
NTP Tunnel and Data Exfiltration (or Shell over NTP)

08/22/08

07:47:32 am, Categories: tcp/ip

A protocol tunnel uses a particular protocol to carry data between two endpoints. The data is encapsulated or encoded within the protocol payload, so that on the wire a legitimate-looking protocol exchange takes place. Data exfiltration is one use of protocol tunnels; it refers to smuggling (sensitive) data out of a particular network or host. Such data can be files, network packets, etc. During exfiltration there is more traffic flowing from inside to outside than from outside to inside.

There are a number of ways to tunnel and exfiltrate data. For example, the HTTP protocol can be used for this purpose. Protocols like ICMP can also carry arbitrary data: an ICMP Echo Request packet generated by a Windows machine carries the payload “abcdefghijklmnopqrstuvwabcdefghi”. Another protocol used to tunnel and exfiltrate data is DNS; DNS packets can carry alphanumeric encoded data as part of the hostnames they query (e.g. abcdefghijklmnopqrstuvwxyz.destination.com).

I was thinking recently about the NTP protocol and how it can also be used to tunnel data. An NTP packet contains four 64-bit timestamp fields; each field has the following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Integer Part                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Fraction Part                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

According to RFC 958, “NTP timestamps are represented as a 64-bit fixed-point number, in seconds relative to 0000 UT on 1 January 1900. The integer part is in the first 32 bits and the fraction part in the last 32 bits, as shown in the following diagram.” This means that every field can range from 0x0000000000000000 to 0xFFFFFFFFFFFFFFFF.

The only drawback is that one packet can carry at most 32 bytes of data, which is too little to transfer large amounts of data. However, this approach can be used to carry small, yet sensitive, data such as shell commands. For example, an attacker could have an interactive shell that transfers and executes commands on the compromised system over an NTP tunnel.

For example, to send the command “ls -l”, it can be inserted into a timestamp field as follows:

         00 6c 73 20 2d 6c 00 00

This will be interpreted by a protocol decoder as the timestamp:

         Apr 29, 2036 12:44:16.1774 UTC
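As an added example that is not part of the original post, here is a small Python check for the technique described above: it slices the four timestamp fields out of a 48-byte NTP header, decodes them the way a protocol decoder does (a seconds value with the high bit clear lands in the post-2036 NTP era, which is why the “ls -l” bytes read as April 2036), and flags any field whose non-zero bytes are all printable ASCII or whose time is far from the capture clock. The sample packets and the capture clock are constructed here; they are not taken from a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
ERA_SECONDS = 1 << 32            # one NTP era is 2**32 seconds (era 0 ends 7 Feb 2036)
FIELDS = ("reference", "origin", "receive", "transmit")

def ntp_timestamp_to_datetime(raw: bytes) -> datetime:
    """Decode one 64-bit timestamp. Values with the high bit clear are placed in
    era 1 (after 2036), the decoder convention that turns "ls -l" into 29 Apr 2036."""
    secs, frac = struct.unpack("!II", raw)
    era = 0 if secs & 0x80000000 else 1
    return NTP_EPOCH + timedelta(seconds=era * ERA_SECONDS + secs + frac / ERA_SECONDS)

def datetime_to_ntp(dt: datetime) -> bytes:
    """Encode a datetime as a 64-bit NTP timestamp (era 0 only)."""
    secs, rem = divmod((dt - NTP_EPOCH).total_seconds(), 1)
    return struct.pack("!II", int(secs), int(rem * ERA_SECONDS))

def timestamp_fields(packet: bytes) -> dict:
    """Slice the four 8-byte timestamp fields out of a 48-byte NTP header."""
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    return {n: packet[16 + 8 * i:24 + 8 * i] for i, n in enumerate(FIELDS)}

def suspicious_fields(packet: bytes, now: datetime, max_skew_days: int = 365) -> dict:
    """Return {field: reason} for timestamps that look like smuggled bytes.
    All-zero fields are skipped: they are normal for unsynchronised peers."""
    findings = {}
    for name, raw in timestamp_fields(packet).items():
        if raw == bytes(8):
            continue
        text = raw.strip(b"\x00")
        if len(text) >= 3 and all(0x20 <= b < 0x7F for b in text):
            findings[name] = f"printable ASCII {text!r}"
        elif abs(ntp_timestamp_to_datetime(raw) - now) > timedelta(days=max_skew_days):
            findings[name] = "time far from the capture clock"
    return findings

# Constructed sample packets: LI=0, VN=4, Mode=3 (client), 24 zero bytes for the
# three earlier timestamp fields, then the transmit timestamp.
NOW = datetime(2009, 1, 15, 12, 0, 0, tzinfo=timezone.utc)   # assumed capture clock
HEADER = bytes([0x23]) + bytes(15) + bytes(24)
BENIGN_PACKET = HEADER + datetime_to_ntp(NOW)
TUNNEL_PACKET = HEADER + bytes.fromhex("006c73202d6c0000")   # the post's "ls -l" bytes

if __name__ == "__main__":
    print(ntp_timestamp_to_datetime(TUNNEL_PACKET[40:48]))    # 2036-04-29 12:44:16.177429+00:00
    print(suspicious_fields(BENIGN_PACKET, NOW), suspicious_fields(TUNNEL_PACKET, NOW))
```

A legitimate client with a badly wrong clock will also trip the skew check, so treat that finding as a prompt to look at the peer, while the printable-ASCII finding is the stronger signal for this particular tunnel.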


This is the Blog of Securebits Think-Tank. It is maintained by AR Samhuri. The blog is about topics like Network Security, Penetration Testing, TCP/IP Attacks, Security R&D, Security Tools, etc.
