GRAY-WORLD.NET TEAM
Unusual firewall bypassing techniques, network and computer security.

After a while, finding that nothing more happened, she decided on going into the garden at once; but, alas for poor Alice! when she got to the door, she found she had forgotten the little golden key, and when she went back to the table for it, she found she could not possibly reach it: she could see it quite plainly through the glass, and she tried her best to climb up one of the legs of the table, but it was too slippery; and when she had tired herself out with trying, the poor little thing sat down and cried.

Lewis Carroll "Alice In Wonderland"
Alice
Chinese French Russian Spanish Polish Italian
Home | Projects | Papers | Forum | Team | Links | Contributions
 Projects 

Cctde is a first implementation of the Gray-World.net Covert Channel and Tunneling over the HTTP protocol Detection : GW implementation theoretical design' paper.

The main goal of this project is to provide a way to register and disclose informations leading to the detection of unauthorized tunnels and covert channels embedded into the HTTP protocol but the concepts could also be applied to the detection of arbitrary data flows inside other high level protocols.

Located between a mandatory http proxy server and the http clients (or before the NACS if no proxy exists), cctde is trying to detect if someone on the internal located network is using a CC|T (Covert Channel OR Tunneling) tool to bypass the NACS.

Located in front of corporate servers in DMZ, cctde is trying to detect if someone located on the Internet is using server side tools such as WebShell or Firepass to run across the NACS boundaries.

Cctde is currently designed as an analysis back-end for the Snort NIDS tool. Snort acts as a network sensor - recording data streams or not in tcpdump format binary files - and communicates with the cctde part using an Unix socket. Cctde then reads Snort alerts and pcap packets from the Unix socket and store them into memory. It is then possible to correlate recorded data in order to detect specific network activities.

Simon Castro
Current Cctde version: 0.2; README, CHANGELOG, EXAMPLES
Download | md5sum: a0fd7e48315d3e38b1c6a3fd689fb47a
http://gray-world.net/projects/cctde/cctde-0.2.tar.gz

Index of projects



Paper : Exploitation of data streams authorized by a network access control system for arbitrary data transfers : tunneling and covert channels over the HTTP protocol.
[read]


Team member's sites: www.infosecwriters.com/ hhworld/ The Hitchhiker's World e-zine


GNU  GNU General Public License
 GNU Free Documentation License
IRC://irc.gray-world.net:6677/gray-world.net
CHANGELOG, MIRRORS, LEGAL NOTICE