cctt_en.1

Cctt, "Covert Channel Tunneling Tool" - 顾名思义

.SP
\fBHTTP_MOD_CL_BOT_PAD\fP=\fIpath/to/file\fP

Tells the server to add the content of the \fIpath/to/file\fP at the bottom of the communication channel it will sends in its HTTP response.

.SP
\fBHTTP_MOD_SRV_FAKE_URLS\fP=\fIpath/to/file\fP

Tells the server that it has to send the \fIpath/to/file\fP file content when it gets a request with an URI related to this file.

This directive can be used several times.

.SH "CLIENT CONFIGURATION FILE"
Configuration files allow the setting of several directives relative to the CCTT functioning.
.P

.IP "\fBDirectives for the client configuration file\fP :"

.IP "\fBPROTOCOL\fP=\fItcp|udp\fP"

This is the protocol used for establishing the socket between the client and the server or between the client and the mandatory server. If a mandatory server is to be used, this protocol is necessarily \fBtcp\fP.

\fBThis directive is mandatory.\fP

.IP "\fBIdentification directives\fP :"

These directives allow for the specification of the identification method used between the client and the server.

.SP 
\fBIDENT\fP=\fIxxx_ident\fP

This is the identification type parametered between server and client. It must be identical in the two configuration files and can contain the following values: \fIclear_ident\fP, \fIbasic_ident\fP.

\fIclear_ident\fP doesn't contain any encoding, the key being sent as is.

\fIbasic_ident\fP contains an encoding based on the same principle as the \fIsocket_encode\fP channel type.

\fBThis directive is mandatory and is necessarily accompanied by the \fP\fIIDENT_KEY\fP\fB directive\fP.

.SP 
\fBIDENT_KEY\fP=\fIxxx\fP

This is the key used by the server to identify the client. It's an ASCII chain.

\fBThis directive is mandatory and is necessarily accompanied by the \fP\fIIDENT\fP\fB one\fP.

.IP "\fBProxy mode directives\fP :"

\fBThe use of one of these directives leads necessarily to the use of others.\fP

The client listens on a couple @IP:Port. When an application is connecting, the client connects to the server, identifies itself and sends the transfer request to the server. If this demand is accepted, the client recuperates the data sent by the application, adds to them the several requested encodings and sends the result to the server. It proceeds reversely when it receives data from the server.

.SP
if the server accepts the client's demand, it opens a connection towards the application that is configured in its list and transmits the data from the client towards the application after suppressing the several encodings to which the received data stream was subjected. It proceeds reversely when receiving data from the application before sending them back to the client.

.SP 
\fBPROXY_MODE_PROT\fP=\fItcp\fP

In proxy mode, it's the protocol used between the local application and the client as well as between the server and the remote service. For the time being, only the \fPtcp\fP protocol is supported.

.SP
\fBPROXY_MODE_LOCAL_IP\fP=\fI@IP\fP

In proxy mode, it's the listening IP address of the client.

.SP
\fBPROXY_MODE_LOCAL_PORT\fP=\fIPort\fP

In proxy mode, it's the port on which the client is listening.

.SP 
\fBPROXY_MODE_REMOTE_IP\fP=\fI@IP\fP

In proxy mode, it's the IP address that is sent in the transfer request. This IP address is compared by the server to the addresses contained in its \fIPROXY_MODE_LIST\fP directives.

.SP 
\fBPROXY_MODE_REMOTE_PORT\fP=\fIport\fP

In proxy mode, it's the port that is sent in the transfer request. This port is compared by the server to the ports contained is its \fIPROXY_MODE_LIST\fP directives.

.IP "\fBReverse proxy mode directives\fP :"

\fBThe use of one of these directives leads necessarily to the use of others.\fP

The client opens a connection to the server and records itself into the server proxy-mode list as a proxy for the service configured in its configuration file.

.SP
When the server gets a request for this service, it uses the openned connection to tell the client from which application client it received the datas and acts as a proxy for the data stream.

.SP
The client receives data and : If it never received datas from this application client, it opens a tcp connection to the configured service and acts as a proxy - if it already received datas from this application client, it acts as a proxy for an existing connection.

