GRAY-WORLD.NET TEAM
Unusual firewall bypassing techniques, network and computer security.

It was all very well to say `Drink me,' but the wise little Alice was not going to do that in a hurry. `No, I'll look first,' she said, `and see whether it's marked "poison" or not'; for she had read several nice little histories about children who had got burnt, and eaten up by wild beasts and other unpleasant things, all because they would not remember the simple rules their friends had taught them: such as, that a red-hot poker will burn you if you hold it too long; and that if you cut your finger very deeply with a knife, it usually bleeds; and she had never forgotten that, if you drink much from a bottle marked `poison,' it is almost certain to disagree with you, sooner or later.

Lewis Carroll "Alice In Wonderland"
Projects

Cctde is a first implementation of the Gray-World.net paper "Covert Channel and Tunneling over the HTTP protocol Detection: GW implementation theoretical design".

The main goal of this project is to provide a way to record and disclose information that leads to the detection of unauthorized tunnels and covert channels embedded in the HTTP protocol, but the concepts could also be applied to the detection of arbitrary data flows inside other high-level protocols.

Located between a mandatory HTTP proxy server and the HTTP clients (or in front of the NACS, the network access control system, if no proxy exists), cctde attempts to detect whether someone on the internal network is using a CC|T (Covert Channel or Tunneling) tool to bypass the NACS.

Located in front of corporate servers in a DMZ, cctde attempts to detect whether someone located on the Internet is using server-side tools such as WebShell or Firepass to cross the NACS boundary.

Cctde is currently designed as an analysis back-end for the Snort NIDS. Snort acts as a network sensor, optionally recording data streams in tcpdump-format binary files, and communicates with cctde over a Unix socket. Cctde reads Snort alerts and pcap packets from the Unix socket and stores them in memory. It is then possible to correlate the recorded data in order to detect specific network activities.
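To make the sensor/back-end split concrete, here is an added example (not cctde's own code, and not the analysis the paper describes) that emulates the data path above: a "sensor" side writes a tcpdump-format (pcap) stream into a Unix socket pair, the "analysis" side parses the global header and packet records as they arrive, keeps the frames in memory, and then runs a correlation pass over the stored HTTP requests. The frames, IP addresses and URIs are constructed test data, and the correlation heuristic (many requests to one URI at a machine-regular cadence from a single client) is an assumption chosen for illustration only.

```python
import socket
import struct
from collections import defaultdict
from statistics import pstdev

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1

def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples into a pcap stream (constructed test data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def build_http_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame carrying `payload`; checksums left zero (constructed)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

def read_exact(sock, n):
    """Read exactly n bytes from a stream socket; raise EOFError if the sensor hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("sensor closed the socket")
        buf += chunk
    return buf

def read_pcap_stream(sock):
    """Yield (timestamp, raw_frame) for each pcap record arriving over the socket."""
    hdr = read_exact(sock, 24)
    magic, linktype = struct.unpack("<I", hdr[:4])[0], struct.unpack("<I", hdr[20:24])[0]
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header (magic %#x, linktype %d)" % (magic, linktype))
    while True:
        try:
            rec = read_exact(sock, 16)          # per-packet record header
        except EOFError:
            return                              # clean end of stream
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
        yield ts_sec + ts_usec / 1e6, read_exact(sock, incl_len)

def decode_http(frame):
    """Return (src_ip, dst_ip, method, uri) if the frame carries an HTTP request line, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None                             # not IPv4 over Ethernet, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
    line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(line) < 3 or not line[2].startswith(b"HTTP/"):
        return None
    return src, dst, line[0].decode(), line[1].decode()

def correlate(records, min_requests=5, max_jitter=0.5):
    """Flag (client, server, uri) flows polled at near-constant intervals (assumed heuristic)."""
    by_flow = defaultdict(list)
    for ts, frame in records:
        req = decode_http(frame)
        if req:
            src, dst, _method, uri = req
            by_flow[(src, dst, uri)].append(ts)
    findings = []
    for (src, dst, uri), times in by_flow.items():
        if len(times) < min_requests:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:      # machine-regular cadence, unlike a human browsing
            findings.append({"client": src, "server": dst, "uri": uri,
                             "requests": len(times), "period": round(sum(gaps) / len(gaps), 2)})
    return findings

def demo():
    """Sensor writes a constructed pcap stream into a Unix socket; analysis side stores and correlates."""
    polling = [(1000 + 10 * i, 0, build_http_frame("10.0.0.5", "192.0.2.10", 40000 + i, 80,
                b"POST /poll HTTP/1.1\r\nHost: example.test\r\n\r\nAAAA")) for i in range(6)]
    browsing = [(1003, 0, build_http_frame("10.0.0.7", "192.0.2.10", 41000, 80,
                 b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
                (1011, 500000, build_http_frame("10.0.0.7", "192.0.2.10", 41001, 80,
                 b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n"))]
    sensor, analyser = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    sensor.sendall(build_pcap(sorted(polling + browsing)))
    sensor.close()
    records = list(read_pcap_stream(analyser))  # everything kept in memory for correlation
    analyser.close()
    return records, correlate(records)

if __name__ == "__main__":
    stored, flagged = demo()
    print("stored %d frames, %d suspicious flow(s): %s" % (len(stored), len(flagged), flagged))
```

The six evenly spaced POSTs to `/poll` are flagged while the two ordinary browser requests are not; in a real deployment the stored records would also carry the Snort alerts the page mentions, and the correlation pass would run continuously rather than once at end of stream.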

Simon Castro
Current Cctde version: 0.2; README, CHANGELOG, EXAMPLES
Download | md5sum: a0fd7e48315d3e38b1c6a3fd689fb47a
http://gray-world.net/projects/cctde/cctde-0.2.tar.gz

Paper: Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the HTTP protocol.


Team member's site: www.infosecwriters.com/hhworld/ (The Hitchhiker's World e-zine)


Licenses: GNU General Public License, GNU Free Documentation License
IRC://irc.gray-world.net:6677/gray-world.net