Jonas Pflanzer d4bab1905c Daemon installation notes improved 4 years ago
include 51fb1553ce Fix filters and minor Covert Channel bugs 4 years ago
src 3763e08f78 Removed needless TODOs 4 years ago
test bd1e853665 Resolve "There are no tests for executeQueue and executeDequeue" 4 years ago
Adding-a-Covert-Channel-Mode.md 08aca1da2c Adding a covert channel mode 4 years ago
CMakeLists.txt d8b4ccc395 Remove pkg-config from CMakeLists 4 years ago
CovertProtocol.md 788a5e0293 Protocol README 4 years ago
README.md d4bab1905c Daemon installation notes improved 4 years ago
ccats.service d4bab1905c Daemon installation notes improved 4 years ago
createsslfiles.sh e2ab8c089f implement very basic ssl, todo allow server to run without ssl and get ssl fully running (broken right now, complains about no shared cipher) 4 years ago

README.md

Daemon

Build

mkdir build
cd build
cmake ..
make

Tests

To build tests just set the ENABLE_TESTS variable to true and rebuild the program.

mkdir build
cd build
cmake .. -DENABLE_TESTS=true
make

Run

You must create a config.txt before running the server.

bin/ccats

Tests

make test

Installation

You can adjust the installation directory as you like, but don't forget to adjust the ExecStart option in the service file. The location of the configuration file is the first parameter for the daemon, so you can change it as well. Don't forget to create the files folder!

After building the program, copy the executable:

sudo cp bin/ccats /usr/bin

Copy service file:

sudo cp ccats.service /etc/systemd/system/

Enable the service:

sudo systemctl enable ccats.service

and start it:

sudo systemctl start ccats.service

Daemon configuration

The daemon is configured through config.txt. To use a different configuration file, pass its name as the first parameter when launching the server. The config file must be in the directory from which you run the binary. If the file does not exist, the server exits immediately.

General Configuration Values

port: The port where the server listens for clients. Must be a valid port
userdatabase: The file where userdata is stored in format: user;password
deleteAllowed: Says if a client is allowed to delete files from its file directory
filedirectory: The directory where files from the clients will be stored and read from
SSLenabled: When set to true, the server will only use and accept SSL connections from clients. Set to false to disable this
SSLcertificate: The certificate file to use for SSL connections
SSLprivatekey: The private key file to use for SSL connections
SSLdhparams: The Diffie-Hellman parameters file to use for SSL connections

Notes about SSL

To use SSL, certificates, keys and Diffie-Hellman parameters are required. To generate these, a convenience script createsslfiles.sh is provided. The names of the output files are controlled by variables at the top of the script; modify these if desired. Assuming default names, place the user.crt, user.key and dh2048.pem files somewhere convenient and configure the server accordingly. Place the rootca.crt certificate in the directory you intend to run the client from.

If you get an error about SSL-related files not being found despite them existing, shorten the names of the files. If you cannot connect and the server prints an error related to TLSv1, ensure your versions of Boost and OpenSSL are up to date.

Covert Channel Modes

There are several covert channel modes which will transmit data in other ways. If you do not set this to any of the values below, the server will not have covert channel sending and receiving capabilities, but will still answer requests from clients. In this case, no superuser permissions will be required, as no network interfaces are touched directly.

forward: no data transmission
tcpurgency: uses the TCP urgency pointer
tcpoptiontimestamp: uses the TCP option Timestamp to transmit data. WARNING: most OSs use the timestamp so you should not use this option unless you are sure that the communication does not depend on it.
tcpappend: appends the data to the payload of a TCP packet
tcpoptioncustom: writes data in a custom option field

General Covert Channel options

covertChannelMode: Sets the covert channel mode. To deactivate don't set it or set it to none or false.
innerInterface: The interface of your inner network
outerInterface: The interface of your outer network

Covert Channel Mode forward

No further config is needed. Forward should work out of the box.

Covert Channel Modes tcpurgency, tcpoptiontimestamp, tcpappend, tcpoptioncustom

targetIP: IP of the target server
targetPort: Port of the target server
passiveMode: true - server only reacts to incoming channel | false - server initiates channel

Example for config.txt

covertChannelMode=tcpurgency
deleteAllowed=false
filedirectory=./files/
innerInterface=eth0
outerInterface=eth1
passiveMode=false
port=1234
SSLcertificate=user.crt
SSLdhparams=dh2048.pem
SSLenabled=true
SSLprivatekey=user.key
targetIP=1.2.3.4
targetPort=443
userdatabase=userStorage.txt
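
A pre-flight check for a config.txt like the one above, added here as an example and not part of the project's own code. It assumes the key=value syntax shown in the example and treats every option the README lists for a mode as mandatory; `lint`, `parse` and `SAMPLE` are names invented for this example.

```python
import ipaddress

# Option and mode names come from the README. Treating every option listed for
# a mode as mandatory, and the key=value syntax, are assumptions of this example.
TCP_MODES = {"tcpurgency", "tcpoptiontimestamp", "tcpappend", "tcpoptioncustom"}
OFF = {"", "none", "false"}

# Constructed sample with deliberate mistakes (not a file from the project).
SAMPLE = """port=70000
SSLenabled=false
covertChannelMode=tcpoptiontimestamp
innerInterface=eth0
targetIP=1.2.3
"""

def parse(text):
    """Collect key=value pairs, ignoring lines without '='."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def lint(text):
    """Return a list of findings for one config.txt; empty means no issue found."""
    cfg, out = parse(text), []
    need = ["port", "userdatabase", "filedirectory"]
    if cfg.get("SSLenabled", "").lower() == "true":
        need += ["SSLcertificate", "SSLprivatekey", "SSLdhparams"]
    else:
        out.append("SSLenabled is not true: SSL is disabled")
    mode = cfg.get("covertChannelMode", "")
    if mode.lower() not in OFF:
        if mode != "forward" and mode not in TCP_MODES:
            out.append(f"unknown covertChannelMode: {mode}")
        need += ["innerInterface", "outerInterface"]
        if mode in TCP_MODES:
            need += ["targetIP", "targetPort", "passiveMode"]
        if mode == "tcpoptiontimestamp":
            out.append("tcpoptiontimestamp: most OSs use the TCP timestamp option")
    out += [f"missing {k}" for k in need if not cfg.get(k)]
    for k in ("port", "targetPort"):
        v = cfg.get(k, "")
        if v and not (v.isdecimal() and 1 <= int(v) <= 65535):
            out.append(f"{k} is not a valid port: {v}")
    if cfg.get("targetIP"):
        try:
            ipaddress.ip_address(cfg["targetIP"])
        except ValueError:
            out.append(f"targetIP is not an IP address: {cfg['targetIP']}")
    return out
```

Calling `lint(open("config.txt").read())` before starting the service returns an empty list for the README's example configuration.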