.SP
To sum up, the established connection between client and server allows a rudimentary multiplexing.

.SP 
\fBPROXY_MODE_PROT\fP=\fItcp\fP

In reverse proxy mode, it's the protocol used between the client and the application service for which the client acts as a proxy. For the time being, only the \fPtcp\fP protocol is supported.

.SP 
\fBPROXY_MODE_REMOTE_IP\fP=\fI@IP\fP

In reverse proxy mode, it's the IP address of the application service for which the client acts as a proxy. This IP Address is dynamically added in the server \fIPROXY_MODE_LIST\fP and dynamically removed when the client drops the connection.

.SP 
\fBPROXY_MODE_REMOTE_PORT\fP=\fIport\fP

In reverse proxy mode, it's the port of the application service for which the client acts as a proxy. It is dynamically added in the server \fIPROXY_MODE_LIST\fP.

.IP "\fBDirectives used for a mandatory server\fP :"

\fBThe use of one of these directives leads necessarily to the use of all others.\fP

.SP 
In case a mandatory server is used as an intermediary between client and server (\fI*_http_proxy_* channel types\fP), these directives allow for the link configuration towards the mandatory server.

.SP 
\fBCHANNEL_PROXY_PROT\fP=\fItcp\fP

It's the protocol used between the client and the mandatory server. For the time being, only the \fItcp\fP protocol is supported.

.SP
\fBCHANNEL_PROXY_IP\fP=\fI@IP\fP

It's the mandatory server IP address.

.SP
\fBCHANNEL_PROXY_PORT\fP=\fIPort\fP

It's the port used by the mandatory server for HTTP proxying.

.SP
\fBCHANNEL_PROXY_DEL\fP=\fITime\fP

It's the waiting time for an answer from the mandatory server before considering the connection drop. It is expressed in microseconds.

.SP
\fBHTTP_PROXY_CHAINE\fP=\fI@Ip2:Port2:Time;...;@Ipx:Portx:Time\fP

Allows for the use of the CONNECT method on an HTTP mandatory servers chain.

The first connection takes place with the proxy defined with \fICHANNEL_PROXY_IP\fP. The CONNECT request is sent on the latter towards the first IP address of the \fIHTTP_PROXY_CHAINE\fP chain. When this chain is empty, the CONNECT request is sent towards the IP address of the server to be reached.

The waiting delay is configurable for each proxy.

.IP "\fBHTTP POST client directives :\fP"

.P
When the http_post is set, the client opens a TCP connection, sends a configurable number of HTTP POST requests and receive the related HTTP responses. When the configurable number is reached, the TCP connection is closed but the client side applications are kept running. A new TCP connection is then openned and etc...

The client can send a configurable number of unnecessary requests to hide the legitimate ones. If these requests have an URI set into the server configuration, the server will send the content of the related file.

The client can also add top and/or bottom padding to its communication channel data. This may confuse an eventual observer if he finds html pages or image on the data stream and doesn't look inside carefully.

.IP "\fBThe next directives are mandatory for an http_post client.\fP"

.SP
\fBHTTP_MOD_CL_REQ_PER_CON\fP=\fIx\fP

Set the number of HTTP requests to send on a TCP connection before closing it and openning a new one.

.SP
\fBHTTP_MOD_CL_DELAY_BET_CON\fP=\fIx\fP

Set the waiting delay between two HTTP requests on a TCP connection.

.SP
\fBHTTP_MOD_CL_HOSTNAME\fP=\fIhostname\fP

Set this \fIhostname\fP into the related HTTP POST request header field.

.SP
\fBHTTP_MOD_CL_CONTENTTYPE\fP=\fIcontent-type\fP

Set this \fIcontent-type\fP into the related HTTP POST request header field.

.SP
\fBHTTP_MOD_CL_DATASIZE\fP=\fIx\fP

Tells the client to not send more than \fIx\fP bytes of data into an HTTP POST request.

