#
# Cctt - Covert Channel Tunneling Tool v0.1.7
# 09/06/2003
#
# This snort file was captured when a CCTT client asked a shell from
# a CCTT server. Have a look on the doc/confs/http_post2 files.
#

06/09-23:35:15.004247 127.0.0.1:1094 -> 127.0.0.1:7222
TCP TTL:60 TOS:0x0 ID:1644 IpLen:20 DgmLen:60 DF
******S* Seq: 0xE651E531  Ack: 0x0  Win: 0x7960  TcpLen: 40
TCP Options (5) => MSS: 3884 SackOK TS: 1041097 0 NOP WS: 0 
0x0000: 00 00 08 00 45 00 00 3C 06 6C 40 00 3C 06 3A 4E  ....E..<.l@.<.:N
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 31  .........F.6.Q.1
0x0020: 00 00 00 00 A0 02 79 60 F8 53 00 00 02 04 0F 2C  ......y`.S.....,
0x0030: 04 02 08 0A 00 0F E2 C9 00 00 00 00 01 03 03 00  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.004321 127.0.0.1:7222 -> 127.0.0.1:1094
TCP TTL:60 TOS:0x0 ID:1645 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xE5DD3F5E  Ack: 0xE651E532  Win: 0x7960  TcpLen: 40
TCP Options (5) => MSS: 3884 SackOK TS: 1041097 1041097 NOP WS: 0 
0x0000: 00 00 08 00 45 00 00 3C 06 6D 40 00 3C 06 3A 4D  ....E..<.m@.<.:M
0x0010: 7F 00 00 01 7F 00 00 01 1C 36 04 46 E5 DD 3F 5E  .........6.F..?^
0x0020: E6 51 E5 32 A0 12 79 60 F0 2D 00 00 02 04 0F 2C  .Q.2..y`.-.....,
0x0030: 04 02 08 0A 00 0F E2 C9 00 0F E2 C9 01 03 03 00  ................

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.004350 127.0.0.1:1094 -> 127.0.0.1:7222
TCP TTL:60 TOS:0x0 ID:1646 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE651E532  Ack: 0xE5DD3F5F  Win: 0x7960  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041097 1041097 
0x0000: 00 00 08 00 45 00 00 34 06 6E 40 00 3C 06 3A 54  ....E..4.n@.<.:T
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 32  .........F.6.Q.2
0x0020: E5 DD 3F 5F 80 10 79 60 28 6B 00 00 01 01 08 0A  ..?_..y`(k......
0x0030: 00 0F E2 C9 00 0F E2 C9                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.020163 127.0.0.1:1094 -> 127.0.0.1:7222
TCP TTL:60 TOS:0x0 ID:1647 IpLen:20 DgmLen:455 DF
***AP*** Seq: 0xE651E532  Ack: 0xE5DD3F5F  Win: 0x7960  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041099 1041097 
0x0000: 00 00 08 00 45 00 01 C7 06 6F 40 00 3C 06 38 C0  ....E....o@.<.8.
0x0010: 7F 00 00 01 7F 00 00 01 04 46 1C 36 E6 51 E5 32  .........F.6.Q.2
0x0020: E5 DD 3F 5F 80 18 79 60 5C 93 00 00 01 01 08 0A  ..?_..y`\.......
0x0030: 00 0F E2 CB 00 0F E2 C9 50 4F 53 54 20 2F 73 65  ........POST /se
0x0040: 72 76 6C 65 74 2F 75 70 6C 6F 61 64 5F 64 61 74  rvlet/upload_dat
0x0050: 61 20 48 54 54 50 2F 31 2E 30 0A 48 6F 73 74 3A  a HTTP/1.0.Host:
0x0060: 20 63 63 74 74 2E 65 6E 74 72 65 65 6C 69 62 72   cctt.entreelibr
0x0070: 65 2E 63 6F 6D 0A 43 6F 6E 74 65 6E 74 2D 4C 65  e.com.Content-Le
0x0080: 6E 67 74 68 3A 20 32 39 36 0A 43 6F 6E 74 65 6E  ngth: 296.Conten
0x0090: 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D  t-Type: text/htm
0x00A0: 6C 0A 0A 49 20 61 6D 20 61 20 43 43 54 54 20 63  l..I am a CCTT c
0x00B0: 6C 69 65 6E 74 20 61 6E 64 20 49 20 61 6D 20 73  lient and I am s
0x00C0: 65 6E 64 69 6E 67 20 61 72 62 69 74 72 61 72 79  ending arbitrary
0x00D0: 20 64 61 74 41 73 69 6D 73 69 6D 31 33 32 35 30   datAsimsim13250
0x00E0: 33 36 49 66 20 79 6F 75 20 6C 6F 6F 6B 20 6F 6E  36If you look on
0x00F0: 20 77 68 61 74 27 73 20 70 72 65 76 69 6F 75 73   what's previous
0x0100: 2C 20 79 6F 75 27 6C 6C 20 6D 61 79 20 68 61 76  , you'll may hav
0x0110: 65 20 61 20 6C 6F 6F 6B 20 6F 6E 20 77 68 61 74  e a look on what
0x0120: 20 49 20 72 65 61 6C 6C 79 20 73 65 6E 64 65 64   I really sended
0x0130: 2E 0A 42 75 74 20 72 65 6D 65 6D 62 65 72 2C 20  ..But remember, 
0x0140: 74 68 65 73 65 20 61 72 62 69 74 72 61 72 79 20  these arbitrary 
0x0150: 64 61 74 61 73 20 63 6F 75 6C 64 20 68 61 76 65  datas could have
0x0160: 20 62 65 65 6E 20 65 6E 63 6F 64 65 64 20 61 6E   been encoded an
0x0170: 64 20 74 68 61 74 20 74 68 65 73 65 20 74 6F 70  d that these top
0x0180: 0A 61 6E 64 20 62 6F 74 74 6F 6D 20 70 61 64 64  .and bottom padd
0x0190: 69 6E 67 20 63 6F 75 6C 64 20 68 61 76 65 20 62  ing could have b
0x01A0: 65 65 6E 20 74 6F 70 20 61 6E 64 20 62 6F 74 74  een top and bott
0x01B0: 6F 6D 20 6F 66 20 61 6E 20 69 6D 61 67 65 20 66  om of an image f
0x01C0: 6F 72 20 65 78 61 6D 70 6C 65 20                 or example 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.020234 127.0.0.1:7222 -> 127.0.0.1:1094
TCP TTL:60 TOS:0x0 ID:1648 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xE5DD3F5F  Ack: 0xE651E6C5  Win: 0x77CD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041099 1041099 
0x0000: 00 00 08 00 45 00 00 34 06 70 40 00 3C 06 3A 52  ....E..4.p@.<.:R
0x0010: 7F 00 00 01 7F 00 00 01 1C 36 04 46 E5 DD 3F 5F  .........6.F..?_
0x0020: E6 51 E6 C5 80 10 77 CD 28 67 00 00 01 01 08 0A  .Q....w.(g......
0x0030: 00 0F E2 CB 00 0F E2 CB                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/09-23:35:15.451336 127.0.0.1:7222 -> 127.0.0.1:1094
TCP TTL:60 TOS:0x0 ID:1649 IpLen:20 DgmLen:944 DF
***AP*** Seq: 0xE5DD3F5F  Ack: 0xE651E6C5  Win: 0x7960  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1041142 1041099 
0x0000: 00 00 08 00 45 00 03 B0 06 71 40 00 3C 06 36 D5  ....E....q@.<.6.
0x0010: 7F 00 00 01 7F 00 00 01 1C 36 04 46 E5 DD 3F 5F  .........6.F..?_
0x0020: E6 51 E6 C5 80 18 79 60 FB 53 00 00 01 01 08 0A  .Q....y`.S......
0x0030: 00 0F E2 F6 00 0F E2 CB 48 54 54 50 2F 31 2E 30  ........HTTP/1.0
0x0040: 20 32 30 30 20 4F 4B 0A 44 61 74 65 3A 20 4D 6F   200 OK.Date: Mo
0x0050: 6E 2C 20 39 20 4A 75 6E 65 20 32 30 30 33 20 31  n, 9 June 2003 1
0x0060: 32 3A 32 32 3A 32 38 20 47 4D 54 0A 53 65 72 76  2:22:28 GMT.Serv
0x0070: 65 72 3A 20 43 43 54 54 2D 30 2E 31 2E 37 0A 43  er: CCTT-0.1.7.C
0x0080: 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 37  ontent-Length: 7
0x0090: 37 36 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A  76.Content-Type:
0x00A0: 20 74 65 78 74 2F 68 74 6D 6C 0A 0A 3C 68 74 6D   text/html..<htm
0x00B0: 6C 3E 0A 0A 3C 68 65 61 64 3E 0A 20 20 3C 74 69  l>..<head>.  <ti
0x00C0: 74 6C 65 3E 43 43 54 54 20 2D 20 43 6F 76 65 72  tle>CCTT - Cover
0x00D0: 74 20 43 68 61 6E 6E 65 6C 20 54 75 6E 6E 65 6C  t Channel Tunnel
0x00E0: 69 6E 67 20 54 6F 6F 6C 3C 2F 74 69 74 6C 65 3E  ing Tool</title>
0x00F0: 0A 3C 2F 68 65 61 64 3E 0A 0A 3C 62 6F 64 79 3E  .</head>..<body>
0x0100: 0A 0A 3C 21 2D 2D 20 46 69 72 73 74 20 50 61 72  ..<!-- First Par
