BHIS | Modern C2 and Data Exfiltration w/ Kyle Avery (1-Hour)

Captions
The broadcast is now starting. All attendees are in listen-only mode.

That's fantastic. Jason fans. Amazing. All right, everybody, if you're watching right now, this is not the webcast. The webcast will begin in 30 minutes. If you are watching the recording, feel free to fast forward 30 minutes. This is the beginning of the webcast. This is our tribute today to John Hammond, a pioneer, a man who thought he could bring back dinosaurs, and he did. That's great. That's great. And I hate the meme where people talk about how John Hammond did all those things but only hired one IT person. That's not true. When you read the book, there's like an entire team of IT people. They only sent one person to the island to do the update, so you couldn't send them all. And you all know in IT, just from experience, that that is the worst guy in the company. So how do you feel about going out to an island off of Costa Rica to do this? Is it going to be a beach? No, no, not really. Is there like a luau or food? Nah, nah. They sent the most expendable IT guy they had. Newman. Yeah. John Hammond here. John, I'm here, I'm here. They look awful. Yeah, John, what happened? If you couldn't really let go these days, the only thing we can do to improve this is if you go down to webcam, go to preferences, switch to 16x9, so at least you have the same amount of real estate as the rest of us. Don't do it, man, they're trying to make you look wider. [Laughter]

All right, everybody, if you're here early, thanks for being here early. We show up early because you show up early; you show up early 'cause we show up early. It's a vicious cycle. We have a full house with us today. We have a lot of people, a lot of people, because apparently this is the last webcast of 2021 that we're going to do for Black Hills Information Security. I don't even know what the tally is right now, but I'm going to go look. I think it's in the 400s or something now. Wait a minute, does that include the 24-hour pre-show of atricon? Because that should be... we got a ton of four-hour free sessions we did for Active Countermeasures, like network threat hunting. We had the 24-hour pre-show BanterCon. I thought I did a four-hour session on cyber deception, or maybe that's coming up, or maybe that was three years ago, a couple years ago. 500, I think it's going to be close to. 483, I think. Well, that's not concluding well with sacrifice though. No, that doesn't include... that doesn't include Wild West Hackin' Fest, does it? And there was... you can ask the trainings, all the trainings, the Hackin' Cast. That's just disappointing then. Nothing, no. Ryan has all of this on a hard drive, just one thing spinning there, just nothing. Yeah, and his internet sucks so bad at his house that he's got to take that hard drive to like a Days Inn to sit in the park wireless network to upload it. Oh, I've already told him we're going to meet up and do a sneakernet, and I'm going to bring it to the data center here and get it up, you know, to the cloud. Don't we have an office in Florida now, like a WeWork space? I approved that like months ago. We haven't found a good one yet. Oh yeah, we need one with scary fast internet, Gary.

And so, if you're here, thanks for being here. If you've been here all year long, thanks for being here all year long. Today is your first webcast because you saw this thing that we did on Monday on Log... Log Forge... Log4j. Hot debate right now. I keep it on giving. Honestly, I think you just scared a hundred people right there just by saying numbers are going down. So if you're here for the first time, this is not the webcast. It begins soon. And also if you're here for the first time and maybe you got the time zones messed up, you haven't missed anything yet, so you have nothing of value at all. That was correct. We do have John Hammond here with us for the very first time, and thank you so much for joining us, John. John, John, blowing your standards and slumming with us, man. Thanks for letting me come hang out. This is the party place, guys. There's a guy that should be in the running for a Webby, and we got Jason dancing with his cat. So welcome. Good to be here. We're doing everything we can to make sure that Kyle's not nervous, because we got like a thousand people coming and he's been throwing up all morning. [Laughter] You can't think of it as a thousand people. You just gotta think of it as, like, a lot of people, like a number so big you couldn't count if you were in a room with all of them. You'd get it wrong. That's better. That's the way I like to think of it. And I mean, by the way, don't ever look at... like when you're presenting, imagine a thousand, like, key people naked. That's... why did you go there? Oh well, things happen. Let us be like other webcasts. Everyone be silent for the next 24 minutes. Yeah, I still think we need elevator music. Would it be like smooth jazz, or would it be some like, hey, maybe trance techno hacker thing? You got bluegrass banjos going in the background? What are you thinking? I like the bluegrass. I like the bluegrass technology. Yeah, like instead of smooth jazz it's like, you know, "My Guitar Wants to Kill Your Mama" or something. So like, what the hell am I listening to? Well, to appease everyone listening in, like depending on their music genre of choice, you'll have to just switch it every five or three seconds. We will please... every three seconds ago... all of the time. You could play it all at the same time. Yeah, yeah, that's right.

We're on Discord today. Hey, we're on Discord today. If you're on Discord, join us in the webcast live chat. And then Ryan, I just got the thumbs up from Beau to release his concert. That's cool. It's in process, it's not live yet. Process. All right, when can we make it live? Because it says draft. I'm hoping by tomorrow. I don't know. What are you talking about? What is this concert? From the 24-hour... I was just holding on to it, so now it's going to be official. So John Hammond's here, John Strand's here. The two of you got together last week and talked about the stuff, which is cool, before the Log4j shenanigans, I think it was. It's all blue right now. It was the Thursday before. Like, there was Thursday you two hung out, and then Friday the world caught on fire. And then, yeah. Thank you. Wait, did you guys have anything to do with that? Right. It's a good thing that we got to talk before all of it, because otherwise it would have completely derailed, at least in my mind. I don't know about you, John Strand. Oh, it would have completely derailed the entire conversation, because I think we probably would have gone into the code. You can see the vulnerability right here, and what, has this never been caught? We would say, as if, you know, we would have found that vulnerability years ago. But yeah, open source projects in 2013, right? Do that in the spare time. Yeah, that's the darkness, right? Like, that's infosec Nietzsche. Like, if you start going through and auditing all of the open source code that's being used by everyone in the world, it quickly becomes a hilarious xkcd comic that predicts the future. So, and here we are.

I had a friend of mine who works with developers, and on Tuesday morning I was like, hey, have you heard of that Log4j thing? All right. And he's like, because he was away all weekend, like he was like, nope, not me. What happened? Uh oh. Well, yeah, there's this thing. Your organization doesn't use Java, does it? He's like, oh my god. No, I'm sorry, I'm sorry, I didn't ask that question. Your organization uses Java and they should be panicking. That's right. What I think is interesting, whenever an exploit or a vulnerability hits this level of knowledge in, not information security, but outside of it, as soon as anything breaks, like, you get calls from aunts and uncles and family members. They're like, do you think it's that Log4j thing that's out there? I heard the Java is used in a lot of places, and my credit card didn't run through yesterday, so I think it's that Log4j is not working. So it's probably that. Like, dishwasher. Can you help me secure my Minecraft server? Yes, oh my god. You haven't gotten those questions, have you? I'm sure. Absolutely. Was patched. VMware. Yeah, we've got our priority stream. It's like, what should we patch? Patch the Minecraft servers, dear god. Yeah, yeah, that'll be the end. Can you hack my girlfriend's Facebook account, and can you patch my mind vulnerability? I haven't gotten those questions in a while where people are like, I think my wife is cheating on me, and then they have this whole write-up on how his wife's horrible, and then, can you help me?

One time at BHIS though, we got this envelope, and I have it around somewhere, and it had four checks of six thousand dollars each, okay, and it had this long letter where this lady was talking about, you know, her ex-husband was having people that were breaking into her stuff, and if you could come in and prove it, she would write these... we could cash these checks. Like, wait, was insane. It was like five hand-written sheets that were like on a notepad from like a Best Western or something. And that was probably the craziest request I ever got. Good gig though. Paid well? No, I didn't. We have a gig coming up, John, that's going to top that. Oh my god. No, hit the bar, and we are going to raise it. Yeah. Oh, it's definitely ethically questionable, but I think we've got the high ground. We'll see. What about the request sometimes, like, hey, can you find dirt on our executives on the dark web or something? We've done that. No, not where an executive was like, you guys could do whatever you want, I got nothing to hide, and by the end of the test I created a manila envelope filled with all the crap that he absolutely had to hide. And then he sent us a manila envelope full of hundreds. All these stories. Pen test report, and we're not going to release it. No, he actually threatened to not pay me. He was very, very, very... sounds like he didn't understand the situation. What we have here is a failure to communicate. Like, if you're that into BDSM, you probably shouldn't use your real name on your websites. Oh my gosh. You know, I had no idea that this is where we'd go. Appreciate who? Yeah, that doesn't happen very often. I want to make that clear. If you're just joining our webcast, this is not what BHIS does normally. Just straight down the fairway pen testing, paid for it, permission. I could just see it, administrators being like, I want to hire this company to find dirt on my executive.

Is this not reminiscent of the Bastard Operator From Hell, which I saw that you have the books on your little video game thing? I do. I actually... one of my... somebody, I don't... I wish that people would put in a card on who sends this stuff to me. I just got like six pounds of Haitian coffee. I should really double check and make sure that this guy... but it's upstairs. It's like from Haiti. I'm like, I don't know who this is from. But yeah, somebody sent me the original copies of the Bastard Operator From Hell books, and whoever that is, I thank you. That's pretty awesome, pretty awesome. If you haven't read it, look it up. It will make you howl. It's unique. Okay, Kyle's gonna do the webcast today. The rest of us will help with questions, these awkward silences, because you remember during the 24-hour BanterCon, it was like, I think our record was six or seven seconds. It was pretty amazing, and we all took a nap during that. Was great. You took naps? Who took naps? No, I laid on the couch and listened to it while it was going on. Yeah. I don't know if you're here, Josh. I met a guy named Josh in the grocery store this weekend who recognized my t-shirt, and then he recognized me, and then he had watched a lot of the 24-hour BanterCon-athon, and as he brought it up I just started having a lot of PTSD while we were having that conversation. But it was good to see you, and if you're here, Josh, it was very nice to meet you. You know what's the difference between the grocery store and right now, Jason? He could see your t-shirt. That's deep. Maybe two.

