Saturday, April 05, 2003
Stegtunnel New Release
PacketStorm alerted me to the newest release of stegtunnel. As a network security analyst, I like to keep an eye out for these sorts of tools. I'll test it when I have time. This tool also manipulates the IP ID field, just as Craig Rowland's covert_tcp program did in 1996. From the stegtunnel description:
Stegtunnel is a tool written to hide data within TCP/IP header fields. It was designed to be undetectable, even by people familiar with the tool. It can hide the data underneath real TCP connections, using real, unmodified clients and servers to provide the TCP conversation. In this way, detection of odd-looking sessions is avoided. It provides covert channels in the sequence numbers and IPIDs of TCP connections.