This utility was used as part of a presentation I made at CISCon 2011. It
allows the creation of an otherwise normal TCP connection between two
firewalled clients. Moreover, it offers a working example of using DNS for
command and control messaging.
A firewalled client is able to create a TCP connection with the outside world
because the initiating packet (SYN) pokes a limited hole in the stateful
firewall protecting the client: the firewall records the outgoing flow and is
then expecting, and will allow, a response (SYN/ACK) from the peer the client
was attempting to reach, on the same pair of addresses and ports. Once the
client accepts that response and completes the handshake (ACK), the firewall
will allow data to flow between the two hosts in either direction.
The reason two firewalled clients aren't normally able to create a TCP
connection is that their respective firewalls are configured to drop the
other's initial requests (SYN packets). However, even though the remote peer's
firewall drops the initial SYN, the local client's firewall will still accept
a response (SYN/ACK) from the remote peer.
CCH leverages this by ignoring the fact that the initial requests aren't
received and responding anyway: each client sends its SYN, which the peer's
firewall drops, and then sends a SYN/ACK for the SYN it never saw. This requires
a fair amount of out-of-band coordination between the two peers, but DNS can be
used to provide it. In practice each side has to learn the address, source port
and initial sequence number of the SYN the other side sent, because the crafted
SYN/ACK must acknowledge that sequence number or the peer's TCP stack will
answer it with a RST rather than complete the handshake; if a NAT rewrites
either side's address or port, the values exchanged over DNS must be the ones
seen on the wire.
Once those coordinated responses are received, each client's firewall behaves
as if its peer has just initiated a perfectly normal TCP connection. This
allows, as one would expect, full communication between the two entirely
firewalled clients.