>Читая разного рода такую информацию, я понял, что наиболее реально создать пока
>что DNS-туннель - медленно, но все же что-то, чем ничего :-)
>А как его сделать и чем его сделать?
Вот что я нашел у себя в закромах:
---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 06 of 17
-------------------------[ L O K I 2 (the implementation)
--------[ daemon9 <email@example.com>
This is the companion code to go with the article on covert channels in
network protocols that originally appeared in P49-06. The article does not
explain the concepts, it only covers the implementation. Readers desiring more
information are directed to P49-06.
LOKI2 is an information-tunneling program. It is a proof of concept work
intending to draw attention to the insecurity that is present in many network
protocols. In this implementation, we tunnel simple shell commands inside of
ICMP_ECHO / ICMP_ECHOREPLY and DNS namelookup query / reply traffic. To the
network protocol analyzer, this traffic seems like ordinary benign packets of
the corresponding protocol. To the correct listener (the LOKI2 daemon)
however, the packets are recognized for what they really are. Some of the
features offered are: three different cryptography options and on-the-fly
protocol swapping (which is a beta feature and may not be available in your
The vulnerabilities presented here are not new. They have been known
about and actively exploited for years. LOKI2 is simply one possible
implementation. Implementations of similar programs exist for UDP, TCP, IGMP,
etc... This is by no means limited to type 0 and type 8 ICMP packets.
Before you go ahead and patch owned hosts with lokid, keep in mind that
when linked against the crypto libraries, it is around 70k, with about 16k
alone in the data segment. It also forks off at least twice per client
request. This is not a clandestine program. You want clandestine?
Implement LOKI2 as an lkm, or, even better, write kernel diffs and make it
part of the O/S.
----------------------[ BUILDING AND INSTALLATION
Building LOKI2 should be painless. GNU autoconf was not really needed for
this project; consequently you may have to edit the Makefile a bit. This
shouldn't be a problem, becuase you are very smart.
----[ I. Edit the toplevel Makefile
1) Make sure your OS is supported. As of this distribution, we suppport the
following (if you port LOKI2 to another architecture, please send me the
2) Pick an encryption technology. STRONG_CRYPTO (DH and Blowfish),
WEAK_CRYPTO (XOR), or NO_CRYPTO (data is transmitted in plaintext).
3) If you choose STRONG_CRYPTO, uncomment LIB_CRYPTO_PATH, CLIB, and MD5_OBJ.
You will also need SSLeay (see below).
4) Chose whether or not to allocate a psudeo terminal (PTY) (may not be
implemented) or just use popen (POPEN) and use the
`pipe -> fork -> exec -> sh` sequence to execute commands.
5) See Net/3 restrictions below and adjust accordingly.
6) Pausing between sends is a good idea, especially when both hosts are on
the same Ethernet. We are dealing with a potentially lossy protocol and
there is no reliablity layer added as of this version... SEND_PAUSE
maintains some order and keeps the daemon from spewing packets too fast.
You can also opt to increase the pause to a consdiderably larger value,
making the channel harder to track on the part of the netework snooper.
(This would, of course, necessitate the client to choose an even larger
----[ II. Supplemental librarys
1) If you are using STRONG_CRYPTO you will need to get the SSLeay crypto
library, version 0.6.6. DO NOT get version 0.8.x as it is untested with
LOKI2. Hopefully these URLs will not expire anytime soon:
2) Build and install SSLeay. If you decide not to install it, Make sure you
correct the crypto library path LIB_CRYPTO_PATH in the Makefile and
include paths in loki.h.
----[ III. Compilation and linking
1) From the the toplevel directory, `make systemtype`.
2) This will build and strip the executables.
----[ IV. Testing
1) Start the daemon in verbose mode using ICMP_ECHO (the default) `./lokid`
2) Start up a client `./loki -d localhost`
3) Issue an `ls`.
4) You should see a short listing of the root directory.
6) For real world testing, install the daemon on a remote machine and go to
town. See below for potential problems.
----[ V. Other Options
The loki.h header file offers a series of configurable options.
MIN_TIMEOUT is the minimum amount of time in whole seconds the client will
wait for a response from the server before the alarm timer goes
MAX_RETRAN (STRONG_CRYPTO only) is the maximum amount of time in whole
seconds the client will retransmit its initial public key
handshaking packets before giving up. This feature will be
deprecated when a reliability layer is added.
MAX_CLIENT is the maximum amount of clients the server will accept and
KEY_TIMER is the maximum amount of time in whole seconds an idle client
entry will be allowed to live in the servers database. If this
amount of time has elapsed, all entries in the servers client
database that have been inactive for KEY_TIMER seconds will be
removed. This provides the server with a simple way to clean up
resources from crashed or idle clients.