Covert Channel Software


1. CCEAP - Covert Channel Educational Analysis Protocol (2016)

The Covert Channel Educational Analysis Protocol (CCEAP) is a network protocol designed for teaching covert channels to professionals and students.

The protocol is explicitly vulnerable against several hiding patterns so that switching protocols while explaining hiding patterns is not necessary. The protocol's structure is simple and self-explanatory and its implementation is kept at a minimum level of code lines to make it especially accessible to students.

You can download the code here: and the documentation is available here:

  • S. Wendzel and W. Mazurczyk: Poster, An Educational Network Protocol for Covert Channel Analysis Using Patterns, in Proc. 23rd ACM Conference on Computer and Communications Security (CCS), 2016.

2. NEL Tool (2017)

In Network Steganography research, a covert channel is a stealthy communication channel, see (Mazurczyk et al., 2016) for an introduction. Some covert channels are capable of performing a so-called Network Environment Learning phase (or: NEL phase, see (Yarochkin et al., 2008) and (Wendzel, 2012). Such NEL-capable covert channels

  • can determine how exactly data can be covertly exchanged between sender and receiver, and
  • which types stealthy data transmissions will be blocked/modified by an active warden (e.g. a firewall or a traffic normalizer).
For instance, certain network packets of the covert channel may be blocked by an active warden as they set reserved header bits to '1' (a typical filter rule of an active warden could simply clear the bit to prevent a covert channel).

Although the NEL phase was originally discussed in academia about ten years ago, no implementation was made available by other researchers. With NEL, we provide the first public implementation of a NEL phase on the basis of scapy and libpcap. NEL is written in C and runs best under Linux.

An initial academic publication for this NEL tool is currently under review. More information about the NEL phase and our tool will be provided in the coming months.

References and own publications:

3. vstt - ICMP, POP3 and plain-text tunnel via fifo/socket in/out (2006)

vstt (very strange tunneling tool) is a program written to tunnel TCP connections (you can also tunnel everything else with it as long as you can send/receive data via FIFOs). The key feature is that vstt is capable to tunnel the connection trough different protocols what makes it useful in nearly every situation that requires to bypass a firewall. vstt is for legal purposes only!

Key Features
  • blank TCP steam socket tunnels for IPv4 & IPv6 (98% done)
  • POP3 tunnel (hide data in POP3 requests) for IPv4 & IPv6 (92% done, already useful)
  • ICMP ping tunnel for IPv4 (95% done)
    • payload auto-fragmentation and re-assembling
    • re-send lost or damaged packets using an own (but slow) reliability protcol
  • accept input/output as TCP stream socket or via FIFO
Currently supported Platforms: i386 & amd64. Others may work, too.

Currently supported Operating Systems: OpenBSD (tested on 4.0-current), Linux 2.6 (tested on 2.6.18)

You can find the documentation in the sub directory doc/ of the .tgz file in form of a .pdf file as well as in form of a .tex file.

The online documentation can be found here.

You can download all released versions of vstt here:

Open Tasks
  • Solaris port
  • find+fix the bug in the POP3 tunnel stuff that happens if you tunnel SSH over POP3 

4. phcct - protocol hopping covert channel tool (PoC, 2007)

phcct (protocol hopping covert channel tool) is a tiny and basic proof of concept implementation of a protocol hopping covert channel (cf. my publications). In short, a protocol hopping covert channel is able to signal covert information while switching utilized network protocols to stay hidden.

Key Features
  • randomized tunneling trough 3 different TCP protocols (HTTP, FTP-Data, plain TCP stream payload)
Currently supported Platforms: i386 & amd64. Others may work too.

Currently supported Operating Systems: OpenBSD (tested on 4.2-current), Linux 2.6 (tested on 2.6.22.x)

You can download all released versions of phcct here:

Open Tasks
  • add encryption
  • add support for additional protocols
  • add a packet mixing mode
  • kernel based implementation

    5. pct - protocol channel tool (PoC, 2008)

    pct (protocol channel tool) is a tiny and basic proof of concept implementation of a protocol channel. In short, a protocol channel signals covert information only by the use of an element of a set of protocols. For instance, if a covert sender can transfer both, ICMP and UDP packets, then by sending an UDP packet, he may transfer a '0' bit while by sending an ICMP packet he may transfer a '1' bit. This way, a covert message can be transferred that is encoded in the form of a sequence of packets of certain network protocols.

    You can download the proof of concept tool `pct' here: pct uses ICMP and ARP to transfer hidden data.


    6. pcaw - protocol channel-aware active warden (PoC, 2012)

    pcaw limits the efficiency of protocol channels (see above). In other words, it is an active warden. The code of pcaw is available on request via email.