This software was part of the dissertation that I presented the 04/07/2011 for the master degree in computer engineering under the title “Steganography over SIP/RTP protocols”. The work was conducted under the supervision of professor Luigi Ciminiera at the Politecnico di Torino.
StegoSIP covers an IP tunnel into SIP/RTP protocol using LSB and LACK steganographic methods. The hidden channel is a point-to-point IP tunnel between the two peers communicating via the SIP call.
Install the required dependencies.
$ sudo apt-get install nfqueue-bindings-python python-dpkt
Download StegoSIP in both endpoints PC-Alice and PC-Bob. Make sure to specify the tunnel IP addresses of the two endpoints as shown below.
# On PC-Alice $ gedit stegosip.conf # set Alice IP option address as 10.0.0.1
# On PC-Bob $ gedit stegosip.conf # set Bob IP address as 10.0.0.2
Start StegoSIP in Alice and Bob hosts
# On PC-Alice $ sudo ./stegosip.py
# On PC-Bob $ sudo ./stegosip.py
StegoSIP starts inspecting the SIP traffic on the machines waiting for inbound or outbound SIP calls. When it detects a RTP stream, it would raise a stego0 network interface in both endpoints which can be used as a private hidden network between the peers.
The software is SIP client agnostic, but has been tested with Ekiga. Find below a commented example of an outgoing call from PC-Alice to PC-Bob which is used to establish the covert channel.
# PC-Alice. # The command must be run on PC-Bob as well. $ sudo ./stegosip.py # Load filter to incercept incoming and outgoing SIP calls [SIP] added dissector and netfilter rules on udp 5060 ports. # Outgoing-call between alice and bob intercepted [SIP] [OUTGOING-CALL:647604] email@example.com->firstname.lastname@example.org [SIP] [OUTGOING-CALL-ESTAB:647604] email@example.com->firstname.lastname@example.org # Extract RTP port and other parameters from collected SDP [SDP] local: 192.168.1.3:5072 remote:192.168.1.4:5076 # Load filter to intercept RTP connection [RTP] added dissector and netfilter rules on udp 5072<->5076 ports. # Starting stego0 interface with ip 10.0.0.1 [TUN] Started Interface stego0 up 10.0.0.1 netmask 255.255.255.0 mtu 1392 # Module to inject and extract data from tunnel loaded. [RTP] Injector 'LACK' module loaded
Alice and Bob can now communicate using 10.0.0.1 and 10.0.0.2 hosts.
# PC-Alice $ ping 10.0.0.2 PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=50.1 ms 64 bytes from 10.0.0.2: icmp_req=2 ttl=64 time=58.7 ms ...