README ¶
PacketAgent
Covert packet transmission - Embed messages or files in UDP/TCP/ICMP headers
Background
Packet-agent is designed to transmit a secret message or file via TCP/UDP/ICMP, by concealing encrypted data within the protocol header, while transmitting the packet with no visible data on the network.
Packet-agent will transmit innocuous looking packets with no data, while encupsulating your message within a series of headers.
Uses
- Whistleblowing
While working for [insert evil company/government here] you need to send a top-secret file to a trusted destination, while avoiding the eyes of the network sysadmin, packet-sniffers, deep-packet inspection and traffic sensors on the local network.
- IOT device
An important IOT device requires a network connection to send a status to a remote host, however the firewall on the WAN is restrictive, deep-packet inspection is active and blocking normal traffic.
- Education
After having a major nose-bleed researching with the latest Javascript framework and going mad after the last code-review for your teams .net/PHP application, you yearn to get your hands dirty creating raw TCP/UDP packets, messing with IP protocols, and having fun with low-level networking.
Methods
Source-port UDP
Embed a message by using the UDP source-port to encapsulate data with 2-bytes per connection.
Example
Running the Server
Messages displayed to STDOUT
$ go run packetagent-server.go -privkey ./mykey.pem
Listening on port :8053 (UDP)
Export to a directory
Messages received are exported to the specified directory, saved by the MD5 sum of the receiving data.
$ go run packetagent-server.go -privkey ./mykey.pem -export ./data/
Listening on port :8053 (UDP)
127.0.0.1 => Writing to ./data/90d7e87ab11a7cc3257e0057c4e5cb8a
Server Usage
-export string
Export to a specified directory (./data)
-port string
Listen on specified port (UDP) (default ":8053")
-privkey string
Decrypt data using private RSA key (optional)
-verbose
Flag for verbose output
Client - Send a message
Ceaser, famously used an elementary encryption format to relay messages - "Attack at dawn" is one such famous message sent.
$ go run packetagent-client.go -message "Attack at dawn" -pubkey mykey.pub
Transmitting message => Attack at dawn
Dialing ☎️ => 127.0.0.1:8053
122 / 204 [========>------------------------] 59.80% 1s
204 / 204 [=================================] 100.00% 0s
Client - Send a file
Files can be sent, recommended filesize <32kb.
$ go run packetagent-client.go -file ~/Desktop/secret.pdf -pubkey mykey.pub
Sending file => ~/Desktop/secret.pdf ( 4226 ) bytes on disk.
Dialing ☎️ => 127.0.0.1 : 8053
1111 / 3958 [========>----------------------] 28.07% 4s
3958 / 3958 [===============================] 100.00% 6s
Client usage
-broadcast
Broadcast to subnet (UDP only)
-file string
Send a file (<32kb recommended)
-message string
Message to transmit (default "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
-port int
Connect on specified port (UDP) (default 8053)
-pubkey string
Public RSA key to encrypt data (optional)
-server string
Connect to specified server (localhost) (default "127.0.0.1")
-sleep int
Pause for X milliseconds between packets (1ms) (default 1)
-source string
Source IP address
-verbose
Flag for verbose output
tcpdump
To test, capture all UDP packets on localhost - Note the data length is 0, headers are only transmitted with our message encrypted using the specified public/private-key.
$ tcpdump -i lo0 udp
20:53:44.708462 IP localhost.35331 > localhost.senomix02: UDP, length 0
20:53:44.709647 IP localhost.21268 > localhost.senomix02: UDP, length 0
20:53:44.711355 IP localhost.36172 > localhost.senomix02: UDP, length 0
20:53:44.712985 IP localhost.12937 > localhost.senomix02: UDP, length 0
20:53:44.714733 IP localhost.41653 > localhost.senomix02: UDP, length 0
...
204 packets captured
204 packets received by filter
How it works
Benefits
Cons
Source address
Coming soon. Send packets with a forged source addresses, while concelling a message within the source address.
TCP ID header
Coming soon. Embedding data within the TCP ID header.
ICMP
Coming soon. Embedding data within the ICMP header.
Encryption
Optionally messages can be encrypted using a specified RSA public key. Since the purpose of PacketAgent is to prevent data sent over the network and prevent the server from sending data back to the client, TLS is not used, rather PacketAgent will encrypt messages by:
-
The client will generate a Shared-key (AES-256), encrypting this using the specified RSA public-key
-
The message payload is encrypted using the Shared-key generated
-
The server receives the message and decrypts the Shared-key using the specified RSA key, and the remaining payload is decrypted from the shared-key.
[AES-256 Shared Key encrypted using RSA public-key][Payload encrypted with Shared-key]
Credits
- Logo ANSI art made by Green Hornet (1996)
- Inspiration for encapulating messages via the TCP ID header from Craig H. Rowland (covert.c)
| | _ _
____ _____ ____| | _ _____ _| |_ _____ _____ ____ _____ ____ _| |_
| _ \(____ |/ ___) |_/ ) ___ (_ _|_____|____ |/ _ | ___ | _ (_ _)
| |_| / ___ ( (___| _ (| ____| | |_ / ___ ( (_| | ____| | | || |_
| __/\_____|\____)_| \_)_____) \__) \_____|\___ |_____)_| |_| \__)
|_| (_____|
🕵
Documentation ¶
There is no documentation for this package.