Kill Packet

Published: Sun 24 February 2013

This post explores a hypothetical case where one has volatile data on a remote machine that needs to be removed as fast and as discretely as possible without having to open up a laptop and log in via SSH, an SFTP/FTP browser etc.

Rather, this post assumes it would be more convenient to just hit a single button on your phone or click a single icon that sends a network packet to the server, triggering a script that proceeds to delete your data and/or back it up to another trusted server.

This is just a quick sketch and so I’m eschewing questions of security. Indeed the whole thing could be done over SSL and improved here and there. There could be a deletion routine for the scripts themselves, EXT3/4 journal cleaning and a reboot routine also.

Regardless, by the time someone snooping on the network sees the payload of the packet go out, it will be too late - the data is already being deleted. In the case access to the Internet gateway is blocked there is still little risk; there’s no way of someone sniffing traffic knowing which data you want to delete on the server itself. Rather, the packet will just appear to contain an anomalous payload. If they send that same payload to your server, then they finish the job for you..

To begin. First we need to establish which data you want to delete.

Log into your server via SSH and install the program socat (assumes Debian GNU/Linux based OS):

            apt-get update
            apt-get install socat

Now create a script, defining what you want to delete. Define also data you want to copy to another server:

            #!/bin/sh
            # remote-kill.sh

            # Use dummy directories while testing!
            DELETEDIRS='/var/log/* /home/user/Mail/blackbox'
            COPYDIRS='/home/user/leaks /home/user/volatile'
            KILLSIG=$1

            # KILLSIG is sent by the client
            if [ "$KILLSIG" = "809ca09affjakkj1pa8" ];
                then
                    rm -fr $DELETEDIRS & # background so we can start copying
                    tar cvzf leaks.tar.gz $COPYDIRS &&
                    # SCP would run inside an ssh-agent with keys for a user on a remote
                    # host that has restricted priveleges
                    scp leaks.tar.gz backup@my-backup-server.org:. &&
                    # Delete the leaks and ssh-keys for the backup server
                    rm -fr leaks.tar.gz $COPYDIRS
                    rm -f /home/user/.ssh/backup.rsa
            fi

Save the out the script as remote-kill.sh, copy it to /root and make it executable:

            chmod +x remote-kill.sh; cp remote-kill.sh /root

Now, as root on the server, set up the ssh-agent and run the socat listener:

            ssh-agent bash
            # Define SSH keys here for login on remote backup host
            ssh-add /root/.ssh/backup.rsa
            # Run socat on port 1337. Because you can and it's still funny.
            # You could run it on a non-firewalled port like 443, also.
            # Assuming you don't need it for anything else on this
            # particular host (unlikely)

            while true; do socat -u TCP4-LISTEN:1337 STDIO | ./remote-kill.sh `tee`,nofork; sleep 1; done

Install socat onto your client machine (just as you did above) and write a kill script that will send out the packet:

            #!/bin/sh
            # client-kill.sh

            KILLSIG='809ca09affjakkj1pa8'
            echo $KILLSIG | socat - TCP4:my-server.com:1337 && echo "Packet sent. Deletion underway.."

Write out this script as client-kill.sh, save it onto your desktop and make it executable so you can simply double-click it:

            cd ~/Desktop
            chmod +x client-kill.sh

Have fun and remember to use dummy directories when testing!

Affiliated