

Posted Oct 10, 2002
Authored by Rohits

This paper describes how it is possible to send data in TCP headers using the acknowledgment numbers.

tags | paper, tcp
systems | unix
SHA-256 | 7d3622c2a90e4c221166d445cceb86235ad4192fe69fee022fc63d44f568f214



Fun under the nose:::

Am not sure if this has been discussed anytime before
but whatever !!! May sound bit silly :D, but it is
very much

This possibly explains how a spyware module can
communicate with the other host and may send some
confidential data without actually putting anything in
the payload, right under administrator's eyes.
Neither am I sure if it has been
implemented before but something like this is easy to
implement in my opinion.

Imagine a Watchdog client (WDC) probing some XYZ host
every 30 seconds for some service etc... Attached
to the WDClient is nothing but a spyware module. Now,
since the WDClient generally runs in superuser mode (as it
has to alert or log etc), it is easy for the WDC to make
use of all those restricted resources. After it has
the confidential text it can encrypt it in some
number form and send it in the TCP header and not the
payload. Yes, the TCP header, as the acknowledgement number.

It need not modify the payload or the actual data
content. If the text is too big simply fragment it and
put it across as the different TCP acks and number the
sequence number accordingly to reassemble the text
properly. Actually this sounds funny or not possible
but for any watchdog that may work over TCP it can be
very simply implemented.

You will say that on the receiving end the tcp/kernel
stack maintaining any connections will simply drop
this packet as the ack number is bogus, but what if we
are using some sniffer made with libpcap and sniffing
the packets at the ethernet layer etc.

Here in the libnet generated packet I am simply
sending the text "Rohit" in the TCP header. Look at the
acknowledgement field: each char is its actual
position in the alphabetic list. R-18 o-15 etc...
Similarly in the next packet I can send something like
"Sharma" but with the sequence no. 11112

From the test example from the libnet project:

    /* Build the TCP header. */
    libnet_build_tcp(src_prt,             /* Source TCP port */
                     dst_prt,             /* Destination TCP port */
                     11111,               /* Sequence number */
                     1815080920,          /* Acknowledgement number */
                     TH_SYN,              /* Control flags */
                     1024,                /* Window size */
                     0,                   /* Urgent pointer */
                     NULL,                /* Pointer to payload (none) */
                     buf + LIBNET_IP_H);  /* Packet header memory */

It is very much possible that the administrator will
never look at the ack field for any packet that is
generated after every 30 seconds or so. The other end
will simply read such a packet ... to differentiate
among the other normal packets the sequence nos
starting with all 1's or 2's etc can differentiate
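
Added example (not part of the original paper or the libnet project): a monitoring-side check for the packet shown above, which flags a TCP header whose acknowledgement field is non-zero while the ACK flag is clear, then decodes the two-digit letter scheme so an analyst can see what was carried. The sample header bytes, port numbers and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FLAG_ACK 0x10

/* Constructed sample: 20-byte TCP header, SYN only, seq 11111,
 * ack 1815080920 (0x6C2FEFD8), window 1024. Ports are made up. */
static const uint8_t SAMPLE_SYN[20] = {
    0x04, 0xD2, 0x00, 0x50, 0x00, 0x00, 0x2B, 0x67, 0x6C, 0x2F, 0xEF, 0xD8,
    0x50, 0x02, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Acknowledgement number: header bytes 8..11, network byte order. */
static uint32_t tcp_ack(const uint8_t *tcp) {
    return ((uint32_t)tcp[8] << 24) | ((uint32_t)tcp[9] << 16) |
           ((uint32_t)tcp[10] << 8) | (uint32_t)tcp[11];
}

/* The ack field only carries meaning when the ACK flag is set (RFC 793),
 * so a non-zero value without that flag is worth an alert. */
int ack_field_suspicious(const uint8_t *tcp, size_t len) {
    if (len < 20) return 0;              /* not a complete TCP header */
    return !(tcp[13] & TCP_FLAG_ACK) && tcp_ack(tcp) != 0;
}

/* Decode the paper's scheme: decimal digit pairs 01..26 -> a..z.
 * Returns the letter count, or -1 if the value is not in that form. */
int decode_ack_letters(uint32_t ack, char *out, size_t outsz) {
    char d[11];
    int n = 0;
    if (outsz == 0) return -1;
    snprintf(d, sizeof d, "%010u", (unsigned)ack);
    for (int i = 0; i < 10; i += 2) {
        int v = (d[i] - '0') * 10 + (d[i + 1] - '0');
        if (v == 0 && n == 0) continue;  /* leading zero padding */
        if (v < 1 || v > 26 || (size_t)n + 1 >= outsz) return -1;
        out[n++] = (char)('a' + v - 1);
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char text[8];
    if (ack_field_suspicious(SAMPLE_SYN, sizeof SAMPLE_SYN) &&
        decode_ack_letters(tcp_ack(SAMPLE_SYN), text, sizeof text) > 0)
        printf("ALERT: ack set without ACK flag, decodes to \"%s\"\n", text);
    return 0;
}
```

The flag check is independent of the encoding, so it still fires when the ack value is carried in some other numeric form.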
