Mistica: embed data into application layer protocol fields
Mistica
Mística is a tool that allows us to embed data into application layer protocol fields, with the goal of establishing a bi-directional channel for arbitrary communications. Currently, encapsulation into the HTTP, DNS, and ICMP protocols has been implemented, and more protocols are expected to be introduced in the near future.
Mística has a modular design, built around a custom transport protocol, called SOTP: Simple Overlay Transport Protocol. Data is encrypted, chunked, and put into SOTP packets. SOTP packets are encoded and embedded into the desired field of the application protocol and sent to the other end.
The goal of the SOTP layer is to offer a generic binary transport protocol with minimal overhead, so that SOTP packets can be easily hidden or embedded into legitimate application protocols. SOTP also makes sure that packets are received by the other end, encrypts the data using RC4 (this may change in the future), and makes sure that information can flow in both directions transparently, by using a polling mechanism. Note that RC4 is a broken cipher: the current encryption should be read as obfuscation of the channel contents rather than strong confidentiality.
Modules interact with the SOTP layer for different purposes:
- Wrap modules or Wrappers: These modules encode/decode SOTP packets from/into application layer protocols
- Overlay modules: These Modules communicate over the SOTP channel. Examples are io redirection (like netcat), shell (command execution), port forwarding…
Wrapper and overlay modules work together in order to build custom applications, e.g. input redirection over DNS or remote port forwarding over HTTP.
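To make the SOTP layer and the wrapper/overlay split concrete, here is an added, self-contained model of the pipeline the two paragraphs above describe: a message is RC4-encrypted, chunked into packets with a small header, base32-encoded into DNS query labels (the "wrapper" role), handed to a server that acts as a shell-like "overlay", and the server's reply is pulled back through the polling mechanism. This is example code written for this page, not Mística's own SOTP packet format or its dns wrapper; the header layout (`session`, `seq`, `flags`), the flag values, the chunk size and the `Server`/`client_exchange` names are assumptions made for illustration. The sample key and message are constructed.

```python
"""Illustrative model of a SOTP-style channel over DNS query names: encrypt, chunk,
encode, embed, and the polling exchange that lets server data flow back.
Added example only; not Mística's SOTP format or its dns wrapper."""
import base64
import hashlib
import struct

# Hypothetical packet header (session id, sequence number, flags). Not the real SOTP layout.
HEADER = struct.Struct("!HHB")
FLAG_DATA, FLAG_POLL, FLAG_LAST = 0x01, 0x02, 0x04
MAX_PAYLOAD = 40   # ciphertext bytes per packet, chosen to keep query names short
MAX_LABEL = 63     # DNS label length limit (RFC 1035)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is broken; treat this as obfuscation, not confidentiality."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def direction_key(key: bytes, direction: bytes) -> bytes:
    """Separate keys per direction so the two streams never reuse one RC4 keystream."""
    return hashlib.sha256(key + b"|" + direction).digest()


def build_packets(session: int, key: bytes, data: bytes) -> list:
    """Encrypt the whole message once, then split the ciphertext into DATA packets."""
    ct = rc4(key, data)
    chunks = [ct[i:i + MAX_PAYLOAD] for i in range(0, len(ct), MAX_PAYLOAD)] or [b""]
    last = len(chunks) - 1
    return [HEADER.pack(session, seq, FLAG_DATA | (FLAG_LAST if seq == last else 0)) + chunk
            for seq, chunk in enumerate(chunks)]


def poll_packet(session: int, seq: int) -> bytes:
    """Empty packet the client sends so the server has a response to carry data in."""
    return HEADER.pack(session, seq, FLAG_POLL)


def parse_packet(pkt: bytes):
    session, seq, flags = HEADER.unpack_from(pkt)
    return session, seq, flags, pkt[HEADER.size:]


def packet_to_qname(pkt: bytes, domain: str) -> str:
    """Wrapper role: base32 (DNS-safe alphabet), lowercase, split into labels of <= 63 chars."""
    enc = base64.b32encode(pkt).decode().rstrip("=").lower()
    labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
    return ".".join(labels + [domain])


def qname_to_packet(qname: str, domain: str) -> bytes:
    suffix = "." + domain
    if not qname.endswith(suffix):
        raise ValueError("query is not for the covert zone")
    enc = qname[:-len(suffix)].replace(".", "").upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))


def reassemble(key: bytes, pkts: list) -> bytes:
    """Keep DATA packets, order by seq, demand a gap-free run ending in LAST, decrypt once."""
    parsed = sorted((p for p in map(parse_packet, pkts) if p[2] & FLAG_DATA), key=lambda p: p[1])
    if not parsed or not parsed[-1][2] & FLAG_LAST:
        raise ValueError("stream incomplete: LAST packet not seen")
    if [p[1] for p in parsed] != list(range(len(parsed))):
        raise ValueError("stream incomplete: sequence gap")
    return rc4(key, b"".join(p[3] for p in parsed))


class Server:
    """Server side: collects client packets; answers every query with one queued packet or an empty ack.
    `handler` plays the overlay role (like the shell module): message in, reply bytes out."""
    def __init__(self, key: bytes, domain: str, handler):
        self.key, self.domain, self.handler = key, domain, handler
        self.inbox, self.outbox = {}, {}   # session -> packets received / packets waiting to go out

    def handle_query(self, qname: str) -> bytes:
        pkt = qname_to_packet(qname, self.domain)
        session, seq, flags, _ = parse_packet(pkt)
        if flags & FLAG_DATA:
            self.inbox.setdefault(session, []).append(pkt)
            if flags & FLAG_LAST:   # message complete: hand it to the overlay, queue its reply
                msg = reassemble(direction_key(self.key, b"c2s"), self.inbox.pop(session))
                self.outbox.setdefault(session, []).extend(
                    build_packets(session, direction_key(self.key, b"s2c"), self.handler(msg)))
        queued = self.outbox.get(session)
        return queued.pop(0) if queued else poll_packet(session, seq)


def client_exchange(server: Server, session: int, key: bytes, domain: str, data: bytes, max_polls=64) -> bytes:
    """Client side: send a message, then keep polling until the server's reply stream is complete."""
    answers = [server.handle_query(packet_to_qname(p, domain))
               for p in build_packets(session, direction_key(key, b"c2s"), data)]
    polls = 0
    while not parse_packet(answers[-1])[2] & FLAG_LAST:
        if polls == max_polls:
            raise TimeoutError("server never finished its reply")
        answers.append(server.handle_query(packet_to_qname(poll_packet(session, len(answers)), domain)))
        polls += 1
    return reassemble(direction_key(key, b"s2c"), answers)


if __name__ == "__main__":
    KEY = b"constructed demo key"   # constructed; a real deployment needs a fresh random key
    srv = Server(KEY, "example.com", lambda cmd: b"".join(b"%s: line %d\n" % (cmd, i) for i in range(12)))
    print(client_exchange(srv, 7, KEY, "example.com", b"id").decode())
```

Two design points worth noticing when reading Mística's own modules against this sketch: the message is encrypted once and then chunked, rather than encrypting each chunk, because encrypting every packet under the same RC4 key would reuse the keystream; and the server never initiates anything, it only piggybacks one queued packet onto each client query, which is exactly why a polling mechanism is needed for data to flow from server to client through a request/response protocol such as DNS or HTTP.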
Mística’s modular design allows for the easy development of new modules. Also, the user can easily fork current modules in order to use some custom field or encoding or modify the behavior of an overlay module.
There are two main pieces of software:
- Mística server (ms.py): Uses modules that act as the server of the desired application layer protocol (HTTP, DNS, ICMP…). It is also designed in a way that will allow for multiple servers, wrappers, and overlays to be run at the same time, with just one instance of ms.py, although this feature is not fully implemented yet.
- Mística client (mc.py): Uses modules that act as the client of the desired application layer protocol (HTTP, DNS, ICMP…). It can only use one overlay and one wrapper at the same time.
Current modules
Overlay modules:
- io: Reads from stdin and sends through the SOTP connection. Reads from the SOTP connection and prints to stdout.
- shell: Executes commands received through the SOTP connection and returns the output. Compatible with the io module.
- tcpconnect: Connects to a TCP port. Reads from the socket and sends through the SOTP connection. Reads from the SOTP connection and sends through the socket.
- tcplisten: Binds to a TCP port. Reads from the socket and sends through the SOTP connection. Reads from the SOTP connection and sends through the socket.
Wrap modules:
- dns: Encodes/decodes data in DNS queries/responses using different methods.
- http: Encodes/decodes data in HTTP requests/responses using different methods.
- icmp: Encodes/decodes data in the data section of ICMP echo requests/responses.
Install && Use
Copyright (c) 2020 Carlos Fernández Sánchez and Raúl Caro Teixidó.