
Data Exfiltration: Secret Chat Application Using Wi-Fi Covert Channel

BSides Munich · 2017 · 21:11 · 459 views · Published 2017-04 · Watch on YouTube ↗
About this talk
Data Exfiltration: Secret Chat Application Using Wi-Fi Covert Channel by Yago Hansen at the BSidesMunich 2017
Transcript [en]

Thank you very much for being here, for attending this speech, because I know it's difficult; in Spain we would be doing siesta at this time, so it's something very good for the health. Okay, we are going to speak about one ultra-secret chat application, or let's say script, because many of the things we do are proofs of concept just programmed in Python, because as you know it's much easier than coding in C, for example, but only for any kind of proof of concept, because if you are going to develop something for production you won't use Python at the end; you will translate the code to C, for example, because you will have more performance, and for packet manipulation it's necessary to have a lot of performance.

Okay, not too much. I want to leave you time to read everything, but if you want you can just follow me on Twitter or LinkedIn and I'll respond. The only things I respond to are Twitter and LinkedIn. You don't need to try to contact me on Facebook or something like that, because I don't use that kind of social network.

Okay, let us talk about data exfiltration. Exfiltration is something that has been done more and more during the last years. You have heard that in 2016 there were a lot of data leaks, very important data leaks, in big companies, in governments and in many places. And as you know, the defenses are each day more and more robust and safe, but still there have been a lot of data leaks, even if the defenses are increasing every day. So data exfiltration, one of the things is that it requires physical access. Of course, I won't speak about data exfiltration remotely. I have to have physical access. Yes, physical or let us say logical, but I have to have some kind of access so that I can be inside the network. It's used, of course, to steal information. Sometimes it's like the Tor network: it will be used for privacy, but it's just a bad explanation of the usage. Usually it's used to steal information from security facilities. It requires strict data access prevention and DLP techniques. Yes, it's very difficult to control data exfiltration. That's the reason there have been a lot of leaks in the last years. So it's difficult to detect that you are being stolen from. In governments and secure corporate environments it's difficult to succeed. Yes, because they have a lot of honeynets and IDS, IPS, DLP systems that will try to log and to control everything that's been touched and that's been taken outside. If some of you have worked in intelligence facilities or in secure government facilities, you will see that there are no mobile phones or pendrives available, it's not possible to bring them inside; there are a lot of controls that don't let you steal data from them, so it's difficult to get data outside.

Traditional methods versus more creative methods. When we talk about data exfiltration, and when we talk of course about covert channels, many of us are thinking about DNS data exfiltration, ICMP, ARP. There are a lot of protocols that in the last years have been used for data exfiltration using covert channels. It's difficult to control the transmission of data using these protocols because the packets are not supposed to be doing what they are doing. So it's very difficult to control by security systems. When the main channels are secured, data exfiltration gets difficult. That's it. So you have to look into more creative ways to do it. Information hiding using covert channels or hidden channels, that's what we are talking about: introducing modifications in protocols, or payloads inside protocols, to permit these protocols to be used for other things than what they are supposed to do, for example DNS. There have to be shared resources for sender and receiver. There has to be a synchronization. That means if I'm going to steal the data using a covert channel, using for example ICMP, there has to be an IP address inside and an IP address outside to synchronize the data between them. Sometimes it's not easy to do. And you have to elude standard hardware, firmware, software to be able to do that. Sometimes it's just doing modifications in the protocol. Python is a good help for doing it, and some packet manipulation libraries are very good for creating covert channels.

We are going to speak today about layer 2 data exfiltration using covert channels. In this case, in the case of layer 2, we are trying to take advantage of technology and standards. That means we will use the standards, modify them, and be able to use hardware, for example in my case a monitor mode Wi-Fi card, to transmit packets that normally should be layer 2 802.11 packets, but I have modified them to be able to put some payload inside, while trying to look like standard Wi-Fi packets. That's it. And if we are speaking about channels, the covert channels have to be undetectable and non-interceptable. That's a good covert channel: a covert channel where you can just look at the traffic and it seems normal traffic, or maybe malformed traffic, and it's difficult to intercept, because many times when we modify the protocols, the standards, the normal Wi-Fi cards that you have in your sensors or in your computers will just detect some malformed packets and silently discard them. So it's difficult to analyze that my packets, my malformed packets, are just the good packets for the covert channel, so the sensors will not trigger an alarm, because they will not even be able to read the packets, because they are malformed. So that's an advantage also, and the only way is clearly sniffing packets and trying to recognize them by patterns, maybe, or to know the way we are doing the covert channel. So it's like the honeypot speech: the only trick is my covert channel application, my script is just my script. I happen to share it with you, because you will read the code and you will understand what I'm doing with the packets. In the case of Python, of course, or in the case of other programming languages, you will just try to reverse the code to understand what I'm doing with the packets. So that's the only way of trying to sniff and recognize my patterns.

Data obfuscation and encryption is what we are going to use. We are not only going to use a covert channel, a normal covert channel manipulating packets; we are also going to obfuscate the packets so they are not recognized by other sniffers. And also we will use encryption.

That's a probe request frame in the 802.11 protocol. That's a typical probe request, the typical probe request that, for example, a smartphone sends to ask for a network. It asks, saying, okay, I would like to connect to this network. Is this network on the air now, here, in my coverage area? So that's it. If you see the normal frame, the 802.11 frame, you will see there's a frame control field with all these flags inside, the duration, address 1, address 2, address 3 and address 4, the sequence count, which is just a number, the frame body, and then the checksum of the frame. That's a normal management frame, for example, or data frame in the Wi-Fi protocol. I will just try to use some of the fields that I read on the frame and I will modify them to be used by my own protocol. So I will include, for example, in address 1, that's the destination address, one specific address. So every one of the, let's say, nodes that will be listening to the air will know that by one specific MAC address this is the traffic for them. Okay, so that's, let us say, that's my telephone number. I will put here the remote address. And what about the source address? In every packet that I send to the air I will randomize it. Okay, so it's difficult to recognize any pattern that all the packets are generated by one physical address. No, every packet will have another one, a different one. In address 3, that's the receiver address, I will also use the remote address, the same one. I will use a sequence counter for me. Yes, because I want to see which packet is unique on the network, because I want to send each packet one time. In Wi-Fi, it's impossible to reach the destination like this; you will need to send each packet like 100 times. And there, maybe 100 meters away, somebody is listening, the remote node is listening and detecting my packets maybe once every 100 packets that I send. So it's enough, but I have to discard the other ones, the other repetitions, so I will use the sequence counter as my unique packet counter. And about the frame body, what will I do with the frame body? I will include something that is inside the standards, whose name is information elements, the IE fields. And I will use them as containers where I will put information. For example, I will put nothing inside the SSID, because it's easy to recognize by any system. So I don't want to be recognized; I will keep it empty. But in some of these strange 802.11 fields I will put, for example, the user ID, because we are speaking about the chat application, so each user will have a unique ID to be recognized inside the network, and with this script there will be possibly many receivers, not only one, many participants. It will be a chat application for many users. So I will put my user ID and I will cipher then the username plus the sequence counter, just to recognize that this packet is unique for one user, because maybe two different nodes will repeat the same sequence counter, so I will keep track of repeated sequence counters, and I need another field, this is the ciphered username. And then I will include inside other fields, this one for example, this WPS field of the probe request, for example the message that we are going to transmit or a part of a file that I'm going to send. So that's the way I'll make a modification of each packet, which of course can be and has to be debugged with sniffers like Wireshark, of course, which we are always using. So you see, that's one of the packets. It's a normal probe request packet, okay, and I include a lot of fields inside; inside each one there's information that I'm sending, okay.

Okay, what do we need to use this script? We will need to use monitor mode, the Linux operating system, Python, and a packet manipulation library. I recommend Scapy, which is very easy to use and very good for manipulating low-level packets. With Scapy you will see that... well, let us see the demo and you will see how it works. Okay, here. I want you to see, to check how I'm constructing in Scapy, in Python, one probe request packet. Okay, I forged it, and if you see, a packet has a lot of layers: Dot11, the RadioTap header, a lot of headers and layers. So I'm just putting what I want to put inside the info of every information element, for example the message, for example the payload, the command I'm going to use. So that's what we are doing at the end: we are just constructing the packet and then sending it a lot of times. It's fully configurable, you can send each packet 100 times or whatever, it depends. And I'm also using the nodes as repeaters, because Wi-Fi has not a big coverage, so everyone that receives the packet from another node will repeat it a hundred times to the air, so we are increasing the coverage of the network.

And what about how it works? You will see it here. I start the application, I enter the parent interface I'm going to use. In my case I have two in my computer, I have wlan2 and wlan1, so it creates automatically a monitor mode interface, mon1 and mon2, and you will enter your alias, your nickname inside the chat, Bob, Alice, whatever. And this is the most important: you will create a room, a private room for you. That means that this word is the most important, because from this word will be derived the AES encryption and also the destination address of this chat room. So everybody will send the packets to this address, and also the channel. The channel is also derived from the secret room. So it has to be a strong authentication. So here it is. For example, I say, Bob, hi. Okay. And say, how are you. Okay, and the other node, that's maybe 100 meters away, will receive "how are you". Okay, I can include a file, a picture, whatever. We have special commands, like for example, let me see, this is an English keyboard, file, for example, dummy.txt. Sending file, dummy.txt. I put in the class some commands, like which users are connected, etc., and you will see commands inside the chat application; as in any old IRC program you will have special commands inside. Okay.

And last, the last one, that's the conclusion. Okay, it's very difficult to detect the packets in the air. The difficulties in Wi-Fi are always the drivers, the injection capabilities of the monitor mode card that you are using for this kind of script, because, for example, if you use any monitor mode card, it can maybe not inject malformed packets into the air. So sometimes it's difficult to find the right hardware for doing that. And it's also difficult to implement anti-detection techniques, but using this kind of covert channel, it's easy.

Thank you so much, Yago. I think we're going to see a lot more of this. Go ahead.

The two chat participants have to be in the same reach, right? They have to see each other, or...

Yes, of course, in Wi-Fi coverage, let us say, they have to be about 50 to 100 meters away, but in buildings, for example big buildings, you can have more participants and everyone will act as a repeater of the packets. So you will be increasing the distance you can reach.

Okay, we're running a little bit behind. If that's okay, we can maybe continue the discussion in one of the breakout rooms. I think that's really interesting. Yeah, okay. Thank you. Thank you.
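One check a Wi-Fi sensor could apply to the probe requests the talk describes, written here as an added illustration rather than code from the talk or the speaker's script: it parses the frame body's information elements and flags a vendor-specific WPS element whose content is not a well-formed chain of WPS attributes, which is what happens when ciphertext is stuffed into it. The `ie` helper, the function names and both sample frame bodies are constructed for this example.

```python
import struct

def ie(eid: int, value: bytes) -> bytes:
    """Encode one 802.11 information element as ID, length, value."""
    return bytes([eid, len(value)]) + value

def parse_ies(body: bytes):
    """Split a frame body into (id, value, truncated) tuples. An element whose declared
    length overruns the body is returned with truncated=True instead of raising."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        ies.append((eid, value, len(value) < length))
        i += 2 + length
    return ies

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # vendor-specific IE 221: Microsoft OUI 00:50:F2, type 4 = WPS

def wps_attrs_well_formed(data: bytes) -> bool:
    """Real WPS data is a chain of attributes (2-byte type, 2-byte length, value) that ends
    exactly at the last byte. Opaque ciphertext dropped into the element will almost never
    satisfy this, so it is a cheap structural check that needs no key or signature."""
    i = 0
    while i < len(data):
        if i + 4 > len(data):
            return False
        _, attr_len = struct.unpack(">HH", data[i:i + 4])
        i += 4 + attr_len
    return i == len(data)

def analyse_probe_body(body: bytes):
    """Return the reasons a probe request body looks like a payload carrier (empty = clean)."""
    reasons = []
    for eid, value, truncated in parse_ies(body):
        if truncated:
            reasons.append(f"IE {eid} overruns frame body")
        elif eid == 221 and value[:4] == WPS_OUI_TYPE and not wps_attrs_well_formed(value[4:]):
            reasons.append(f"WPS IE carries {len(value) - 4} bytes that are not WPS attributes")
    return reasons

# Constructed sample bodies (not captures from the talk): SSID, supported rates, WPS IE.
# Benign WPS data = Version attribute (0x104A, 1 byte) + Request Type attribute (0x103A, 1 byte).
BENIGN_BODY = (ie(0, b"CorpWiFi") + ie(1, b"\x82\x84\x8b\x96")
               + ie(221, WPS_OUI_TYPE + b"\x10\x4a\x00\x01\x10" + b"\x10\x3a\x00\x01\x00"))
# Empty SSID plus 20 opaque bytes in the WPS element, standing in for ciphertext.
COVERT_BODY = (ie(0, b"") + ie(1, b"\x82\x84\x8b\x96")
               + ie(221, WPS_OUI_TYPE + bytes(range(0x9f, 0x9f + 20))))
```

An empty SSID alone is not an indicator, since wildcard probe requests are normal; the structural mismatch inside the WPS element is what separates the stuffed frame from the benign one.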