.SP
\fBHTTP_MOD_URI\fP=\fI/cgi-bin/cctt.cgi\fP

Send the \fI/cgi-bin/cctt.cgi\fP URI in the HTTP POST request. This URI will be used by the server to know if there is any usefull data in the HTTP request.

.IP "The next directives are optional in the client http_post mode."

.SP
\fBHTTP_MOD_SRV_TOP_PAD\fP=\fIbytes\fP

Tells the client there is \fIbytes\fP of unnecessary data at the top of the communication channel data of the HTTP response.

.SP
\fBHTTP_MOD_SRV_BOT_PAD\fP=\fIbytes\fP

Tells the client there is \fIbytes\fP of unnecessary data at the bottom of the communication channel data of the HTTP response.

.SP
\fBHTTP_MOD_CL_TOP_PAD\fP=\fIpath/to/file\fP

Tells the client to add the content of the \fIpath/to/file\fP at the top of the communication channel it will sends in its HTTP request.

.SP
\fBHTTP_MOD_CL_BOT_PAD\fP=\fIpath/to/file\fP

Tells the client to add the content of the \fIpath/to/file\fP at the bottom of the communication channel it will sends in its HTTP request.

.SP
\fBHTTP_MOD_CL_FAKE_URLS\fP=\fIGET /index.html HTTP/1.0\fP

Tells the client to send the \fIGET /index.html HTTP/1.0\fP request to the server. This request is unnecessary : If the server is configured to send the related content file, the client will read a part of this content and discard it.

This directive can be used several times.

\fBUsing the HTTP_MOD_CL_FAKE_URLS_FREQ is mandatory if you use this directive.\fP

.SP
\fBHTTP_MOD_CL_FAKE_URLS_FREQ\fP=\fIx\fP

Tells the client to send the unnecessary HTTP \fBHTTP_MOD_CL_FAKE_URLS\fP requests at this interval.

If \fIx\P is equal to -1, the unnecessary requests will be sent every y real request (and y is random). If \fIx\P is equal to 1, the unnecessary requests will be sent for each real request and if \fIx\P is equal to y>1, the unnecessary requests will be sent each y real request.

\fBUsing the HTTP_MOD_CL_FAKE_URLS directive is mandatory if you use this directive.\fP

.SH "INTERACTIVE MODE"
The server execution allows for the seize of a few commands in interactive mode.
These are :

.IP "\fBhelp\fP"
Displays available commands.

.IP "\fBshow connections\fP"
Displays ongoing connections.

.IP "\fBshow params\fP"
Displays the server's initialization informations.

.IP "\fBkill connection X\fP"
Closes the connection allocated on the \fBX\fP socket descriptor.

.IP "\fBkill manager X\fP"
kills the manager handling the connection allocated on the \fBX\fP socket descriptor.

.IP "\fBtell client X 'something'\fP"
Sends the \fBsomething\fP command to the client of the connection allocated on the \fBX\fP socket descriptor.

.IP "\fBquit\fP"
Stops the server.

.SH "SECURITY"
CCTT is a testing tool. Hence, I don't recommand its use within a production environment.
.P
The tool's code hasn't been audited. It would be preferable, when using CCTT on an Internet connected platform, to launch it under a restricted rights identity and to block it in a jail.
.P
To achieve this, one must either create a personal environment, either use functionalities present under the \fIServer securing directives\fP.

.SH "AUTHOR"
Simon Castro <scastro [at] entreelibre.com>

.SH "CONTRIBUTIONS"

Olivier Dembour <odembour [at] entreelibre.com> , Hadi El-Khoury <helkhoury [at] entreelibre.com> and Alex Dyatlov <alex [at] gray-world.net>

.SH "DISTRIBUTION"
The latest version of CCTT can be obtained from http://www.gray-world.net/ or from its mirror http://www.entreelibre.com/gray-world.net/.

.SH "LICENCE"

CCTT - Covert Channel Tunneling Tool - v0.1.8, Copyright (C) 2002,2003 Simon Castro (scastro@entreelibre.com)
.P
CCTT is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.P
CCTT is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
.P
You should have received a copy of the GNU General Public License along with CCTT; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA