Mastering Covert Channels to Become Invisible
When attackers tunnel covert channels through trusted infrastructure, such as DNS-over-HTTPS resolvers fronted by Cloudflare or popular multimedia platforms, even well-tuned Fortinet and Check Point deployments have little to work with: the destination is reputable, the protocol is allowed, and the payload sits inside TLS.
The result?
✅ No alerts from signature- or reputation-based controls.
✅ No visibility into the payload.
✅ No suspicion: just normal-looking traffic.
Here’s a curated list of tools and techniques that make this possible. Each uses a covert-channel method, some obscure, some highly advanced, to exfiltrate data or reach C2 infrastructure without standing out to defenders.
🔧 Kernel & Driver-Level Covert Channels
1. 🧬 cat-soup
➡️ eBPF-based Linux rootkit. Hooks system calls from eBPF programs loaded into the kernel and exfiltrates through those hooks, with no kernel module to find. Check: `bpftool prog list` on a suspect host still enumerates loaded eBPF programs unless the rootkit tampers with that too.
GitHub: https://github.com/chumachok/cat-soup
2. 🕓 NTPTunnel
➡️ Tunnels C2 inside Network Time Protocol (NTP) packets on UDP/123. NTP is almost always allowed outbound and rarely inspected beyond the port, hence the low visibility; restricting outbound NTP to a few known time servers removes most of the cover.
GitHub: https://github.com/ricklahaye/NTPTunnel
3. 📡 NetworkCovertChannels
➡️ Research suite for protocol-hopping and protocol-switching channels and for evading an active warden (a normalizing middlebox that rewrites header fields).
GitHub: https://github.com/cdpxe/NetworkCovertChannels/tree/master
🧬 Protocol Steganography
4. 📜 x509
➡️ Encodes data in the extensions of X.509 certificates, so the payload rides inside the TLS handshake. Caveat: in TLS 1.2 the Certificate message is sent in the clear and any inspection point can read the extensions; in TLS 1.3 it is encrypted, so only a terminating proxy sees it.
GitHub: https://github.com/ProbieK/x509
5. 🌐 IPv6-Attacks-and-Covert-Channels
➡️ Covert data in IPv6 extension headers, flow labels, and options.
GitHub: https://github.com/n3m351d4/IPv6-Attacks-and-Covert-Channels
6. 📘 IPv6teal
➡️ Exfiltration over the 20-bit IPv6 Flow Label field. Few inspection devices look at it, and RFC 6437 expects the label to stay constant for a flow, which is also the hook a detector can use.
GitHub: https://github.com/christophetd/IPv6teal
7. 🧬 DNSExfiltrator
➡️ Encodes data chunks in the subdomain labels of DNS queries to an attacker-controlled zone and can send the queries over DNS-over-HTTPS to a public resolver, so the resolver hop is encrypted. Check: log query names and alert on long, high-entropy labels and on unusual numbers of unique subdomains per zone.
GitHub: https://github.com/Arno0x/DNSExfiltrator
8. 🌐 WebDavDelivery
➡️ Serves payloads through WebDAV: the client issues PROPFIND and the payload rides in XML fields of the response. Delivery and staging rather than exfiltration.
GitHub: https://github.com/Arno0x/WebDavDelivery
9. 📡 pingtransfer
➡️ Covert ICMP tunnel. Hides payloads in the data field of echo request/reply packets. Check: a normal ping repeats a fixed byte pattern (plus a timestamp), so echo payloads that change in content or size from packet to packet are the tell.
GitHub: https://github.com/yilmi/pingtransfer
10. 🔧 Simple Packet Sender
➡️ Craft custom raw packets. Great for prototyping covert headers or timing channels.
Website: https://sites.google.com/site/simplepacketsender/
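The DNS label channel from item 7 is the one most teams will meet in practice, so here is an added, self-contained illustration of the idea (written for this page, not DNSExfiltrator's own code or wire format): data is base32-encoded, split into labels within the RFC 1035 limits under a placeholder zone `cdn-metrics.example`, reassembled on the other side even if queries arrive out of order, and then scored by the kind of length-and-entropy heuristic a DNS log monitor can apply per query. The zone name, the sample payload and the benign query names are constructed for the example.

```python
import base64
import math
from collections import Counter

# Illustrative re-implementation for this page, not DNSExfiltrator's code or
# wire format. The zone name is a placeholder; it would be attacker-controlled.
PARENT = "cdn-metrics.example"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # RFC 1035: a full name, dots included, is at most 253 octets


def encode_queries(data: bytes, parent: str = PARENT) -> list[str]:
    """Chunk data into base32 labels: '<seq>.<label>[.<label>...].<parent>'.

    Base32 rather than base64 because resolvers may change letter case on
    the way, which would corrupt a case-sensitive encoding.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names, pos, seq = [], 0, 0
    while pos < len(text):
        labels = []
        used = len(str(seq)) + 1 + len(parent)   # "<seq>." plus the zone
        while pos < len(text) and used + MAX_LABEL + 1 <= MAX_NAME:
            chunk = text[pos:pos + MAX_LABEL]
            labels.append(chunk)
            used += len(chunk) + 1
            pos += len(chunk)
        if not labels:
            raise ValueError("parent zone leaves no room for a data label")
        names.append(".".join([str(seq), *labels, parent]))
        seq += 1
    return names


def decode_queries(names: list[str], parent: str = PARENT) -> bytes:
    """Reassemble the payload from query names; tolerates reordering."""
    suffix = "." + parent
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                       # unrelated lookup in the same log
        seq, *labels = name[:-len(suffix)].split(".")
        chunks[int(seq)] = "".join(labels)
    text = "".join(chunks[i] for i in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)         # restore the base32 padding
    return base64.b32decode(text)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_label_channel(name: str, max_label: int = 30, min_entropy: float = 3.2) -> bool:
    """Per-query heuristic for a DNS log monitor: a long, high-entropy subdomain.

    Assumes two-label zones (example.com); a real deployment would use the
    public suffix list to find the registrable domain. Long CDN cache keys
    are the usual false positive, so allow-list those zones.
    """
    labels = name.split(".")[:-2]
    if not labels:
        return False
    return max(len(l) for l in labels) > max_label and entropy("".join(labels)) > min_entropy


# Constructed inputs: a 256-byte blob to exfiltrate and a few benign lookups.
SAMPLE = bytes(range(256))
BENIGN = ["www.example.com", "mail.google.com", "static.cloudflareinsights.com"]

if __name__ == "__main__":
    queries = encode_queries(SAMPLE)
    print(len(queries), "queries; round trip ok:", decode_queries(queries) == SAMPLE)
    for q in queries + BENIGN:
        print(looks_like_label_channel(q), q[:60])
```

The 256-byte sample fits in three queries of up to 213 characters each; every one of them trips the heuristic while the benign names do not. Sending the same queries over DNS-over-HTTPS changes nothing about the names themselves, which is why the resolver or the endpoint, not the wire, is where this logging has to happen.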
📶 Wireless & Network Tunneling
11. 📡 GhostTunnel-Go
➡️ Covert Wi-Fi C2 over 802.11 management frames (probe requests and beacons), so no association with any network is required. Go port, cross-platform.
GitHub: https://github.com/AmyangXYZ/GhostTunnel-Go
12. 👻 GhostTunnel (C/C++)
➡️ Native implementation of the same layer-2 technique: stealthy exfiltration over Wi-Fi management frames without joining a network.
GitHub: https://github.com/PegasusLab/GhostTunnel
13. 📶 WiFi_CCC
➡️ Chat-style covert channel using SSID beacon timing.
GitHub: https://github.com/yadox666/WiFi_CCC/tree/master
14. 🔁 WiFi_Reconnection_CovertChannel
➡️ Encodes bits in the timing of reconnections to an access point. A timing channel rather than a storage channel: there is no payload field to inspect, only the gaps between events.
GitHub: https://github.com/NIoSaT/WiFi_Reconnection_CovertChannel
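Items 13 and 14 are timing channels, which behave differently from the header-field channels above: nothing in any frame carries the data, only the intervals between otherwise legitimate events. The following is an added simulation written for this page (not the WiFi_Reconnection_CovertChannel project's protocol; the 2 s and 6 s symbol gaps and the jitter are assumptions) of a two-symbol reconnection timing channel, its receiver, and a simple detector that measures how cleanly the inter-event gaps split into two tight clusters. The baseline of human-driven reconnects is a constructed distribution.

```python
import random
import statistics

# Assumed symbol timings for this illustration; they are not the values the
# WiFi_Reconnection_CovertChannel project uses.
SHORT, LONG = 2.0, 6.0     # seconds between reconnects for a 0 bit / a 1 bit
JITTER = 0.4               # simulated driver and scheduler noise, +/- seconds


def bits_of(data: bytes) -> list[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def encode_timing(data: bytes, seed: int = 1, t0: float = 0.0) -> list[float]:
    """Sender: return reconnection timestamps whose gaps carry the message bits."""
    rng = random.Random(seed)
    times, t = [t0], t0
    for bit in bits_of(data):
        t += (LONG if bit else SHORT) + rng.uniform(-JITTER, JITTER)
        times.append(t)
    return times


def decode_timing(times: list[float]) -> bytes:
    """Receiver: only the gap threshold is needed; no payload is ever inspected."""
    threshold = (SHORT + LONG) / 2
    bits = [1 if b - a > threshold else 0 for a, b in zip(times, times[1:])]
    bits = bits[: len(bits) - len(bits) % 8]   # drop an incomplete trailing byte
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def two_cluster_score(times: list[float], rounds: int = 25) -> float:
    """Detector: distance between two gap clusters relative to their spread.

    A two-symbol timing channel yields two tight clusters (high score); human
    reconnects yield one broad blob (low score). Plain 1-D k-means, k=2.
    """
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    if len(gaps) < 4:
        return 0.0
    c0, c1 = gaps[0], gaps[-1]
    for _ in range(rounds):
        low = [g for g in gaps if abs(g - c0) <= abs(g - c1)]
        high = [g for g in gaps if abs(g - c0) > abs(g - c1)]
        if len(low) < 2 or len(high) < 2:
            return 0.0                     # no second cluster to speak of
        c0, c1 = statistics.mean(low), statistics.mean(high)
    spread = max(statistics.pstdev(low), statistics.pstdev(high), 1e-9)
    return (c1 - c0) / spread


def is_timing_channel(times: list[float], threshold: float = 5.0) -> bool:
    return two_cluster_score(times) > threshold


def benign_reconnects(n: int = 64, seed: int = 7) -> list[float]:
    """Constructed baseline: reconnect gaps drawn from one broad distribution."""
    rng = random.Random(seed)
    times, t = [0.0], 0.0
    for _ in range(n):
        t += max(1.0, rng.gauss(30.0, 10.0))
        times.append(t)
    return times


if __name__ == "__main__":
    covert = encode_timing(b"wifi")
    print(decode_timing(covert))
    print(round(two_cluster_score(covert), 1), round(two_cluster_score(benign_reconnects()), 1))
```

The defensive lesson is in the detector: header normalization does nothing against a channel like this, but adding jitter to or rate-limiting the events, or alerting on suspiciously regular two-valued gaps, does.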
🎧 Cloud & Multimedia Channels
15. 🎥 covert-tube
➡️ Encodes C2 data in YouTube video descriptions, metadata, or frames.
GitHub: https://github.com/ricardojoserf/covert-tube
16. 🎵 Pileus
➡️ SoundCloud-based C2 using steganography in audio tracks.
GitHub: https://github.com/Bojak4616/Pileus
🛡️ Detection & Research
17. 🔍 nefias
➡️ Detection framework for covert and steganographic network channels, from the same GitHub account as NetworkCovertChannels; applies statistical tests to header fields and packet timing.
GitHub: https://github.com/cdpxe/nefias
18. 📚 Research – “Covert Channels in IPv6” (Lucena et al.)
➡️ Early systematic study of IPv6 covert channel design (PET 2005), still the reference for which header fields and extension headers can carry data.
PDF: https://link.springer.com/content/pdf/10.1007/11767831_10.pdf
19. 📚 ACM Covert Channel Paper
➡️ ACM paper on covert channel classification.
PDF: https://dl.acm.org/doi/pdf/10.1145/2018436.2018518
⚔️ Defensive Takeaways
- 🔁 Covert channels span all layers: layer 2 (Wi-Fi management frames, reconnection timing), layer 3 (IPv6 header fields and extension headers, ICMP payloads) and application protocols (NTP, DNS, WebDAV, TLS certificates). No single inspection point sees all of them.
- ☁️ Trusted cloud services are abused: DNS-over-HTTPS resolvers, YouTube, SoundCloud and the like. Destination reputation cannot flag them; look at which hosts talk to them, how often, and with what volume.
- 📊 Anomaly-based detection helps: tools like nefias apply statistical tests to header fields and inter-arrival timing, and the same idea works in a SIEM over DNS query length and entropy or over ICMP payload variance.
- 🧼 Protocol normalization: strip or rewrite optional headers and fields that legitimate traffic does not need (IPv6 extension headers, the flow label, ICMP echo payloads) to break storage channels; timing channels need added jitter or rate limiting instead.
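To make the last two takeaways concrete for the IPv6 Flow Label channel (item 6), here is an added example written for this page, not IPv6teal's implementation: a sender that packs 20 data bits per packet into the flow label (the first packet announces the byte count), a receiver, a detector that counts distinct labels per flow, and a normalizer that rewrites the label and thereby destroys the channel. Addresses come from the RFC 3849 documentation prefix and the carrier packets are empty "No Next Header" datagrams built with `struct`, so everything runs offline.

```python
import ipaddress
import struct

# Illustrative code for this page, not IPv6teal's implementation. Addresses are
# from the RFC 3849 documentation prefix; carriers are empty "No Next Header"
# (59) datagrams so the example needs no sockets or privileges.
SRC = ipaddress.IPv6Address("2001:db8::1")
DST = ipaddress.IPv6Address("2001:db8::2")
FLOW_MASK = 0xFFFFF          # the flow label is the low 20 bits of the first word


def build_ipv6(flow_label: int, payload: bytes = b"", next_header: int = 59,
               hop_limit: int = 64) -> bytes:
    """Serialize a fixed IPv6 header (RFC 8200, 40 bytes) followed by payload."""
    if not 0 <= flow_label <= FLOW_MASK:
        raise ValueError("flow label must fit in 20 bits")
    first_word = (6 << 28) | flow_label          # version 6, traffic class 0
    header = struct.pack("!IHBB16s16s", first_word, len(payload), next_header,
                         hop_limit, SRC.packed, DST.packed)
    return header + payload


def flow_label_of(pkt: bytes) -> int:
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return struct.unpack("!I", pkt[:4])[0] & FLOW_MASK


def encode_flow_labels(data: bytes) -> list[bytes]:
    """Sender: first label carries the byte count, every later label 20 data bits."""
    if len(data) > FLOW_MASK:
        raise ValueError("length prefix is limited to 20 bits")
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 20)
    labels = [len(data)] + [int(bits[i:i + 20], 2) for i in range(0, len(bits), 20)]
    return [build_ipv6(label) for label in labels]


def decode_flow_labels(packets: list[bytes]) -> bytes:
    """Receiver: read labels back in order and cut at the announced length."""
    labels = [flow_label_of(p) for p in packets]
    count, bits = labels[0], "".join(f"{l:020b}" for l in labels[1:])
    if len(bits) < 8 * count:
        raise ValueError("packets missing: fewer data bits than announced")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, 8 * count, 8))


def flow_label_churn(packets: list[bytes]) -> dict[tuple, int]:
    """Detector: distinct labels per (src, dst, next header). RFC 6437 expects one per flow."""
    seen: dict[tuple, set] = {}
    for p in packets:
        key = (ipaddress.IPv6Address(p[8:24]), ipaddress.IPv6Address(p[24:40]), p[6])
        seen.setdefault(key, set()).add(flow_label_of(p))
    return {k: len(v) for k, v in seen.items()}


def normalize_flow_label(pkt: bytes, replacement: int = 0) -> bytes:
    """Normalizer: rewrite the label (here to 0) and leave the rest of the packet intact."""
    first_word = (struct.unpack("!I", pkt[:4])[0] & ~FLOW_MASK) | replacement
    return struct.pack("!I", first_word) + pkt[4:]


if __name__ == "__main__":
    pkts = encode_flow_labels(b"hello, covert world")
    print(len(pkts), "packets,", flow_label_churn(pkts), decode_flow_labels(pkts))
    cleaned = [normalize_flow_label(p) for p in pkts]
    print(flow_label_churn(cleaned), decode_flow_labels(cleaned))
```

Rewriting the label to a constant is the blunt form of normalization; a gentler one replaces it with a per-flow hash so that downstream flow-label-based load balancing (RFC 6438) keeps working. Either way the receiver gets nothing, and the churn count is the signal to alert on before a normalizer is in place.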