0x0110: 74 20 2F 2F 2D 2D 3E 0A 3C 63 65 6E 74 65 72 3E  t //-->.<center>
0x0120: 54 68 69 73 20 69 73 20 61 6E 20 65 72 72 6F 72  This is an error
0x0130: 20 70 61 67 65 20 67 65 6E 65 72 61 74 65 64 20   page generated 
0x0140: 62 79 20 61 20 43 43 54 54 20 73 65 72 76 65 72  by a CCTT server
0x0150: 20 69 6E 20 48 54 54 50 20 6D 6F 64 65 2E 3C 2F   in HTTP mode.</
0x0160: 63 65 6E 74 65 72 3E 0A 3C 62 72 3E 0A 54 68 69  center>.<br>.Thi
0x0170: 73 20 65 72 72 6F 72 20 70 61 67 65 20 69 73 20  s error page is 
0x0180: 67 65 6E 65 72 61 74 65 64 20 69 66 20 74 68 65  generated if the
0x0190: 20 63 6C 69 65 6E 74 20 64 6F 65 73 6E 27 74 20   client doesn't 
0x01A0: 73 65 6E 64 20 74 68 65 20 67 6F 6F 64 20 55 52  send the good UR
0x01B0: 49 20 6E 6F 72 20 64 6F 65 73 6E 27 74 20 73 65  I nor doesn't se
0x01C0: 6E 64 20 61 75 74 68 6F 72 69 7A 65 64 20 63 72  nd authorized cr
0x01D0: 65 64 65 6E 74 69 61 6C 73 20 61 6E 64 20 69 73  edentials and is
0x01E0: 20 62 75 69 6C 64 65 64 20 6F 6E 20 74 68 72 65   builded on thre
0x01F0: 65 20 64 69 73 74 69 6E 63 74 20 70 61 72 74 73  e distinct parts
0x0200: 2E 20 54 68 65 20 66 69 72 73 74 20 70 61 72 74  . The first part
0x0210: 20 69 73 20 61 64 64 65 64 20 61 74 20 74 68 65   is added at the
0x0220: 20 74 6F 70 20 6F 66 20 61 72 62 69 74 72 61 72   top of arbitrar
0x0230: 79 20 64 61 74 61 73 2E 20 54 68 65 20 73 65 63  y datas. The sec
0x0240: 6F 6E 64 20 70 61 72 74 20 49 53 20 74 68 65 20  ond part IS the 
0x0250: 61 72 62 69 74 72 61 72 79 20 64 61 74 61 20 61  arbitrary data a
0x0260: 6E 64 20 74 68 65 20 74 68 69 72 64 20 70 61 72  nd the third par
0x0270: 74 20 69 73 20 61 64 64 65 64 20 61 74 20 74 68  t is added at th
0x0280: 65 20 62 6F 74 74 6F 6D 20 6F 66 20 61 72 62 69  e bottom of arbi
0x0290: 74 72 61 72 79 20 64 61 74 61 73 2E 3C 62 72 3E  trary datas.<br>
0x02A0: 0A 3C 62 72 3E 0A 3C 21 2D 2D 20 42 65 67 69 6E  .<br>.<!-- Begin
0x02B0: 20 53 65 63 6F 6E 64 20 50 61 72 74 20 2F 2F 2D   Second Part //-
0x02C0: 2D 3E 20 3C 21 2D 2D 62 61 73 68 3A 20 6E 6F 20  -> <!--bash: no 
0x02D0: 6A 6F 62 20 63 6F 6E 74 72 6F 6C 20 69 6E 20 74  job control in t
0x02E0: 68 69 73 20 73 68 65 6C 6C 0A 20 2F 2F 2D 2D 3E  his shell. //-->
0x02F0: 20 3C 21 2D 2D 20 45 6E 64 20 53 65 63 6F 6E 64   <!-- End Second
0x0300: 20 50 61 72 74 20 2F 2F 2D 2D 3E 0A 0A 3C 21 2D   Part //-->..<!-
0x0310: 2D 20 42 65 67 69 6E 20 54 68 69 72 64 20 50 61  - Begin Third Pa
0x0320: 72 74 20 2F 2F 2D 2D 3E 0A 3C 62 72 3E 0A 4E 6F  rt //-->.<br>.No
0x0330: 74 65 20 74 68 61 74 20 79 6F 75 20 63 6F 75 6C  te that you coul
0x0340: 64 20 68 61 76 65 20 75 73 65 64 20 74 68 65 73  d have used thes
0x0350: 65 20 74 6F 70 20 61 6E 64 20 62 6F 74 74 6F 6D  e top and bottom
0x0360: 20 70 61 72 74 73 20 74 6F 20 65 6D 62 65 65 64   parts to embeed
0x0370: 20 64 61 74 61 20 69 6E 74 6F 20 61 6E 20 69 6D   data into an im
0x0380: 61 67 65 2E 2E 2E 3C 62 72 3E 0A 3C 21 2D 2D 20  age...<br>.<!-- 
0x0390: 45 6E 64 20 54 68 69 72 64 20 50 61 72 74 20 2F  End Third Part /
0x03A0: 2F 2D 2D 3E 0A 3C 2F 62 6F 64 79 3E 0A 3C 2F 68  /-->.</body>.</h
0x03B0: 74 6D 6C 3E                                      tml>