
Stealthy Communication: Unveiling Covert Channels Through HTTP Headers

BSides Buffalo · 2024 · 28:07 · 33 views · Published 2024-06
Style: Talk
About this talk
The talk delves into a novel approach for covert communication by taking advantage of the User-Agent string within the HTTP headers. The User-Agent string is used to identify the user's browser and operating system so that the web server can serve the web page most compatible with the user's device. In our research, we have used this string to transmit our covert message with the help of the Cookie header, another HTTP header. The idea is to transmit covert messages character by character by mapping each character value to a legitimate User-Agent string and storing information regarding the covert channel inside the Cookie field. We have also developed a proof-of-concept to demonstrate our idea, and we have successfully tested our covert channel. This exploration of covert communication contributes to understanding the purpose and working of a covert channel using HTTP traffic. Furthermore, our research will also encourage implementing tighter security and filtering of web traffic over the internet.

About the speaker

Shubham Verma, App Sec Engineer, Navy Federal Credit Union. Master's degree in Cybersecurity from Rochester Institute of Technology (RIT), specializing in malware generation and analysis using Large Language Models (LLMs), open-source offensive tool development, and covert communication channels. Currently serving as an Application Security Engineer at Navy Federal Credit Union; his research endeavors and practical experience are dedicated to advancing cybersecurity practices through innovative techniques and real-world applications.
Transcript [en]

Okay, so I guess we can start. Thank you everyone for staying till the end, especially after lunch. So this is kind of a new topic, which I don't think is used in day-to-day jobs and organizations; it's more about how covert communications happen and how to build your own covert communication channel. Now, to define what a covert channel is, and also a caution before this presentation: I don't know how many of you guys have watched the TV series called The Office, but there's going to be a lot of memes, so please bear with me, and if you don't get it I'm sorry, I apologize.

So what is a covert channel? Is it like encryption? What's the difference between encryption and a covert channel? You can use encryption in a covert channel, but just by using encryption it won't be a covert channel. What I mean by a covert channel is, let's take an example of a communication. Suppose right now I'm communicating to you guys; everyone can see that this communication is happening. Even if I talk in Morse code, even if I talk in an encrypted way, everyone can see that there's some sort of communication going on. They can't decode what I'm saying, but they know some kind of communication is going on over here.

But if I do certain hand gestures which only one or two of you could understand, that is a kind of covert communication, because the communication should only be understood by the person who it is meant for, or by the system who it is meant for. For the rest, for an outsider, it should look like there's nothing abnormal going on here, there's not even a communication going on over here. So this is one of the major differences between encryption and a covert channel. Let's take the example of SSH or HTTPS. SSH and HTTPS use encryption, but it won't be a covert channel, because in HTTPS, when you browse a website or when you're SSHing into a server, anyone can see that there is some sort of communication happening. Someone is talking to someone; we don't know what they are talking about, but there is some sort of communication back and forth going on. So that won't be a covert channel. A covert channel is completely hidden; you don't even know if there is a communication going on.

So what would be a covert channel? Here there's a GIF showing invisible ink. It's a very basic example: someone uses invisible ink, writes a letter and sends it to someone. For a normal person it's like, okay, it's just a blank piece of paper. Or if there was some hidden text in this PPT: for you guys, now that I told you there's hidden text, you know there's some sort of communication. But only the person the communication is meant for would know that there is some sort of communication. So it's hidden in plain sight. That's basically the whole idea of covert communication.

Now, what's the covert communication that we have built here? We are using HTTP and HTTP headers, and we are basically working with two fields which are very modifiable, which is why they were the best target: those are the User-Agent string and the Cookie. So why did we use the User-Agent string and the Cookie? Before that, let me talk to you about the covert channel model. What would be going on over here? You would have shared secrets, just like in symmetric communication. There would be a server and there would be a receiver; the server would be the receiver, and then we would be sending the communication through HTTP packets. For a normal user it would look like it's just another website where communication is happening, but within those HTTP headers we have hidden some kind of information which is not visible to the plain eye. Even if someone gets into the network and scrapes those HTTP packets, they won't be able to identify it. So here you can see there's a request going to the server and the server gives a response; it's basically a normal client-to-server communication happening.

Now, some features of the covert channel. How are we doing this? For mapping we have a lookup table. All this will make sense when I show you the covert channel; for now I'm just giving out some of the features so we can connect the dots later. The lookup table is a very basic lookup table: suppose I am mapping ASCII characters to certain hidden strings, like A maps to this, B maps to this, C maps to this. Then there is an identifier. As I told you before, there is a Cookie field that we are modifying, so one of those headers inside the Cookie field would be used as an identifier that will identify whether this is a covert request or just a normal packet. What we are trying to do is implement a communication in a normal website, like suppose Amazon. Everyone can go on Amazon; it's a normal website. So we need to identify: is this HTTP packet a covert packet, or is it just a normal packet from a normal viewer? That's why we have a field which will help us in identifying it.

The rotation and jumbling is just an extra protection. Even if our lookup table gets leaked (let's say that's one of the shared secrets; these are all shared secrets), we don't want the attacker to totally know what message was sent, because obviously covert channels are only used when you are transferring very, very highly sensitive information; you don't even want to tell someone that the communication is happening. Then we are using a SHA-256 hash for the integrity check, and then a server response like a 200, 400 or 500 is used, but for a client who's sending a covert request it would mean something entirely different. I'll explain more on that later.

So why are we using the User-Agent string? First let me explain what a User-Agent string is. If we go inside an HTTP packet, let's see here: this is what your HTTP headers would look like if you see your request going into a website or anywhere you're browsing.

First is your request line, then Host, then Cache. Now if you see the User-Agent: this User-Agent field is used to describe what browser you are using and what version of browser you are using. It helps the server identify whether it supports this browser or not. So we are targeting this field and the Cookie field. The reason to target the User-Agent string is that it is highly customizable. If you see the number of devices which talk to the internet: it's your watch, your smartphone, your laptop, your iPad, your PlayStation, your PS, your Xbox. There are so many User-Agent examples that it's not possible for any server to put a blacklist on certain types of User-Agent strings, especially when your server is customer-facing and you want to attract a lot of people; you can't put a blacklist on User-Agent strings. Here you can see some of the examples, Apple TV, PlayStation; see the variety of User-Agent string examples that we get.

Now what we will do is the lookup table that I mentioned. We will create a lookup table based on all of them. I think there are 97 or 98 ASCII characters; we have used all the special symbols and English characters, so 98 ASCII characters, and we have created a lookup table in which each character uniquely identifies a User-Agent string. How we did this was we first found out what the most used User-Agent strings are in normal communication on the current internet, because if I use something like a Nintendo released in the '90s or '95, that wouldn't make sense; it would clearly stand out, like who's using this older version of browser, that's a very, very old User-Agent string. So you want to use something which is currently used, like recent mobiles from Samsung or Apple, or recent versions of browsers, recent iPads. So we created a list and we mapped it to all the ASCII characters.

Next thing, the rotation that I was talking about. Rotation just means if I'm doing a rotation by one, A was supposed to be here and now A is mapping to this; you are just moving the table by one, shifting the table by one. Why this rotation is important is again to keep our lookup table secret. How we will be doing communication is, suppose I want to transfer "BSides Buffalo". Each HTTP packet will only be carrying one character, so for "BSides Buffalo" it's B, E, sorry, B, S, I, D. For every packet the rotation would be different, so there's not one rotation which all the packets are following. Suppose for the first request the rotation number is one and B is mapped to Mozilla/5.0, that User-Agent; for the next packet the rotation number will change, and the rotation number will be sent within the packet, which is also a part of the shared secret, which I'll show in a later slide. So this is the entire lookup table; I think it got cut, because there are like 98 or 99.

Now, why the Cookie? Here is where all the identification is. We now have our lookup table, we have our secret; now how do I send the rotation number? Because I need to send a rotation number with each request, because our shared secret, the lookup table, is basically the crux of the communication, and the lookup table keeps on changing because we want to maintain that secret. How it changes is we have identified three, sorry, four fields which can help us create this covert channel. First is the PHP session ID. The PHP session ID is a header used in the cookie which is provided by the web server, and it helps maintain the session; it's basically a session ID between the user and the server. If you look at the length of the session ID, this length is customizable, but the most popular lengths that we found are actually equal to the length of an MD5 hash or a SHA-256 hash. So my idea was, why can't I just replace it with the hash of the request that I'm sending? So even if someone is changing my request, modifying my request, this ID would definitely change, and to a normal eye this looks like a normal ID, but it's actually a hash.

The second thing is _ga, _gid and _gat. These three are actually used in Google Analytics. If you have ever thought about how Google is tracking all of us, this is one of those things, how Google keeps track of basically our data. It is used for identifying each user on the website; it's a Google Analytics ID, so it differentiates different users on a website, on a domain. For our covert channel, some of them, it's the lifetime: one of them is like 2 hours, one of them lasts all day, and _gat basically is like a user limit of how many requests you can send to a web server per minute. The meaning doesn't matter that much; the point is we can use these numbers to hide our information in.

So now, the metadata that we are hiding here. As I explained, the PHP session ID stores the hash of the request that we are sending, so even if someone is modifying my User-Agent string (because the User-Agent string is what is carrying the information, it's carrying the character from the lookup table), if someone modifies my User-Agent string the hash will change and the hash of the request will not match. So I can see, okay, my covert channel is no longer safe, it's been tampered with, so I can't use this covert channel anymore.

So this is one of the checks. Now, second, the identifier: the _gat value that you see is used to identify whether this request is a covert request or just a normal request from a user, because we don't want to scan all the requests that we get. If it is a public-facing website, a lot of normal traffic would also come; a normal user would also come. It's not like I'm keeping the website hidden to me and my communication; it's out on the internet, because we want to make it seem like it's just a public website, so it will receive clicks from outside viewers, from people who don't even know there's a covert communication happening. So how do I differentiate my HTTP packet from the packet of a normal user? For that we are using _gat. You can provide a specific value which would be a shared secret between the receiver and the sender, and you can identify based on that: okay, these packets are the ones which are actually carrying the message.

Next is the rotation number. The rotation number here is 28; it's identified by the last two digits. If you see _ga, _ga is broken up like how an IP address is divided by dots; similarly _ga and _gid are broken up by dots. So we are using the last two values before this first dot, in this case 28. 28 means the lookup table that I showed here (one second, I can show it again), this lookup table would be rotated 28 times. For each request this number would be different, and only the server will be able to identify by what number the table has been rotated. Because if I give just one number and one request gets leaked, my whole message is gone, because now they know my secret key, or basically my shared secret. So every time the table is rotated by a different number for each HTTP packet that's going.

Similarly, order. So order, and there's one more thing here, message length. Why is order important? As I explained, if I am transferring a message called "BSides", BSides is sent character by character, so B is sent first, then S is sent. We have put an extra protection measure: we don't send the message in order. Suppose if I'm sending "BSides", so B, S, I, D, E, S, I'll probably send the S first, then D, then B, then I, because I don't want to send the requests in order. It's an extra protection measure, because obviously this is very, very sensitive information; you don't want to give anything away.

The second thing is your message length. How would the server know that I wanted to send a message of, say, 100 characters? How would the server verify? Packets get lost every day; networks have packet loss. If it loses some of the packets, how would it identify: this was the length of message that I wanted to receive and this is the length that I have received? That's why we need to provide a length parameter. Here it's 599; it's provided by the last three digits of the _ga value.

Now, next thing. So this is all the client side; this is everything the client would do to create a packet and then send that request to the server. Now what will happen on the server side? The server again has to decode the message based on the shared secret; it will reconstruct the message, identify what character has been sent and recreate the message. We'll show more about that in the demo. Now what happens if, like I said, the packet dropped, or the network is not good, or the server is down? Here we have used server response codes. For a normal user, a server response code like 200 or 201 or 202 means okay, the message was successfully received, or suppose something like 510 means the server is not responding, something like that. But for our covert client who's sending a covert message, the server response code would have an absolutely different meaning. Suppose it gets a response, say 200; that means this packet was not part of the secret communication, this was just a normal packet by someone from the outside visiting the website. Similarly there's 201, that's just to show that the message has been received successfully. 202 means part of the message was received successfully, as in there were 100 characters and only 50 were received successfully, so send me the rest of the message. Next we have 24 for, which means okay, there was no cookie parameter set, so I can't identify the request, I can't identify the HTTP packet. Next is 48, which means the hash which is in the PHP session ID didn't match, so we are stopping the communication; that means the channel is basically compromised right now, because someone is messing with the hash value, or not the hash value but the contents of the User-Agent string, that's why the hash isn't matching. And the last is the message length mismatch, which basically means packets were lost, so I didn't receive the entire length of the message. So this is basically how it will identify whether the communication has happened or not.

Now for the demo. [Music] One second. So here I have a server running; it's basically coded in very basic Python. We are starting the server on the right side and then we have the client on the left side. Here I've run the sender; it's just asking me, let's say, the name of the file, which is just "message". [Applause] So here you can see this is the constructed HTTP packet which has been sent, and if we look at the corresponding packet, let's see the first one, or we can see the last one since it's still going on.

Yeah, so here we can see the message which was transferred was "BSides Buffalo", and you can see the order in which it was transferred was recreated. At the end it recreates the entire order of the message, it recreates the final message. Let's just take one packet here. Let's take this A here. Here you can see just A was transferred. What it first does is it takes the request and calculates the hash. It calculated the hash on the server side, then it tried matching with what it received in the cookie value; in our PHP session ID, which is where we are sending the hash of the request, here we received the hash which was received in the request, then it calculated it on the server side and matched it. So the hash matched; the request has not been tampered with. Next it calculated the order: here we can see the order is 12 from the _ga value, which means this is the 12th part of the message, the 12th character of the message. Next is the rotation; rotation is basically how much the table was rotated, so it can identify the original ASCII value. Then it found out the total message length is 16, so I have not received the total message yet, so the communication keeps on going. At the end, after it has received everything, it reconstructs the message; it checks the order. You're seeing here it's not received in the correct order, it's received in a jumbled order; it recreates the order, recreates the message, and that's how we get the final message, "BSides Buffalo".

So there are a lot of protective measures used, because it's a covert communication; we don't want to expose any sort of information out in the open. There is an integrity check, there's jumbled order, the length of the message is transferred, and if the hash doesn't match the communication gets cancelled. These are all the protection measures you have to use while creating a covert channel, because highly sensitive information is being passed. So yeah, this was our research paper that we published this year at the International Information Sharing Conference, and this basically sums it up. And yeah, these are completely harmless QR codes, they won't do anything; you can scan them, that's fine.

If anyone has questions?

Audience: Amazing, pretty super clever. Have you considered including the response code in the HTTP header rather than the response? I think that might be the one thing that gives away that the server is a little funky.

Speaker: Yeah, so we did it as a response code because we wanted the client to have feedback, because if I am sending out something I want to get that feedback whether my message was even received by the server or not, whether it was successfully received and decrypted or not, just to get that confirmation that all communication is clear. We got like sending it after the communication; it's a user experience.

Audience: Exactly, yeah. I have a couple of issues I'd like to kind of get in my head. So you're assuming that the web and whatever kind of legitimate-appearing website is under 100% control by the receiving party, right? Rather than doing essentially a dead drop of requests that might get logged on the server and then retrieved by the receiver, possibly to five or six or seven different dead drop locations. Why did you make that decision?

Speaker: So you can do it in a normal communication also. Okay, I don't own the server; I am just a person who wants to send a covert channel packet, and we can do that. But why we decided that the receiver should own the server is because we have a couple of things we are modifying here, like that PHP session ID is one of the big things, because some servers might have configured their session ID to be a different length, and then there would be a mismatch between the hash value length and the session ID length. But we can do it on a normal server: if you open the HTTP header information of a server and you see that all the parameters are modifiable and they are the same length, you can absolutely do it on any server.

Audience: Okay, so one more. You made a claim that no one can make a blacklist around user agents.

Speaker: No, I said you can make it, but you won't make it, because you want a range of devices to access your website.

Audience: Yeah, I mean, not necessarily the person who's receiving the traffic, but rather the person sending now has to have some awareness that their content is filtered by, let's say, an employer that restricts the last 12 user agent strings for Chrome, Firefox and so on, for example, to keep old browsers out of the environment. You have to know that you're coming from an environment where you may not necessarily be able to encode it with up to 96 user agents.

Speaker: Yes, that's why we took, if you go on the Mozilla docs you can see they have this updated list of what the most used user agent strings are. That's why we used the top 100; there are thousands and ten thousands of user agent strings, because there are so many IoT devices, watches, handsets, mobile phones, computers, laptops, iPads. So we only took the top 100 by whole internet traffic, and obviously you need to keep updating them because you don't want to use an outdated one. And if you think that, suppose you don't own the server and the server has blacklisted, let's say, 10 of the user agent strings, that's why we have response codes in place. That means that we cannot use this channel as covert communication, because the response code will tell that the user is not responding or the client is not getting the message, so you might need to use a different channel.

Audience: So you would recommend that, instead of manipulating an application to be read by your application first and then forwarded to the B application running on that website, to set it up as like a subfolder within the website? So that would be Retreat, and that still kind of negates the visibility of it, right? I mean, if you're sending it to, you know, my C2 folder, it's pretty obvious that the only traffic going there is covert communication.

Speaker: Correct, that's why we want to take a public-facing server which originally receives a lot of traffic day-to-day, something like a big website like a library, or something like Amazon, or a shopping site. Okay, thank you so much. [Applause]
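The abstract says the research should encourage tighter filtering of web traffic, so here is a defender-side check for the signals the talk describes, added as an example and not the speakers' proof-of-concept. It assumes the "hash of the request" stored in PHPSESSID is the SHA-256 of the User-Agent string (the talk does not say which bytes are hashed), that a benign Google Analytics _gat cookie carries the value "1", and a constructed threshold of five distinct User-Agents per client; the request records are constructed inline.

```python
"""Flag the User-Agent / Cookie covert-channel signals described in the talk.

Added example, not the speakers' code. It scans HTTP request records and
reports three signals: a PHPSESSID that is really a SHA-256 digest of the
User-Agent (assumption: the talk hashes "the request"), a _gat cookie whose
value is not the usual "1", and one client cycling through many User-Agents
(the per-character lookup table makes every packet carry a different UA).
"""
import hashlib
import re
from collections import defaultdict

HEX64 = re.compile(r"^[0-9a-f]{64}$")
UA_CHURN_THRESHOLD = 5  # distinct UAs per client before we flag (assumption)


def parse_cookie(header):
    """Turn 'a=1; b=2' into a dict; tolerates missing '=' and stray spaces."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def hash_in_session_id(ua, cookies):
    """True when PHPSESSID is exactly the SHA-256 hex digest of the User-Agent."""
    sid = cookies.get("PHPSESSID", "")
    return bool(HEX64.match(sid)) and sid == hashlib.sha256(ua.encode()).hexdigest()


def odd_gat(cookies):
    """Google Analytics sets _gat to '1'; any other value is worth a look."""
    return "_gat" in cookies and cookies["_gat"] != "1"


def scan(requests):
    """Return a list of (client, reason) findings over the request records."""
    findings = []
    uas_by_client = defaultdict(set)
    for req in requests:
        cookies = parse_cookie(req.get("cookie", ""))
        ua = req.get("user_agent", "")
        uas_by_client[req["client"]].add(ua)
        if hash_in_session_id(ua, cookies):
            findings.append((req["client"], "PHPSESSID equals sha256(User-Agent)"))
        if odd_gat(cookies):
            findings.append((req["client"], "_gat has non-standard value %r" % cookies["_gat"]))
    for client, uas in uas_by_client.items():
        if len(uas) >= UA_CHURN_THRESHOLD:
            findings.append((client, "%d distinct User-Agents from one client" % len(uas)))
    return findings


def covert_request(client, ua, gat="77"):
    """Constructed request record shaped like the packets shown in the talk."""
    digest = hashlib.sha256(ua.encode()).hexdigest()
    return {"client": client, "user_agent": ua,
            "cookie": "PHPSESSID=%s; _ga=GA1.2.28.599; _gid=GA1.2.1; _gat=%s" % (digest, gat)}


# Constructed sample: one benign browser session plus one client cycling UAs.
SAMPLE = [
    {"client": "10.0.0.5", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0",
     "cookie": "PHPSESSID=abc123def456; _ga=GA1.2.1234567890.1700000000; _gat=1"},
] + [covert_request("10.0.0.9", "UA-sample-%d" % i) for i in range(6)]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE):
        print(client, reason)
```

The benign client produces no findings; the constructed covert client is flagged on every request for the hash-shaped session ID and the odd _gat value, and once for User-Agent churn.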