NTP Tunnel and Data Exfiltration (or Shell over NTP)

08/22/08

Permalink 07:47:32 am, Categories: tcp/ip

A protocol tunnel uses a particular protocol to carry data between two end points. The data is encapsulated or encoded within the protocol payload so that, on the wire, a legitimate protocol exchange appears to take place. Data exfiltration is one use of protocol tunnels; it refers to smuggling (sensitive) data out of a particular network or host. Such data can be files, network packets, etc. During exfiltration there is more traffic from inside to outside than from outside to inside.

There are a number of ways to tunnel and exfiltrate data. HTTP, for example, can be used for this purpose. Protocols like ICMP can also carry arbitrary data: an ICMP Echo Request generated by a Windows machine carries the payload “abcdefghijklmnopqrstuvwabcdefghi”. Another protocol used to tunnel and exfiltrate data is DNS; DNS packets can carry alphanumeric-encoded data as part of the queried hostnames (e.g. abcdefghijklmnopqrstuvwxyz.destination.com).

I was thinking recently about the NTP protocol and how it can also be used to tunnel data. An NTP packet contains four 64-bit timestamp fields; each field has the following format:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Integer Part                          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Fraction Part                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

According to RFC 958, “NTP timestamps are represented as a 64-bit fixed-point number, in seconds relative to 0000 UT on 1 January 1900. The integer part is in the first 32 bits and the fraction part in the last 32 bits, as shown in the following diagram.” This means that every field can range from 0x0000000000000000 to 0xFFFFFFFFFFFFFFFF.

The only drawback is that one packet can carry at most 32 bytes of data (four 8-byte fields), which is too little to move large amounts of data. However, the channel is wide enough for small but sensitive data such as shell commands. For example, an attacker could run an interactive shell, transferring and executing commands on a compromised system over an NTP tunnel.

For example, to send the command “ls -l”, it can be inserted into a timestamp field as follows:

         00 6c 73 20 2d 6c 00 00

which a packet decoder will display as the following date (the seconds field has its high bit clear, so the decoder reads it as belonging to the NTP era that begins in 2036):

         Apr 29, 2036 12:44:16.1774 UTC
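The timestamp layout and the “ls -l” example above can be turned around and used from the defender's side. The following Python is an added example, not code from the original post: it decodes the four 64-bit timestamp fields of a 48-byte NTP header with the same era rule that produces the 2036 date above, and flags any field that lies far from the capture time or whose bytes are mostly printable ASCII. The sample packets, the capture time, the skew window and the printable-byte threshold are constructed for this example and are not values from the post.

```python
import struct
from datetime import datetime, timedelta, timezone

# Byte offsets of the four 64-bit timestamp fields in a 48-byte NTP header
# (reference, originate, receive, transmit), per RFC 958 / RFC 5905.
TIMESTAMP_OFFSETS = {"reference": 16, "originate": 24, "receive": 32, "transmit": 40}
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
NTP_ERA_SECONDS = 2 ** 32  # the 32-bit seconds field wraps every 2^32 seconds


def ntp_timestamp_to_datetime(raw8: bytes) -> datetime:
    """Decode one 64-bit fixed-point NTP timestamp: 32-bit seconds, 32-bit fraction.

    A seconds value with the high bit clear is read as era 1 (from 7 Feb 2036),
    the convention that turns the bytes "00 6c 73 20 2d 6c 00 00" into a 2036 date.
    """
    seconds, fraction = struct.unpack("!II", raw8)
    if not seconds & 0x80000000:
        seconds += NTP_ERA_SECONDS
    micros = round(fraction * 1_000_000 / NTP_ERA_SECONDS)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def datetime_to_ntp_timestamp(when: datetime) -> bytes:
    """Encode a datetime as a 64-bit NTP timestamp (used here only to build the benign sample)."""
    total = (when - NTP_EPOCH).total_seconds()
    seconds = int(total) % NTP_ERA_SECONDS
    fraction = int((total - int(total)) * NTP_ERA_SECONDS)
    return struct.pack("!II", seconds, fraction)


def printable_byte_count(raw8: bytes) -> int:
    """Number of bytes in the printable ASCII range 0x20..0x7E."""
    return sum(1 for b in raw8 if 0x20 <= b <= 0x7E)


def inspect_ntp_packet(packet: bytes, captured_at: datetime,
                       max_skew: timedelta = timedelta(days=7),
                       printable_threshold: int = 5) -> list:
    """Return (field, reason) findings for timestamp fields that do not look like clock values.

    Two heuristics: the decoded time is far from the capture time, or the raw bytes are
    mostly printable ASCII. All-zero fields are skipped because a client request
    legitimately leaves reference/originate/receive at zero. Both thresholds are
    assumptions chosen for this example.
    """
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes")
    findings = []
    for name, offset in TIMESTAMP_OFFSETS.items():
        raw8 = packet[offset:offset + 8]
        if raw8 == b"\x00" * 8:
            continue
        decoded = ntp_timestamp_to_datetime(raw8)
        if abs(decoded - captured_at) > max_skew:
            findings.append((name, f"decodes to {decoded.isoformat()}, far from capture time"))
        if printable_byte_count(raw8) >= printable_threshold:
            findings.append((name, f"mostly printable ASCII: {raw8!r}"))
    return findings


def build_client_request(transmit: bytes) -> bytes:
    """Constructed 48-byte NTPv4 client packet: LI=0, VN=4, mode=3, all zero but transmit."""
    assert len(transmit) == 8
    return bytes([0x23]) + b"\x00" * 15 + b"\x00" * 24 + transmit


# Constructed samples. The capture time matches the post's date; the suspect packet
# carries the post's "ls -l" bytes in its transmit timestamp.
CAPTURE_TIME = datetime(2008, 8, 22, 7, 47, 32, tzinfo=timezone.utc)
BENIGN_PACKET = build_client_request(datetime_to_ntp_timestamp(CAPTURE_TIME))
SUSPECT_PACKET = build_client_request(bytes.fromhex("006c73202d6c0000"))

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_PACKET), ("suspect", SUSPECT_PACKET)):
        print(label, inspect_ntp_packet(pkt, CAPTURE_TIME) or "no findings")
```

The skew check is the robust one: a genuine client fills the transmit field with its current clock, so a value decades away from the capture time is hard to explain. The printable-ASCII check catches the specific encoding in the post but will miss binary or compressed payloads, and the reference timestamp of a server reply records the last clock update rather than the current time, so the window for that field may need to be wider in a real deployment.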


This is the Blog of Securebits Think-Tank. It is maintained by AR Samhuri. The blog is about topics like Network Security, Penetration Testing, TCP/IP Attacks, Security R&D, Security Tools, etc.
