📄 examples

Cctt, "Covert Channel Tunneling Tool" - as the name implies
    To run the client part, we use (no root account) :

    cctt -c 111.222.1.1 -d 443 -f cl_example_3.cf \
      -t socket_http_proxy_encode -a &

  We now configure our browser to use 127.0.0.1:4280 as the HTTP proxy, and
  our HTTP requests to the remote Web server (including its vhosts on the
  same IP address) will be sent through the 'encoded' CCTT channel.

================================================================================
IV) Use the CCTT client only to get the Proxy Chain functionality

  A] Local network scheme

  Another example with the I) network scheme, to stress the idea again.

  We know the IP address and the listening port of our HTTP proxy located on the
  internal network (192.168.1.1:8080).

  We know the IP addresses of two Internet HTTP proxies allowing the CONNECT
  HTTP method (111.111.1.1:8080 and 222.222.2.2:8080).

  We know that these 3 proxies allow connections to the 443 and 8080 remote TCP
  ports.

  B] CCTT functionalities

  We want SSH access to our Internet located personal box (111.222.1.1:443).
  We have an SSHd server listening on this port and we think : 'NO MORE INSTALL
  OF ANY PROG ON OUR BOX' :)

  C] Configuration files

  The client configuration file (cl_example_4.cf) must look like the following :

      PROTOCOL=tcp
      CHANNEL_PROXY_IP=192.168.1.1
      CHANNEL_PROXY_PORT=8080
      CHANNEL_PROXY_PROT=tcp
      CHANNEL_PROXY_DEL=25000
      HTTP_PROXY_CHAIN=111.111.1.1:8080:25000;222.222.2.2:8080:25000
      PROXY_MODE_LOCAL_IP=127.0.0.1
      PROXY_MODE_LOCAL_PORT=4222
      PROXY_MODE_PROT=tcp
      ### These ones are not used, but without them, the client won't start.
      IDENT=basic_ident
      IDENT_KEY=simsim
      PROXY_MODE_REMOTE_IP=127.0.0.1
      PROXY_MODE_REMOTE_PORT=22

  D] Command line parameters to run CCTT

    To run the CCTT client (no root account), we use :

    cctt -c 111.222.1.1 -d 443 -f cl_example_4.cf \
      -t client_only_with_http_proxy &

    We now have the CCTT client listening on localhost:4222.

  When this client gets a TCP connection, it initiates a connection to the first
  HTTP proxy, then to the second and the third, and reaches our SSHd server.
  At this point, we have a TCP channel between the local and the remote
  applications.

================================================================================
V) Reverse proxy mode concept demonstration with CCTT.

  A] Local network scheme

  The network scheme in this example is similar to the I) one, but any network
  scheme would have been suitable. This example focuses on the desired
  functionality.

  We know the HTTP proxy's IP address : 192.168.1.1 and its listening port :
  8080. We also know that it is possible to use the CONNECT method.

  B] CCTT functionalities

  We want remote access to the internally located Web server (192.168.2.1:80)
  and to the internally located SMTP server (192.168.2.2:25) from the external
  network.

  We will allow two remote, externally located stations (W1 and W2) to connect
  to the Web server and a third one (S) to connect to the SMTP server using our
  CCTT server located on an externally located station (C - 111.222.1.1:443).

  C] Configuration files

  The server configuration file (srv_example_5.cf) must look like the
  following :

      PROTOCOL=tcp
      IDENT=basic_ident
      IDENT_KEY=simsim
      SRV_SHELL_LOC=/usr/local/bin/false
      SRV_SHELL_CMD=false
      PROXY_ONLY=ON
      PERM_USER_GROUP=cctt
      PERM_CHROOT=cage

  The internally located client configuration file (cl_Wint_example_5.cf) must
  look like the following to allow access to the Web server :

      PROTOCOL=tcp
      IDENT=basic_ident
      IDENT_KEY=simsim
      CHANNEL_PROXY_IP=192.168.1.1
      CHANNEL_PROXY_PORT=8080
      CHANNEL_PROXY_PROT=tcp
      CHANNEL_PROXY_DEL=15000
      PROXY_MODE_PROT=tcp
      PROXY_MODE_REMOTE_IP=192.168.2.1
      PROXY_MODE_REMOTE_PORT=80

  The internally located client configuration file (cl_Sint_example_5.cf) must
  look like the following to allow access to the SMTP server :

      PROTOCOL=tcp
      IDENT=basic_ident
      IDENT_KEY=simsim
      CHANNEL_PROXY_IP=192.168.1.1
      CHANNEL_PROXY_PORT=8080
      CHANNEL_PROXY_PROT=tcp
      CHANNEL_PROXY_DEL=15000
      PROXY_MODE_PROT=tcp
      PROXY_MODE_REMOTE_IP=192.168.2.2
      PROXY_MODE_REMOTE_PORT=25

  The externally located client configuration file (cl_Wext_example_5.cf) must
  look like the following to allow access to the Web server :

      PROTOCOL=tcp
      IDENT=basic_ident
      IDENT_KEY=simsim
      PROXY_MODE_LOCAL_IP=@IP_W1
      PROXY_MODE_LOCAL_PORT=4280
      PROXY_MODE_PROT=tcp
      PROXY_MODE_REMOTE_IP=192.168.2.1
      PROXY_MODE_REMOTE_PORT=80

  The externally located client configuration file (cl_Sext_example_5.cf) must
  look like the following to allow access to the SMTP server :

      PROTOCOL=tcp
      IDENT=basic_ident
      IDENT_KEY=simsim
      PROXY_MODE_LOCAL_IP=@IP_S
      PROXY_MODE_LOCAL_PORT=4225
      PROXY_MODE_PROT=tcp
      PROXY_MODE_REMOTE_IP=192.168.2.2
      PROXY_MODE_REMOTE_PORT=25

  D] Command line parameters to run CCTT

    We first run the server (as root) using :

    cctt -s 111.222.1.1 -p 443 -f srv_example_5.cf -t socket -L -v &

    We then run the two internally located CCTT clients in reverse proxy mode :

    cctt -c 111.222.1.1 -d 443 -f cl_Wint_example_5.cf -t socket_http_proxy -z &
    cctt -c 111.222.1.1 -d 443 -f cl_Sint_example_5.cf -t socket_http_proxy -z &

  => These two internally located CCTT clients register themselves with the
     CCTT server - configuring it to use them as proxies to access the Web and
     SMTP servers - and keep the connection up.

  NB : The CCTT server dynamically adds and removes the reverse proxy mode CCTT
  clients when they establish or drop a connection.

    We run the two externally located CCTT clients in proxy mode :

    On W1, we run : cctt -c 111.222.1.1 -d 443 -f cl_Wext_example_5.cf \
      -t socket -a &

    On S, we run  : cctt -c 111.222.1.1 -d 443 -f cl_Sext_example_5.cf \
      -t socket -a &

    => These two clients are now waiting for application connections.

  We now have two daemons listening : one allows connections to the Web server
  and is listening on @IP_W1:4280, the second one is listening on @IP_S:4225 and
  allows connections to the SMTP server.

    When an application client wants a channel to the SMTP server :

    * It opens a connection to @IP_S:4225.
    * The S CCTT client opens a connection to the C CCTT server and asks it for
      a channel to the SMTP server.
    * The CCTT server checks its proxy list, finds the reverse connection to
      the internally located CCTT client and acts as a proxy on this connection.
    * The internally located CCTT client receives the data, opens a connection
      to the SMTP server and acts as a proxy.

  The same happens when other SMTP or Web application clients want to access
  the internally located resources.

================================================================================
VI) HTTP Mode : Creating confusion by sending/receiving unnecessary HTTP
    messages.

   Configuration file examples are in doc/confs/http_post1.
   Refer to previous examples for the command line parameters.

  A] Local network scheme

  Any local network scheme allowing a local user to send HTTP POST requests to
  the outside world with or without using an intermediary HTTP proxy.

  B] Presented functionalities

  The CCTT HTTP mode allows sending unnecessary HTTP POST request messages
  alongside the ones needed for the data channel.

  These HTTP POST messages are sent by the CCTT client at regular or random
  intervals to the CCTT server and don't carry any communication channel data.

  If these HTTP POST messages are set in the server configuration, the CCTT
  server sends the related files' content, and this content is discarded by the
  CCTT client.

  The data stream generated may thus increase the confusion of a potential
  observer.

================================================================================
VII) HTTP Mode : Creating confusion by customizing how the server looks.

   Configuration file examples are in doc/confs/http_post1.
   Refer to previous examples for the command line parameters.

  A] Local network scheme

  Any local network scheme allowing a local user to send HTTP POST request
  messages to the outside world with or without using an intermediary HTTP
  proxy.

  B] Presented functionalities

  If the CCTT server is configured as in the VI example, it can accept incoming
  (HTTP or not) request messages from non-CCTT clients.

  If these HTTP request messages are set in the server configuration
  (GET /index.html HTTP/1.0 for example), the server sends back the file
  content; if they are not configured, the server sends back an error page.

  Examples of such pages are available in the HTML presentation located on the
  Gray-World website.

================================================================================
VIII) HTTP Mode : Creating confusion by adding padding to channel data.

   Configuration file examples are in doc/confs/http_post2.
   Refer to previous examples for the command line parameters.

  A] Local network scheme

  Any local network scheme allowing a local user to send HTTP POST request
  messages to the outside world with or without using an intermediary HTTP
  proxy.

  B] Presented functionalities

  The HTTP mode of CCTT allows padding data to be added before or after the
  communication channel data.

  This padding can be added to the HTTP POST request messages of the client or
  to the HTTP response message of the server.

  A padding example of an HTTP communication between a client and a server is
  presented in the doc/confs/http_post2/snort_capture.txt file.

================================================================================
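
Seen from the monitoring side, the proxy chain and the SSHd on port 443 in section IV put a recognisable first payload inside each CONNECT tunnel. The following is an added example, not part of the CCTT documentation: it classifies the first client bytes of a tunnel so that non-TLS tunnels can be flagged. The function names, client addresses and payload bytes are constructed for illustration.

```python
import struct

TLS, SSH, NESTED, HTTP, OTHER, SHORT = (
    "tls", "ssh", "nested-connect", "http", "other", "short")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first client-to-server bytes seen inside a CONNECT tunnel."""
    if data.startswith(b"SSH-"):        # SSH identification string (RFC 4253)
        return SSH
    if data.startswith(b"CONNECT "):    # another proxy hop requested in-tunnel
        return NESTED
    if data.startswith(HTTP_METHODS):   # cleartext HTTP inside the tunnel
        return HTTP
    if len(data) < 6:
        return SHORT                    # not enough bytes to decide yet
    ctype, major, minor, length, hs_type = struct.unpack("!BBBHB", data[:6])
    # TLS record header: handshake (22), version 3.x, plausible length,
    # followed by a ClientHello (handshake type 1).
    if (ctype, major, hs_type) == (22, 3, 1) and minor <= 4 and 0 < length <= 16384:
        return TLS
    return OTHER


def review_tunnels(tunnels):
    """Return (client, target, verdict) for tunnels whose payload is not TLS."""
    findings = []
    for client, target, first in tunnels:
        verdict = classify_first_bytes(first)
        if verdict not in (TLS, SHORT):
            findings.append((client, target, verdict))
    return findings


# Constructed sample: (client, CONNECT target, first payload bytes). Targets
# follow the document's examples; the payloads are illustrative, not captures.
SAMPLE_TUNNELS = [
    ("192.168.1.50", "111.111.1.1:8080", b"CONNECT 222.222.2.2:8080 HTTP/1.0\r\n\r\n"),
    ("192.168.1.51", "111.222.1.1:443", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.168.1.52", "www.example.org:443", bytes.fromhex("1603010200010001fc0303")),
    ("192.168.1.53", "111.222.1.1:443", bytes.fromhex("8f0241100c9c337a")),
]

if __name__ == "__main__":
    for finding in review_tunnels(SAMPLE_TUNNELS):
        print(finding)
```

A verdict of "other" on a port 443 tunnel covers any custom channel protocol without needing to know its wire format.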
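
The reverse proxy mode of section V keeps an outbound CONNECT tunnel up through 192.168.1.1:8080, and the chain of section IV begins with a CONNECT to another proxy on port 8080; both leave entries in the internal proxy's access log. The following added example is not from the CCTT documentation: it assumes Squid's native access.log format, and the log lines, client addresses and thresholds are constructed.

```python
import ipaddress

LONG_LIVED_MS = 60 * 60 * 1000    # assumption: review tunnels open over 1 hour
ALLOWED_CONNECT_PORTS = {443}     # assumption: policy permits CONNECT to 443 only


def parse_squid_line(line):
    """Parse the leading fields of one Squid native access.log line."""
    f = line.split()
    if len(f) < 7 or not f[1].isdigit():
        return None
    return {"elapsed_ms": int(f[1]), "client": f[2], "status": f[3],
            "method": f[5], "url": f[6]}


def connect_findings(lines):
    """Map (client, target) to sorted reasons for CONNECT tunnels worth review."""
    findings = {}
    for line in lines:
        rec = parse_squid_line(line)
        if not rec or rec["method"] != "CONNECT" or not rec["status"].endswith("/200"):
            continue
        host, _, port = rec["url"].rpartition(":")
        reasons = set()
        try:
            ipaddress.ip_address(host.strip("[]"))
            reasons.add("ip-literal")          # no hostname, as in the examples
        except ValueError:
            pass
        if not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
            reasons.add("port-not-allowed")    # e.g. first hop of a proxy chain
        if rec["elapsed_ms"] >= LONG_LIVED_MS:
            reasons.add("long-lived")          # e.g. a tunnel that is kept up
        if reasons:
            findings.setdefault((rec["client"], rec["url"]), set()).update(reasons)
    return {key: sorted(value) for key, value in findings.items()}


# Constructed log lines (not captures); targets follow the document's examples.
SAMPLE_LOG = [
    "1700000000.100 7200450 192.168.1.77 TCP_TUNNEL/200 1843200 CONNECT 111.222.1.1:443 - HIER_DIRECT/111.222.1.1 -",
    "1700000100.200 95012 192.168.1.50 TCP_TUNNEL/200 48211 CONNECT 111.111.1.1:8080 - HIER_DIRECT/111.111.1.1 -",
    "1700000200.300 1520 192.168.1.60 TCP_TUNNEL/200 15320 CONNECT www.example.org:443 - HIER_DIRECT/93.184.216.34 -",
    "1700000300.400 210 192.168.1.60 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for key, reasons in connect_findings(SAMPLE_LOG).items():
        print(key, reasons)
```

Squid writes a tunnel's log entry when the tunnel closes, so a connection that is still being kept up only appears here after it drops.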
