H. Rowland (covert.c)
