Covert Channel Software

1. CCEAP - Covert Channel Educational Analysis Protocol (2016)

The Covert Channel Educational Analysis Protocol (CCEAP) is a network protocol designed for teaching covert channels to professionals and students.

The protocol is explicitly vulnerable to several hiding patterns, so it is not necessary to switch protocols while explaining them. The protocol's structure is simple and self-explanatory, and its implementation is kept to a minimum number of lines of code to make it especially accessible to students.

You can download the code here: https://github.com/cdpxe/CCEAP and the documentation is available here: https://github.com/cdpxe/CCEAP/tree/master/documentation.

Publications:
  • Currently under review: S. Wendzel and W. Mazurczyk: An Educational Network Protocol for Covert Channel Analysis Using Patterns (Poster)

2. vstt - ICMP, POP3 and plain-text tunnel via fifo/socket in/out (2006)


vstt (very strange tunneling tool) is a program written to tunnel TCP connections (you can also tunnel everything else with it as long as you can send/receive data via FIFOs). The key feature is that vstt is capable of tunneling the connection through different protocols, which makes it useful in nearly every situation that requires bypassing a firewall. vstt is for legal purposes only!


Key Features
  • blank TCP stream socket tunnels for IPv4 & IPv6 (98% done)
  • POP3 tunnel (hide data in POP3 requests) for IPv4 & IPv6 (92% done, already useful)
  • ICMP ping tunnel for IPv4 (95% done)
    • payload auto-fragmentation and re-assembling
    • re-send lost or damaged packets using its own (but slow) reliability protocol
  • accept input/output as TCP stream socket or via FIFO
Currently supported Platforms: i386 & amd64. Others may work, too.

Currently supported Operating Systems: OpenBSD (tested on 4.0-current), Linux 2.6 (tested on 2.6.18)

Documentation
 
You can find the documentation in the sub directory doc/ of the .tgz file in form of a .pdf file as well as in form of a .tex file.

The online documentation can be found here.

Download
 
You can download all released versions of vstt here: http://www.wendzel.de/dr.org/files/Projects/vstt/.

Open Tasks
  • Solaris port
  • find+fix the bug in the POP3 tunnel stuff that happens if you tunnel SSH over POP3 


3. phcct - protocol hopping covert channel tool (PoC, 2007)

phcct (protocol hopping covert channel tool) is a tiny and basic proof of concept implementation of a protocol hopping covert channel (cf. my publications). In short, a protocol hopping covert channel signals covert information while switching between the network protocols it uses in order to stay hidden.

Key Features
  • randomized tunneling through 3 different TCP protocols
Currently supported Platforms: i386 & amd64. Others may work too.

Currently supported Operating Systems: OpenBSD (tested on 4.2-current), Linux 2.6 (tested on 2.6.22.x)

Download
 
You can download all released versions of phcct here: http://www.wendzel.de/dr.org/files/Projects/phcct/.

Open Tasks
  • add encryption
  • add support for additional protocols
  • add a packet mixing mode
  • kernel based implementation
Publications:

4. pct - protocol channel tool (PoC, 2008)

pct (protocol channel tool) is a tiny and basic proof of concept implementation of a protocol channel. In short, a protocol channel signals covert information solely through which protocol, out of a set of protocols, is used.

Download

You can download the PoC code here: http://www.wendzel.de/dr.org/files/Projects/pct/.

Publications:

5. pcaw - protocol channel-aware active warden (PoC, 2012)

pcaw limits the efficiency of protocol channels (see above). In other words, it is an active warden. The code of pcaw is available on request via email.

Publications: