Network Steganography Techniques
Robert Waziak
IIT School of Applied Technology

Steganography
Steganography is a term generally described as the means of concealing secret information, so that an uninformed party is unaware of its existence, and extracting it at its destination.
Network Steganography
Network Steganography is the process of utilizing active network protocols as carriers to transmit a covert message, undetectable by a third party, from a host to its destination.
Network Steganography Techniques
Modification of packet delay: the packets are held for a chosen amount of time on the sending system, and the receiving system decodes the message from that delay.
Modification of packet content: any field that can be altered without affecting the packet's delivery to its destination can be used to carry covert information.
What Were Our Goals?
Utilize and develop tools to perform different network steganography techniques:
Packet Delay Steganography (Layer 3)
Packet Content Modification Steganography (Layer 3)
Packet Content Modification Steganography (Layers 4+)
Understand associated challenges
Record limitations from tested approaches
Gain insight / Lessons learned
What Have We Accomplished?
Successfully communicated between two PCs using three different network steganography techniques:
Packet Delay Steganography (Timeshifter)
ICMP Packet Content Modification Steganography (Stegnet)
μTP Packet Content Modification Steganography (BitStegNet)
Researched potential higher level protocols:
TCP, UDP, μTP (Layer 4)
BitTorrent (Layer 7)
Researched higher level steganography techniques:
TCP (Covert_tcp [2])
BitTorrent (StegTorrent [3])
Network Steganography Tool Classifications

Tool         Steganography method   Layer   Protocol   Carrier
Timeshifter  Insertion              3       ICMP       Packet delay
Stegnet      Substitution           3       ICMP       ICMP header (data field)
BitStegNet   Substitution           4+      μTP        μTP header (timestamp)
Timeshifter
Timeshifter is a tool developed by 'Anfractuosity.' It modifies the time delays of ping packets in order to send information between two terminals within the same computer. [1]
Stegnet
Stegnet is a custom tool, written in the C language, that is based on the structure and theory of Timeshifter. Instead of delay modification (Timeshifter), Stegnet modifies packet content.
Stegnet modifies ICMP packets by:
Capturing the packet from the NFQUEUE
Modifying the Data field with the text from a file
Recalculating the checksum with the new data
Releasing the packet to its destination
Theory Of Operation
Capture packets from a queue called NFQUEUE, using iptables to route them:
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j NFQUEUE --queue-num 0
Modify captured packets and release them to the network using the libnetfilter_queue library.
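To make the checksum step concrete, here is an added example (not Stegnet's own source) that rewrites the 48-byte data field of a constructed ICMP echo-request and recomputes the RFC 1071 checksum, together with the verification a receiver or an IDS performs; the id, sequence number and filler pattern are constructed values.

```c
/* Added example (not Stegnet's own source): overwrite the data field of an ICMP
 * echo-request with text and recompute the checksum, the step Stegnet must do
 * before releasing the packet. Bytes are constructed; no netfilter code here. */
#include <stdint.h>
#include <string.h>
#define ICMP_HDR_LEN  8
#define ICMP_DATA_LEN 48                          /* capacity the slides give */
#define ICMP_PKT_LEN  (ICMP_HDR_LEN + ICMP_DATA_LEN)
/* RFC 1071 Internet checksum over the whole ICMP message (header + data). */
static uint16_t icmp_checksum(const uint8_t *msg, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)msg[i] << 8) | msg[i + 1];
    if (len & 1)
        sum += (uint32_t)msg[len - 1] << 8;       /* pad an odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);       /* fold carries back in */
    return (uint16_t)~sum;
}
static void icmp_store_checksum(uint8_t *pkt, size_t len)
{
    pkt[2] = pkt[3] = 0;                          /* field is zero while summing */
    uint16_t c = icmp_checksum(pkt, len);
    pkt[2] = (uint8_t)(c >> 8); pkt[3] = (uint8_t)c;
}

/* Constructed echo-request: type 8, code 0, id 0x1234, seq 1, filler data. */
void build_echo_request(uint8_t *pkt)
{
    memset(pkt, 0, ICMP_PKT_LEN);
    pkt[0] = 8; pkt[4] = 0x12; pkt[5] = 0x34; pkt[7] = 1;
    for (int i = 0; i < ICMP_DATA_LEN; i++) pkt[ICMP_HDR_LEN + i] = (uint8_t)(0x10 + i);
    icmp_store_checksum(pkt, ICMP_PKT_LEN);
}

/* Stegnet step: replace the data field (NUL-padded, at most 48 bytes) and refresh
 * the checksum. Returns bytes embedded, or 0 if the packet size is unexpected. */
size_t stegnet_embed(uint8_t *pkt, size_t len, const char *text)
{
    if (len != ICMP_PKT_LEN) return 0;
    size_t n = strlen(text);
    if (n > ICMP_DATA_LEN) n = ICMP_DATA_LEN;     /* the 48-byte limit */
    memset(pkt + ICMP_HDR_LEN, 0, ICMP_DATA_LEN);
    memcpy(pkt + ICMP_HDR_LEN, text, n);
    icmp_store_checksum(pkt, len);
    return n;
}
/* What a receiver or IDS checks: a valid message sums to zero. */
int icmp_checksum_ok(const uint8_t *pkt, size_t len) { return icmp_checksum(pkt, len) == 0; }
```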
[Figure: Transmitter and Receiver exchanging ping packets 1 to 7, carrying the message HELLO WORLD]
Stegnet Limitations
ICMP echo-request / echo-reply (ping) packets could be blocked by active network firewalls.
The string is sent as plaintext within the Data field and therefore is a very weak and impractical method.
Embedded string is limited to only 48 bytes.
BitTorrent Protocol
BitTorrent is a peer-to-peer (P2P) protocol in which two or more computers that are uploading or downloading the same torrent transfer data amongst themselves without the need of a central server. [4]
Why BitTorrent protocol?
Very common traffic over the internet
Peer-to-peer connections
Highly customizable clients
μTP has appealing header fields for hiding information
Alternate BitTorrent Network Stacks
BitTorrent over TCP: BitTorrent / TCP / IP / MAC / PHY
BitTorrent over μTP: BitTorrent / μTP / UDP / IP / MAC / PHY
μTorrent Transport Protocol (μTP) Header
[Figure: μTP header layout, from [5]]
qBitTorrent
Free, open and multiplatform torrent client built on top of libtorrent. [6]
Why qBitTorrent?
μTP capabilities
Tracker mode
Customizable port number
Lab Setup
BitStegNet
BitStegNet is directed towards modifying BitTorrent μTP packet headers.
It follows the same structure as Timeshifter and Stegnet, with some differences:
An appropriate iptables rule to forward only BitTorrent traffic to the NFQUEUE
Modified code to edit and interpret the LSB of the μTP timestamp
The tool has a capacity of 1 bit of stego information per 100 kb of clean information.
Timestamp’s LSB Substitution
BitStegNet Steganalysis
BitTorrent traffic:
Around 3% of total internet traffic during peak hours.
Not suspicious or unexpected traffic.
Timestamp field of μTP header:
Microsecond resolution.
The LSB can be considered almost random.
Common steganalysis scenario:
Sniffed traffic will only show BitTorrent-over-μTP packets.
Only Chosen Stego and Known Stego attacks will work.
All packets must be captured to discover the transmission.
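The substitution described for BitStegNet above and the capture-everything point from this steganalysis scenario, as one added example that is not BitStegNet's code: one message bit per packet in the LSB of the μTP timestamp_microseconds field (BEP 29 layout), with the recovery an analyst who knows the scheme would run over a full capture. MSB-first bit order and all packet contents are assumptions of the example.

```c
/* Added example (not BitStegNet's code): one message bit per packet in the LSB
 * of the μTP timestamp_microseconds field (bytes 4..7, big-endian, BEP 29), and
 * the "Known Stego" recovery, which only works when every packet was captured.
 * Packets are constructed; MSB-first bit order is an assumption of this example. */
#include <stdint.h>
#include <string.h>
#define UTP_HDR_LEN 20
static uint32_t get_ts(const uint8_t *h)
{ return ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) | ((uint32_t)h[6] << 8) | h[7]; }
static void set_ts(uint8_t *h, uint32_t ts)
{ h[4] = (uint8_t)(ts >> 24); h[5] = (uint8_t)(ts >> 16); h[6] = (uint8_t)(ts >> 8); h[7] = (uint8_t)ts; }

/* Constructed stream of npkts ST_DATA headers (type 0, version 1), no payload. */
void build_utp_stream(uint8_t *pkts, size_t npkts)
{
    memset(pkts, 0, npkts * UTP_HDR_LEN);
    for (size_t i = 0; i < npkts; i++) {
        pkts[i * UTP_HDR_LEN] = 0x01;                  /* byte 0 = type<<4 | ver */
        set_ts(pkts + i * UTP_HDR_LEN, 0x12345678u + (uint32_t)i * 1337u);
    }
}

/* Sender: bit i of msg replaces the timestamp LSB of packet i; the other 31
 * bits, and so the microsecond clock the peer sees, are left untouched. */
size_t bitstegnet_embed(uint8_t *pkts, size_t npkts, const char *msg)
{
    size_t nbits = strlen(msg) * 8;
    if (nbits > npkts) nbits = npkts;                  /* 1 bit per packet */
    for (size_t i = 0; i < nbits; i++) {
        uint8_t *h = pkts + i * UTP_HDR_LEN;
        uint32_t bit = ((unsigned char)msg[i / 8] >> (7 - i % 8)) & 1u;
        set_ts(h, (get_ts(h) & ~1u) | bit);
    }
    return nbits;
}

/* Receiver or analyst: LSB of every version-1 header in capture order, packed
 * eight per character. A missing or reordered packet shifts everything after it. */
size_t bitstegnet_extract(const uint8_t *pkts, size_t npkts, char *out, size_t outlen)
{
    size_t nbits = 0, nchars = 0; unsigned cur = 0;
    for (size_t i = 0; i < npkts && nchars + 1 < outlen; i++) {
        const uint8_t *h = pkts + i * UTP_HDR_LEN;
        if ((h[0] & 0x0f) != 1) continue;              /* not a μTP v1 header */
        cur = (cur << 1) | (get_ts(h) & 1u);
        if (++nbits % 8 == 0) { out[nchars++] = (char)cur; cur = 0; }
    }
    out[nchars] = '\0';
    return nchars;
}
```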
Analysis
Challenges
Moving packets instead of static files.
CRC and checksums.
Firewalls and IDSs.
Limitations
Only tested on controlled environments.
Possible issues regarding packet order.
Capable of sending just text based messages.
libnetfilter_queue library only on Linux.
Future work possibilities
Testing in open networks
Standalone program with GUI
Possibility to send any file
Summary
Using Timeshifter, we sent a covert message between two PCs by modifying the delay of ICMP packets.
We developed and tested Stegnet to send a covert message between two PCs by modifying the data field of ICMP packets.
We developed and tested BitStegNet to send a covert message by modifying the timestamp of μTP packets.
BitStegNet Demonstration
Questions?
References
[1] https://www.anfractuosity.com/projects/timeshifter/
[2] http://www-scf.usc.edu/~csci530l/downloads/covert_tcp.c
[3] http://www.ieee-security.org/TC/SPW2013/papers/data/
[4] http://www.howtogeek.com/141257/htg-explains-how-does-bittorrent-work/
[5] http://www.bittorrent.org/beps/bep_0029.html
[6] http://www.qbittorrent.org/