CCTT - Covert Channel Tunneling Tool v0.1.7 - LISEZMOI
Copyright (C) Simon Castro - scastro@entreelibre.com
$Id: README,v 1.11 2003/06/10 15:21:16 simsim Exp $
---

  This file is part of CCTT - Covert Channel Tunneling Tool v0.1.7 (C) Simon Castro.
  Cctt is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
  Cctt is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
  You should have received a copy of the GNU General Public License along with Cctt; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

---

Gray-World.net
Introduction
I) Why this Name : CCTT ?
    A) Covert Channel Tunneling Testing
    B) Covert Channel Testing Tool
    C) Examples
II) Why CCTT ?
    A) What kind of data streams ?
    B) What kind of channels ?
    C) Extension of functionalities ?
    D) License ?
    E) Platforms ?
    F) Languages ?
    G) Why so many parameters ?
    H) Why is the released version an alpha one ?
III) Warning
    A) CCTT security
    B) Legal considerations
IV) Planned functionalities
V) Bibliography / Webography
    A) Bibliography / Webography
    B) Discussion forum
    C) Patches
VI) Thanks

---

Gray-World.net
--

  Gray-world.net is a website dedicated to the topic of NACS (Network Access Control System) bypassing, on which Alex and I present our projects and papers, together with tools, papers and links we found interesting.

Introduction
--

Exploitation of data streams authorized by a network access control system for an arbitrary data transfer - Version 1.0 - Simon Castro (scastro@entreelibre.com) / English Version : Hadi El-Khoury (helkhoury@entreelibre.com)

  Authorizations of data transit between interconnected networks, via one or several network access control systems, are defined and implemented according to a security policy. A sound network access control policy rests on the following principle: block every data stream that has not been explicitly allowed.
  In other words : "We block everything, and then we allow specific and precise access" !

  The most common network access control schemes rely on tools, used alone or in combination, that perform some kind of filtering at several layers of the OSI model (networking devices : layers 2 and 3, routers : layer 3, firewalls : layers 3, 4 and sometimes 5).
  Other tools, which interact with network streams at the higher layers of the OSI model, can be combined with these devices: mandatory proxy servers, anti-virus, Intrusion Detection Systems, content filtering tools, Anomaly Detection Systems, etc.

  Nevertheless, even with these network access control schemes in place, it is possible at the present time, through several evasion methods, to use streams authorized by the security policy to carry arbitrary data whose transit was never intended to be allowed. These evasion methods allow the opening of communication channels (covert channels, subliminal channels) giving access to external services from within the internal network, or access to internal resources from the external network.

  The cornerstone of these evasion techniques is the lack of verification of the actual content of transiting data. The various implementations of access control schemes rely on a kind of "protocol abstraction", i.e. the assumption that a data transfer built on the several layers of the OSI model can only carry data originating from the expected underlying protocols.

  Though it is possible to detect certain abnormal streams traversing a network access control system, one can take for granted that the use of certain communication channels is undetectable at the present time.

I) Why this Name : CCTT ?
--

  CCTT, which may stand for either "Covert Channel Tunneling Testing" or "Covert Channel Testing Tool", is a tool demonstrating several exploitation techniques that allow the creation of arbitrary data transfer channels within the data streams authorized by a network access control system.

  A) Covert Channel Tunneling Testing

    CCTT enables the encapsulation of data streams within high-layer OSI model protocols, for the purpose of creating arbitrary data channels transiting across network access control systems.

  B) Covert Channel Testing Tool

    CCTT enables the creation of communication channels through network access control systems, producing data streams which can :
      * get a shell on an external server from within the internal network.
      * give a shell on a box located within the internal network to an external server.
      * set up TCP/UDP/HTTP channels allowing TCP data streams (SSH, SMTP, POP, etc.) between an external server and a box within the internal network.

    To sum up, CCTT, the "Covert Channel Tunneling Tool", enables covert channels to be set up in authorized data streams in such a way as to bypass network access control systems.

  C) Examples

    Look at the EXAMPLES file.

The CCTT acronym is also an untranslatable French pun.

II) Why CCTT ?
--

  There exist, at the present time, many tools offering the CCTT functionalities (or the planned CCTT functionalities) - look at V) Bibliography / Webography for a good starting point on this topic.

  After a year and a half thinking about this topic (and, more or less, using the tools I quote in V) Bibliography / Webography), I realized that no existing tool let me implement the evasion methods I had in mind.

  Thus, I decided to code CCTT so that I could add the functionalities I wanted. And to be honest, I thought that adding functionalities would be easier if the code was mine :)

    A) What kind of data streams ?

      * The server had to be able to manage multiple clients.
      * The server had to be able to give shell access to clients.
      * The server and client had to be able to work in a "proxy" mode : the CCTT client accepts connections from application clients, tunnels them to the CCTT server, and the CCTT server forwards the data to the application servers.
      * The server had to be able to accept several "proxy" requests on the same OSI model layer 4 port.

