I put together a quick little demo of covert channels over HTTP and why they are not exactly easy to pick out when viewing network traffic. This is obviously a toy example and should not be taken as the be-all and end-all of covert channels; an expert in the field will be able to pick this traffic out with more in-depth analysis. The goal of this post is not to show how to become an expert at fooling people with covert channels, but to give a brief understanding of why they can be difficult to detect, and hopefully some insight into what may need to be investigated when looking for C2 in network traffic.
Here we can see the C2 server communicating with the “infected” client. When the webpage is viewed, the server responds with a basic HTML page, so on initial inspection it would not look suspicious.
Communications between the client and C2 server
For this, we are using the deprecated DNT (Do Not Track) HTTP header to slip commands in. Normally DNT supports the values [-1, 0, 1]; however, for this example we are using the values [-1, 1, 2, 3, 4] to give commands to our “infected” client. A normal DNT header can be seen below in the example provided by Stack Overflow.
Example DNT header
We are also using the Authorization header to communicate with the client. In this example we are using the Basic Auth header value ZmlsZTp0ZXN0Q2xpZW50LnR4dA==, which decodes from base64 to file:testClient.txt. This tells our client the path of the file (in this case in the same directory as the client's “malware”) that we wish to retrieve from our “infected” system. In response, the client base64-encodes the contents of the file and sends it back to the C2 server using an HTTP POST. Shown below, we can see c2VjcmV0UGFzc3dvcmRJbmZvCg==, which is the contents of our “secret file” in base64, containing the value secretPasswordInfo.
HTTP POST capture to the C2 server
Our basic auth header value decoded
Our file contents decoded
For an attacker, if this were a file of another format, converting the base64 string back into a file is not a difficult task, so any file format could be exfiltrated this way. As stated, the goal of this post was not to show the best techniques for creating covert channels or sneakily exfiltrating sensitive data; it is to show how some basic web request techniques can be used to hide C2 and exfiltration in plain sight, and to give a better understanding of why you may need to perform more analysis on captured network traffic to understand what exactly is going on.
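As an added defender-side example (not code from the original post), here is a small Python inspector that looks for the three tells described above in constructed HTTP messages modelled on the capture: a DNT value outside the set the post calls normal, a Basic Authorization credential that decodes to a file path rather than user:password, and a POST body that is nothing but base64. The sample messages, header names and heuristics are assumptions made for illustration.

```python
import base64
import re

# Baseline DNT values the post calls normal; commands that reuse them (-1, 1)
# pass this check, so it only catches the out-of-range ones (2, 3, 4 here).
BASELINE_DNT = {"-1", "0", "1"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # long, bare base64
PATH_LIKE = re.compile(r"[/\\]|\.[A-Za-z0-9]{1,5}$")    # separator or extension

# Constructed sample messages modelled on the post's capture, not real traffic.
C2_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nDNT: 3\r\n"
               "Authorization: Basic ZmlsZTp0ZXN0Q2xpZW50LnR4dA==\r\n\r\n"
               "<html><body>nothing to see here</body></html>")
EXFIL_POST = ("POST /upload HTTP/1.1\r\nHost: c2.example.com\r\n"
              "Content-Type: text/plain\r\n\r\nc2VjcmV0UGFzc3dvcmRJbmZvCg==")

def parse_http(raw):
    """Split one raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def decode_b64(token):
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None

def inspect(raw):
    """Return the covert-channel tells found in one HTTP request or response."""
    start, headers, body = parse_http(raw)
    findings = []
    dnt = headers.get("dnt")
    if dnt is not None and dnt not in BASELINE_DNT:
        findings.append(f"DNT value {dnt!r} is outside the expected set")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        cred = decode_b64(auth[6:].strip()) or ""
        secret = cred.partition(":")[2]
        if PATH_LIKE.search(secret):  # heuristic: a "password" shaped like a path
            findings.append(f"Basic credential decodes to {cred!r}, not user:password")
    body = body.strip()
    if start.startswith("POST") and B64_TOKEN.match(body):
        findings.append(f"POST body is bare base64 decoding to {decode_b64(body)!r}")
    return findings
```

Note that commands sent as -1 or 1 reuse legitimate DNT values and pass the header check, which is exactly the point about needing deeper analysis than a per-header lookup.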
I hope this was a fun topic for you all to investigate. If you’d like more details or have another topic you’d like covered, let me know.