Have you looked at Paros or Burp Suite?

Thanks guys, I'll take a look through those.  I guess what we are trying to test is the following...

• Malicious software gets on victim system.
  
• Victim doesn't know and software is not exhibiting any strange behavior so scanners and IDS are not picking it up.
  
  • Software needs to get out to internet - oh snap authenticating proxy what shall I do???
    
  • oh hey, you have an active IE session open already, can I borrow that?  Thanks!
    
  And boom goes the dynamite.  Now given if the above is possible our next challenge is how can we detect such traffic?  I will fiddle around with Burp/Paros as well, either way they look like fun.  Sadly Gray-world is blocked here, but I can take a look at that later at home.

I have an idea.

Imagine a rogue addon in your browser (e.g. FireFox), which sends off data to a remote (unauthorized) 3rd party, every time you log into a website, etc. (This has been seen before.)

Another scenario could be that malware had altered the browser, so that not only would you be able to browse websites, but e.g., a trojan would simultaneously send traffic across the session being in use (or just re-using logins whenever it finds one if possible and one-time tokens are not in use).

In a simple case, the unauthorized traffic could go through via "xmlrpc".

Ettercap has the functionality to inject data into a stream, but I haven't really tested this, but there's a button you can try  (It's when you perform Man in the Middle attacks.

But in theory yes it's possible. But there's several layers this could occur on, ranging from the physical level (well, almost), and onto the application layer (the web browser, and yes I'm referring to the OSI model  )

I don't have any practical examples for you to try out though.

No problem, and nice ideas you're bouncing around You should know, that some companies filter all outgoing ICMP and DNS traffic, so it has to pass by a proxy server first, while some companies, blindly lets all DNS and ICMP traffic through.

What can you use these open and unprotected data tunnels for?

Trojan data of course! (During an ethical pentest assignment that is hehe)

Most covert channels via ICMP, seems to be using almost standard headers but instead of the usual contents, it's actual data inside! The ICMP channel often seems to work with ICMP ECHO and REPLY messages, which can probably even contain CRC values, etc. making the data transfer somewhat reliable.

Covert DNS Channels, uses subdomain wildcards and a DNS server out on the Internet to relay traffic back and forth. It's also a brilliant example of covert channels.

I definitely recommend taking a few looks at the resources I've gathered below.

Update: Oh yeah, I forgot to mention that some SPI (Stateful Packet Inspection) firewalls, will most likely drop this kind of traffic. Still, even if the target company does have a firewall that supports this feature, it may not be turned on or configured correctly.


Resources:
http://www.coresec.org/2011/04/21/reverse-connection-using-icmp-shell/
http://tourdot.fr/venik
http://caia.swin.edu.au/cv/szander/cc/cc-implementations-bib.html
http://www.securityfocus.com/tools/category/97

Take a look at Joanna Rutkowska's Nushu, it's closer to what you want:

http://invisiblethings.org/code.html