        Ex:
        Arrows show the connection direction.

           SSH Client --> CCTT Client -------> Internet --> CCTT Server --> SSH Server
           <_______internal_network____A.C.S_> Internet <____x_external_networks_____>

      * Since v0.1.5, I have also added a reverse proxy mode.

        Ex:
        Arrows show the connection direction.

                        2                3                1            1                          4
             SSH Client --> CCTT Client --> CCTT Server <-- Internet <-- Reverse CCTT Client -----------> SSH Server
         <_____________x_external_networks_____________> Internet <____internal_network____><__internal_or_external_network__>


    B) What kind of channels ?

      Network streams at OSI model layers 3 or 4 may be modified by networking devices during client <-> server transport. I therefore decided to implement CCTT on top of the higher OSI model layers, which are widely used at the present time.

    C) Extension of functionalities ?

      I tried to make the addition of new functionalities as simple as possible : you can add functions into several parts of the code without having to understand the whole CCTT code base.

      Look at the LISEZMOI.developpeurs file for further information.

    D) License ?

      Of course... You should have seen it...

    E) Platforms ?

      As much as possible :)

       For now, provided the prerequisite libraries are installed, CCTT has been checked on :
         # Linux : Debian 2.2 and 3.0 stable, Mandrake 8.
         # BSD : OpenBSD 3.0 and 3.2.
         # Mac OS X : 10.2.
         # Win32 : built under Cygwin (look at the README.win32 file).

    F) Languages ?

      French first of all ... English of course ... Russian, with a big thank you to Alex...
      Anyway, would anyone like to translate ?

    G) Why so many parameters ?

      Because I am as interested in detecting that kind of data stream as in creating it.
      It was crucial to me to write something which could "emulate" some of the available tools, something to which I could add or remove all the functionalities I wanted, and not merely something that would be hard to detect at the present time.

    H) Why is the released version an alpha one ?

      For several reasons :
        * CCTT still has to be reviewed to clean up the code.
        * Is there any publicly available tool doing what this version does ?
        * Anyone can use the current release to add what they want.
        * Because delaying again and again is not good (?)

III) Warning
--

    A) CCTT security

      CCTT is a testing tool. I recommend not using it as a front-end before a clean audit.
      As a testing tool, I recommend that you do not use production logins/passwords with it... except if you use SSH in proxy mode :)

      All things considered, I tried to write 'clean' code... But it was sometimes difficult, and I was in a hurry to release something usable.

    B) Legal considerations

      I remind the CCTT user (*) that, in addition to the legal considerations specific to the GPL license under which CCTT is released, the use (**) of CCTT is subject to all the laws of the country where it is distributed and/or used.

      CCTT is first of all a testing tool implementing several aspects already found in the public domain. It is aimed at helping security officers / engineers to verify in practice the security of the networks that they are LEGALLY in charge of.

      These articles are specific to French readers, but it would be better for you to know the legal considerations of your own country. CCTT is not meant to be used to violate articles 323-1 through 323-3 of the "Nouveau Code Penal", nor any article that refers to them - whether already in force or still a bill.

      (*) By user, I mean a CCTT user (of an executable compiled from the sources that I provide, and only from these). I also mean by user any other person using the code I am providing, or any other documentation, configuration or other file enclosed in the distribution I am providing, whether for the purpose of thinking about, discussing or implementing all or part of the source code or executable.

      (**) By use, I mean the use of CCTT (an executable compiled from the sources that I provide, and only from these). I also mean by use any other use of the code I am providing, or of any other documentation, configuration or other file enclosed in the distribution I am providing, whether for the purpose of thinking about, discussing or implementing all or part of the source code or executable.

      Special note to all French readers : I can only recommend that you read carefully articles 323-1 through 323-3 of the new Penal Code, or any article that refers to them - especially the bill for trust in the digital economy ("projet de loi pour la confiance dans l'Economie numerique") presented in mid January 2003 by the "Ministre delegue a l'Industrie".

IV) Planned functionalities
--

   Look at the AFAIRE.xxx files :)

V) Bibliography / Webography
--

  First of all, have a look at http://www.gray-world.net, a web site dedicated to the Network Access Control System (NACS) bypassing subject.

  A) Bibliography / Webography

    Have a look at the http://www.gray-world.net website.

  B) Discussion forum

    You can post feature requests and bug reports, and discuss CCTT, on an online forum located at http://gray-world.net/board/viewforum.php?f=4

  C) Patches

    Patches for the current version (if any) are announced on the discussion forum and available at http://www.entreelibre.com/cctt/patches/.

VI) Thanks
--

  Modu : for the discussions about functionalities, implementation, etc.
  Hadi : he agreed to do the English version and to correct my spelling mistakes :)
  Alex : not only for the Russian translation and the discussion forum...

  Have a look at the ChangeLog file for further information concerning the contributions.

Simon Castro - scastro@entreelibre.com
