.\" Man page for CCTT
.\" ============================================================
.\" Author : Simon Castro - <scastro [ at ] entreelibre.com>
.\" 
.\"
.TH "CCTT" "1" "$Date: 2003/08/29 10:11:51 $" "Cctt v0.1.8"
.SH "NAME"
.B CCTT
\- \fBC\fPovert \fBC\fPhannel \fBT\fPunneling \fBT\fPool
.SH "VERSION"
This \fB0.1.8\fP version is an alpha one.
.SH "LEGAL CONSIDERATIONS"
CCTT is aimed at offering security officers / engineers means for practically verifying the security of networks they're \fBLEGALLY\fP in charge of.
Any use of CCTT depends upon the acceptance of its license (see \fBCOPYING\fP) as well as the respect of legal considerations specific to the country of use (see the \fBREADME\fP file).
.SH "SYNOPSIS"
.B cctt
\fB-s listen_address\fP [\fB-p\fP \fIlisten_port\fP] [\fB-f\fP \fIconfig_file\fP] [\fB-t\fP \fIchannel_type\fP] [-l] [-L] [-v] [-T]
.P
.B cctt
\fB-c connect_address\fP [\fB-d\fP \fIconnect_port\fP] [\fB-f\fP \fIconfig_file\fP] [\fB-t\fP \fIchannel_type\fP] [-r | -a | -i | -z] [-v] [-T]
.P
.B cctt [ -V | -h ]
.SH "DESCRIPTION"
This manual briefly describes the use of \fBCCTT\fP.
.PP
.B CCTT
is a tool allowing the establishment of subliminal channels within the data streams authorized by the implemented network access control schemes.
.SH "PARAMETERS"
CCTT uses the usual syntax of the GNU command line, with long options preceded by a double dash ('\-\-') or their short equivalent.
.TP
The corresponding parameters are:
.IP "\fB\-v, \-\-version\fP"
Displays the CCTT version.
.IP "\fB\-h, \-\-help\fP"
Displays help.
.IP "\fB\-d, \-\-debug\fP"
Displays the debugging messages (for developers).
.IP "\fBServer \fP:"
.IP " \fB\-s, \-\-listen_address\fP"
Specifies the server's listening IP address.
.IP " \fB\-p, \-\-listen_port\fP"
Specifies the server's listening port (TCP 4242 by default).
.IP " \fB\-l, \-\-logging\fP"
Specifies the reverse-shell sessions logfile to use (rshells.log by default).
.IP " \fB\-L, \-\-logging-syslog\fP"
Sends verbose messages to Syslogd (daemon.notice by
default).
All verbose messages (if the -V flag was specified at the command line) are sent to the local syslogd daemon.
If the -V flag wasn't specified at the command line, the initialization and halting of the server are the only logged events.
.IP "\fBClient \fP:"
.IP " \fB\-c, \-\-connect_address\fP"
Specifies the server's destination IP address.
.IP " \fB\-d, \-\-connect_port\fP"
Specifies the server's destination port (TCP 4242 by default).
.IP " \fB\-r, \-\-rshell\fP"
The client should execute a reverse-shell.
.IP " \fB\-i, \-\-list_proxy_mode\fP"
The client asks for the list of proxies authorized by the server.
.IP " \fB\-a, \-\-proxy_mode\fP"
The client should operate in proxy mode.
.IP " \fB\-z, \-\-reverse_proxy_mode\fP"
The client should operate in reverse proxy mode.
.IP "\fBGeneral \fP:"
.IP " \fB\-t, \-\-channel_type\fP"
Specifies the channel's type (socket by default).
.IP " \fB\-f, \-\-config_file\fP"
Specifies the configuration file (cctt_srv.cf and cctt_cl.cf by default).
.IP " \fB\-v, \-\-verbose\fP"
Executes CCTT in verbose mode.
.IP " \fB\-T, \-\-check_conf_file\fP"
Checks the syntax of the configuration file and quits.
.SH "CHANNEL TYPES"
Channel types are specified at the command line but use directives that should be set in configuration files:
.IP "\fBsocket\fP"
The channel consists of the establishment of a standard PF_INET socket (based on the TCP or UDP protocol: see \fICONFIGURATION FILES\fP) between the client and the server.
.sp
No encoding is performed and, if the connection is dropped, all applications (shell, reverse shell and applications operating in proxy mode) are killed.
.IP "\fBsocket_encode\fP"
This channel type is identical to the \fIsocket\fP channel but the data stream is encoded.
.sp
A distance is computed from a key.
Then an alphabet and the string to encode are walked byte by byte: the distance is added to the current alphabet character, the result is added to the character to encode, and modulo operations keep the value within the range of an unsigned char, which produces the encoded string. When the end of the alphabet is reached, it is reused from the beginning.
.sp
The resulting string is then converted into a series of hexadecimal values (between 00 and FF).
.IP \fBsocket_http_proxy\fP
This channel type is identical to the \fIsocket\fP one, but uses the CONNECT method on an HTTP proxy server.
.sp
The client opens a connection with an HTTP proxy server, then sends the request \fICONNECT @IP_serveur_Cctt:Port_serveur_Cctt HTTP/1.0\fP. If the connection is accepted by the proxy server (reception of \fIHTTP/1.0 200 Connection established\fP), then the channel is considered established.
.IP \fBsocket_http_proxy_encode\fP
This channel type is identical to the \fIsocket_http_proxy\fP one, but the data are encoded as for the \fIsocket_encode\fP channel type.
.IP \fBclient_only_with_http_proxy\fP
This channel type is identical to the \fIsocket_http_proxy\fP channel and can only be used by the client.
It gives access to the CCTT functionalities, such as services (shell, reverse-shell and proxy mode) and the proxy chain, without the constraint of installing a CCTT server (the daemon can hence be a standard service: ssh, netcat, etc.). No additional packet is added to the stream (no identification, no service request).
.IP \fBhttp_post\fP
This channel type mimics the HTTP protocol, allowing client and server to exchange HTTP request and response messages. See \fBHTTP POST server directives\fP and \fBHTTP POST client directives\fP for further information.
.IP \fBhttp_post_proxy\fP
This channel type mimics the HTTP protocol, allowing client and server to exchange HTTP request and response messages.
See \fBHTTP POST server directives\fP and \fBHTTP POST client directives\fP for further information.
.sp
Intermediate proxies are handled as follows:
If the proxy-chain functionality is not used, a TCP connection is opened to the proxy server and a specially crafted HTTP POST request is sent.
If the proxy-chain functionality is used, the CONNECT method is used until the last proxy server is reached and a specially crafted HTTP POST request is sent.
.IP \fBhttp_post_proxy2\fP
This channel type is identical to the \fBhttp_post_proxy\fP one but uses the CONNECT method on an HTTP proxy server.
.IP \fBtest\fP
This channel type is used for the development of new functionalities.
.SH "SERVER CONFIGURATION FILE"
Configuration files allow the setting of several directives linked to the CCTT operation.
.P
.P
\fBDirectives of the server configuration file\fP :
.IP "\fBPROTOCOL\fP=\fItcp|udp\fP"
This is the protocol used to establish the socket between the client and the server or between the client and the proxy server. If a proxy server is used, this protocol is necessarily \fBtcp\fP.
\fBThis directive is mandatory.\fP
.IP "\fBFAKE_WEBSERVER\fP=\fIfile\fP"
If a client fails the identification stage, the file content is sent to it and the connection is closed.
.IP "\fBKILL_QUIET_DEL\fP=\fIx\fP"
Tells the server to close connections that have been quiet for \fIx\fP msecs. If this directive is not set, the default value of the includes/configuration.h file is used.
.IP "\fBKILL_QUIET_DEL_CF\fP=\fIx\fP"
Tells the server to close connections that have been quiet for \fIx\fP msecs if the close_flag is set. If this directive is not set, the default value of the includes/configuration.h file is used.
.IP "\fBIdentification directives\fP :"
These directives specify the identification method used between the client and the server.
.sp
\fBIDENT\fP=\fIxxx_ident\fP
This is the identification type configured between the server and the client.
It must be identical in the two configuration files and can take the \fIclear_ident\fP or \fIbasic_ident\fP values.
\fIclear_ident\fP doesn't perform any encoding, the key being sent as is.
\fIbasic_ident\fP uses an encoding based on the same principle as the \fIsocket_encode\fP channel type.
\fBThis directive is mandatory and is necessarily accompanied by the \fP\fIIDENT_KEY\fP\fB directive\fP.
.sp
\fBIDENT_KEY\fP=\fIxxx\fP
This is the key used to identify the client to the server. It's an ASCII string.
\fBThis directive is mandatory and is necessarily accompanied by the \fP\fIIDENT\fP\fB directive\fP.
.IP "\fBProxy mode Directives\fP :"
See the explanation in the part pertaining to the client.
.sp
\fBPROXY_MODE_LIST\fP=\fIlabel:@IP:Port\fP
This directive can be used several times if \fIlabel\fP is unique for each line. It's the transfer authorization list for clients that wish to operate in proxy mode.
The server receives a request, verifies whether it is configured in its list and, if it is, operates in proxy mode for the \fIlabel\fP service between the client and the application that is behind \fI@IP:Port\fP.
.sp
\fBPROXY_ONLY\fP=\fION|OFF\fP
Tells the server whether or not it should act in \fIproxy-only\fP mode. This mode configures the server so that it refuses shell or reverse-shell requests and so that the standard input (see \fIINTERACTIVE MODE\fP) isn't available.
The server can hence be launched in the background and use the privilege-dropping functionalities (see \fIServer Securing Directives\fP).
.IP "\fBShell configuration directives\fP :"
.sp
\fBSRV_SHELL_LOC\fP=\fI/path/to/shell\fP
This is the absolute path (beware of the name when using symbolic links) leading to a command interpreter (shell).
It is used when the client asks the server for a shell.
If the server doesn't want to offer the shell to the client, this directive can be set to \fI/path/to/false\fP or \fI/path/to/nologin\fP.
\fBThis directive is necessarily accompanied by the \fP\fISRV_SHELL_CMD\fP\fB one\fP.
.sp
\fBSRV_SHELL_CMD\fP=\fIshell\fP
This is the name of the command interpreter (shell) configured in the \fISRV_SHELL_LOC\fP directive, which necessarily accompanies this directive.
.IP "\fBServer securing directives\fP :"
These directives are only applicable if the server is launched under the super user identity.
.sp
\fBPERM_USER_GROUP\fP=\fIuser\fP
After initialization, the server takes the (gid,uid) identity indicated by the \fIuser\fP user.
If the \fIPERM_CHROOT\fP directive is set, \fIPERM_CHROOT\fP is applied first.
.sp
\fBPERM_CHROOT\fP=\fIpath/to/chroot/directory\fP
After initialization, the server is jailed with a chroot in the specified directory.
Note: This directory must be a regular one and not a link and must allow writing under the identity under which the server operates.
.IP "\fBHTTP POST server directives :\fP"
.P
When the http_post mode is used, the server waits for HTTP POST requests and answers with HTTP responses. As the client can close the TCP connection at regular intervals, the server keeps its application side running and uses a unique client magic number to know if a new connection was already opened or if it needs a new context.
If a TCP connection is opened to the server and the client request doesn't have the right URI, the server sends back an error page before closing the connection.
It is possible to tell the server to answer certain requests. In this case, the server matches the request URI and sends back the related content file.
Adding top and/or bottom padding data to the communication channel data is configurable in the client and server parts.
This padding data is discarded by the client and server parts.
.IP "\fBThe next directives are mandatory for an http_post mode server.\fP"
.sp
\fBHTTP_MOD_URI\fP=\fI/cgi-bin/cctt.cgi\fP
The URI set here tells the server that there is useful data in the HTTP request body.
.sp
\fBHTTP_MOD_SRV_ERROR_PAGE\fP=\fIerror_page.txt\fP
This file will be sent by the server if the URI defined in the HTTP request is different from the \fBHTTP_MOD_URI\fP one and if the request URI is not found in any \fBHTTP_MOD_SRV_FAKE_URLS\fP one.
.IP "Next directives are optional in the server http_post mode."
.sp
\fBHTTP_MOD_SRV_TOP_PAD\fP=\fIbytes\fP
Tells the server there are \fIbytes\fP bytes of unnecessary data at the top of the communication channel data of the HTTP request.
.sp
\fBHTTP_MOD_SRV_BOT_PAD\fP=\fIbytes\fP
Tells the server there are \fIbytes\fP bytes of unnecessary data at the bottom of the communication channel data of the HTTP request.
.sp
\fBHTTP_MOD_CL_TOP_PAD\fP=\fIpath/to/file\fP
Tells the server to add the content of the \fIpath/to/file\fP at the top of the communication channel data it will send in its HTTP response.
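
A defender-side check for the CONNECT-based channel types described above (socket_http_proxy, http_post_proxy2 and the proxy chain), as an added example that is not part of CCTT or of this manual: it reviews forward-proxy access log lines for CONNECT requests to ports other than 443, such as the default TCP 4242, or to raw IP addresses. The log layout, the sample lines and the HTTPS-only port policy are assumptions.

```python
import re

# Assumption: the proxy only needs to tunnel HTTPS, so 443 is the sole allowed port.
ALLOWED_CONNECT_PORTS = {443}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Request field of a combined-log-style line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def review_connect(line):
    """Return the reasons a proxy log line looks like a non-HTTPS CONNECT tunnel."""
    m = REQUEST.search(line)
    if not m or m.group("method") != "CONNECT":
        return []
    host, _, port = m.group("target").rpartition(":")
    reasons = []
    if not port.isdigit():
        reasons.append("CONNECT target has no numeric port")
    elif int(port) not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT to port {port}")
    if IPV4.match(host):
        # The manual's request form uses an IP address rather than a host name.
        reasons.append("CONNECT to a raw IPv4 address")
    return reasons


def flag_lines(lines):
    """Return (client, reasons) for every line that review_connect() flags."""
    return [(line.split()[0], reasons)
            for line in lines if (reasons := review_connect(line))]


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "CONNECT www.example.com:443 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "CONNECT 203.0.113.10:4242 HTTP/1.0" 200 88211',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET http://example.org/ HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "CONNECT 198.51.100.4:443 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, reasons in flag_lines(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```

The same policy is better enforced at the proxy itself by refusing CONNECT to any port outside the allowed set; the log review catches what was permitted before such a rule existed.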