{"id":21928615,"url":"https://github.com/nuvious/quicc","last_synced_at":"2025-10-09T17:32:13.249Z","repository":{"id":247851749,"uuid":"826066171","full_name":"nuvious/QuiCC","owner":"nuvious","description":"A covert channel demonstration using the Connection ID header in the quic protocol.","archived":false,"fork":false,"pushed_at":"2025-01-15T21:15:49.000Z","size":28930,"stargazers_count":4,"open_issues_count":11,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-18T21:39:40.948Z","etag":null,"topics":["covert-channel","cybersecurity","cybersecurity-tool","decryption","encryption","encryption-decryption","quic"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nuvious.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-09T03:43:47.000Z","updated_at":"2025-01-15T21:15:51.000Z","dependencies_parsed_at":"2024-07-15T08:28:40.020Z","dependency_job_id":"d5025c7c-6793-48e7-ba7f-f01f255b23a0","html_url":"https://github.com/nuvious/QuiCC","commit_stats":null,"previous_names":["nuvious/quicc"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuvious%2FQuiCC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuvious%2FQuiCC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuvious%2FQuiCC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuvious%2FQuiCC
/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nuvious","download_url":"https://codeload.github.com/nuvious/QuiCC/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235843590,"owners_count":19054013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["covert-channel","cybersecurity","cybersecurity-tool","decryption","encryption","encryption-decryption","quic"],"created_at":"2024-11-28T22:27:08.061Z","updated_at":"2025-10-09T17:32:13.229Z","avatar_url":"https://github.com/nuvious.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"# QuiCC Covert Channel Demo\r\n\r\n## Overview\r\n\r\nCovert channels are means of transmitting information in a clandestine way that\r\nare not observable by a passive warden and are resistant to intercept or\r\ndisruption by an active warden.\r\n\r\nThis covert channel is implemented using the quic protocol defined by\r\n[RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000) and\r\n[RFC 9369](https://datatracker.ietf.org/doc/html/rfc9369/) by exploiting high\r\nentropy header fields. In this implementation the connection id field is\r\nspecifically targeted with future work to utilize other high-entropy header\r\nfields.\r\n\r\n## Video Demonstration\r\n\r\n### ShmooCon 2025 Talk - On Covert Channels using Quic Protocol Headers\r\n\r\n[![ShmooCon 2025 Build It! 
- On Covert Channels using Quic Protocol Headers](assets/shmoocon_youtube_thumbnail.png)](https://www.youtube.com/watch?v=JnbYzd9nriw)\r\n\r\n### Initial Video Demonstration Jul, 2024\r\n\r\n[![QuiCC - A covert channel based on the quic protocol.](https://img.youtube.com/vi/5oHfefoECCE/0.jpg)](https://www.youtube.com/watch?v=5oHfefoECCE)\r\n\r\nNOTE: In the above demo the RSA bit strength is set to 1024. This was done only\r\nto speed up implementation and debugging execution during development of the\r\nproject. The implementation at time of writing [defaults to 4096 bit RSA](https://github.com/nuvious/aioquic/blob/fe7c293e1822babcc7fcafbb7658e145d9cc02dd/src/aioquic/quic/connection.py#L118).\r\n\r\n## Running in Docker\r\n\r\nFirst build the container:\r\n\r\n```bash\r\nsudo docker build -t quicc .\r\n```\r\n\r\nNext create a network:\r\n\r\n```bash\r\nsudo docker network create quicc\r\n```\r\n\r\nNext run the server:\r\n\r\n```bash\r\nsudo docker run --rm -it --name quicc --network quicc quicc \\\r\n  python3 http3_cc_server.py \\\r\n  --certificate aioquic/tests/ssl_cert.pem \\\r\n  --private-key aioquic/tests/ssl_key.pem\r\n```\r\n\r\nFinally run the client:\r\n\r\n```bash\r\nsudo docker run --rm -it --network quicc quicc \\\r\n  python3 http3_cc_client.py \\\r\n  --ca-certs aioquic/tests/pycacert.pem \\\r\n  wss://quicc:4433/ws\r\n```\r\n\r\n### Clone the repository and initialize submodules\r\n\r\n```bash\r\ngit clone --recurse-submodules https://github.com/nuvious/QuiCC.git\r\ncd QuiCC\r\n```\r\n\r\n### Install Requirements\r\n\r\nFor the HTTP server and client examples provided by the aioquic library, the\r\nrequirements are not included in the package dependencies so we have to install\r\nthem manually.\r\n\r\n```bash\r\nsudo apt install build-essential libssl-dev python3-dev\r\npip3 install aioquic/ dnslib jinja2 starlette wsproto\r\n```\r\n\r\n### Start the server\r\n\r\n```bash\r\npython3 http3_cc_server.py \\\r\n  --certificate 
aioquic/tests/ssl_cert.pem \\\r\n  --private-key aioquic/tests/ssl_key.pem\r\n```\r\n\r\n### Start the client\r\n\r\n```bash\r\npython3 http3_cc_client.py \\\r\n  --ca-certs aioquic/tests/pycacert.pem \\\r\n  wss://localhost:4433/ws\r\n```\r\n\r\nNOTE: If running the client and server on separate hosts, replace `localhost`\r\nwith the DNS entry; in this example `quicc.local`.\r\n\r\n### Send commands\r\n\r\nOn both the client and server you should be presented with this prompt:\r\n\r\n```bash\r\nWelcome to the QuiCC console.\r\nEnter 'm:[MESSAGE]' to send a message.\r\nEnter 'c:[COMMAND]' to send a remote command.\r\nEnter 'f:[FILE]' to send a file.\r\nEnter 'k' to send a keepalive message to recieve responses.\r\nEnter 'q' to quit.\r\nEnter your command:\r\n```\r\n\r\n### Send a message\r\n\r\nTyping a command `m:hi` should produce the following output on the server\r\nlogs:\r\n\r\n```bash\r\n2024-07-12 01:06:01,587 INFO quic RECEIVED MESSAGE: b'hi'\r\n```\r\n\r\n### Send a file\r\n\r\nTyping a command `f:test_file.txt` should result in the following output on the\r\nserver logs:\r\n\r\n```bash\r\nRECEIVED FILE SAVED TO: ::ffff:127.0.0.1-message-1.bin\r\n```\r\n\r\nThe `::ffff:127.0.0.1-message-1.bin` file should hold the contents of `test_file.txt`.\r\n\r\n### Send a remote command\r\n\r\nTyping a command `c:whoami` should result in the following output on the\r\nserver logs:\r\n\r\n```bash\r\n2024-07-12 01:11:09,287 INFO quic RECEIVED COMMAND: b'whoami'\r\n```\r\n\r\nAt this point stdout and stderr will be queued to be sent back but we need\r\nto send requests to get CIDs to decrypt the output. 
To do this, simply use\r\nthe command `k` and a keep-alive message will be sent and the result of\r\nthe command should appear in the client logs:\r\n\r\n```bash\r\n2024-07-12 01:12:44,387 INFO quic RECEIVED MESSAGE: b':nuvious\\n\\n\\n0'\r\n```\r\n\r\n## Running on separate hosts\r\n\r\nIf you're running the server on a separate machine, you'll need to change out\r\nthe example key and cert used by the server to ones that match your server\r\nhost domain. You'll need to add an entry to the DNS record for the IP used; in this\r\ncase I used `quicc.local`.\r\n\r\nOn the server run the below in the root of the project:\r\n\r\n```bash\r\nopenssl genrsa -out ca-key.pem 4096\r\nopenssl req -new -x509 -days 365 -key ca-key.pem -out aioquic/tests/pycacert.pem -subj '/CN=QuiCCA'\r\nopenssl genrsa -out aioquic/tests/ssl_key.pem 4096\r\nopenssl req -new -key aioquic/tests/ssl_key.pem -out csr.pem -subj '/CN=quicc.local' -nodes\r\nopenssl x509 -req -in csr.pem -out aioquic/tests/ssl_cert.pem \\\r\n    -CA aioquic/tests/pycacert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 \\\r\n  -extfile \u003c(printf \"subjectAltName=DNS:quicc.local\\nkeyUsage=digitalSignature,keyEncipherment\\nextendedKeyUsage=serverAuth,clientAuth\\nbasicConstraints=CA:FALSE\\nsubjectKeyIdentifier=hash\\nauthorityKeyIdentifier=keyid,issuer\\nauthorityInfoAccess=caIssuers;URI:http://testca.pythontest.net/testca/pycacert.cer,OCSP;URI:http://testca.pythontest.net/testca/ocsp/\\ncrlDistributionPoints=URI:http://testca.pythontest.net/testca/revocation.crl\")\r\n```\r\n\r\nYou'll then need to copy over the `pycacert.pem` and replace the\r\n`aioquic/tests/pycacert.pem` file with it on the client machine.\r\n\r\n## Known Issues\r\n\r\nKnown issues for this implementation of the covert channel are documented in\r\nthe GitHub Issues section of this repository. 
If you find a vulnerability in\r\nthis project related to intercept, disruption or denial of service that may\r\nbe mitigated, feel free to open up an issue and/or contribute to the project.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnuvious%2Fquicc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnuvious%2Fquicc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnuvious%2Fquicc/lists"}