So John Hammond, we invited you here today because you're doing a lot of great stuff in the community, and if there is absolutely anybody that is currently listening that has no idea who you are, we wanted to make sure that we brought attention to who you are, what you're doing, what you're creating. In fact, have you had any sleep since Friday? Because at some point you released like a TryHackMe box built for Log Voge, I think that's how we're saying... Log4j. Yeah, butchering it. Doing creativity. John, have you slept at all? I mean, like, just the amount of content that you put out between Friday and now is just astounding. Yeah, no, well, thank you. I mean, I appreciate you kind of letting me come and hang out and, as you mentioned, hey, just get a little extra spotlight on kind of the stuff that I'm up to. Log4j has been kind of crazy, as you all obviously know, and I'm trying to, you know, be out in the front, be out trying to educate and spread some awareness, get some messaging out about it. So the content that has come with it, yes, I showed in a video walkthrough, like, look, this is how it can affect even something as silly as Minecraft, right? And there was a practical, like, hands-on lab environment that I built out. That was the TryHackMe box and lab. It was like, hey, let's beat this thing up against Apache Solr and understand what you can do for mitigations or for detection or for patches, but understanding and knowing what the bypasses are, stuff like that. So I guess, sorry, I've been rambling, but to answer your question, I have gotten some sleep. It might be five hours, three, four, or less, but yeah, I'm still running and cruising, so we're having fun.

Yeah, see, that's the difference between red and blue on this. Like, on the red side, I think most of the pen testers here are like, this is gonna be the gift that keeps on giving. Like, we're gonna find this in custom apps for the next five years. We're like walking around high-fiving, have an eggnog. We're like, this is a great holiday season, isn't it? It's just, we're weird like that, right? It's definitely, not kind of, different aspects. I think it's funny too, because it's one of those ones where, like, right now I'm like, you know what, I'm gonna wait for everyone to, like, calm down about it, like have their chance, before I start, you know, rolling them out, because every time I do it they're gonna assume it's real, right? Because they have no idea. They're like still trying to figure it out. But to John's point, 2022, I mean, like, you know, we're probably going to be using this one a lot. So, well, and I think we're going to be finding it in the non-standard applications. Like I said, there's GitHub repositories that have 100 vendors that have their notification on it, and that's cool, but where we're excited is, is this going to be like Shellshock? You know, we're not going to be exploiting this in Apache, or maybe VMware, who knows, but it's the custom stuff. The custom stuff is going to be the true gift. This is when we're going to send the right message in a chat and get shell on some EDR vendor's, like, thing way back in the back end. That was way past the scope here. This was interesting. Then you find out you've just hacked like the Siemens security operation center, and it's like, you know, a thousand customers as part of an MSP. You're like, yeah, and the only reason they didn't know is because they didn't think somebody would send this message. That's typically not publicly exposed, right? Some platform ends up talking, you know. Well, this isn't on our website, so we're secure. Good.

And to confirm, this is not the John Hammond that started Jurassic Park, just in case anyone... Yeah, yeah, he does know Unix. Different person. And just his next concert, because I know he's also like Walter Payton and Michael Jackson. He's also Ed Sheeran. So don't worry. Like, seriously, this is the level of crap they give me because I have a super male model named John Strand. Yes, well, this is hilarious. When I was trying to build the thumbnail for the video that we were putting together, I was like, hey, let me Google John Strand images so I can go ahead and grab something. Dude's like shirtless in his underwear. I'm like, uh, this isn't the John Strand I know. [Laughter] Here's my question. I wonder, do we give him more publicity, or him himself give us publicity? I'm not sure. Right, at this point we're giving him way more publicity. His modeling career is over. He was arrested for January 6. He was actually fired from his agency. Abs are a great thing, but John Strand's brains... [Laughter] [Laughter] That wasn't where we wanted to go.

So John, do you have any plans on, like, upcoming future... Like, I know for, like, doing webcasts and things, there's always things you want to do that are like the white whale of a webcast, and for us it was Attack Tactics, where we went through and did a hack beginning to end all the way to domain administrator. We finally made that happen. It was super cool. So for you and, like, your YouTube channel, what is like the white whale webcast that you want to do, or the recording on YouTube that you want to do, that is just like, this is a lot of work, but it's something that you've always wanted to do? Oh dude, this is a can of worms and a ginormous question, I got to admit. So like, I'm always bumbling around different ideas, stuff that I want to be able to get out. Ultimately I'd like to, like, have something for everyone for anything they might be interested in, which is super hard. Like, cool, let's talk about sysadmin stuff and like Linux and Windows. Let's talk about malware development in Golang or Rust, or like, whoa, let's get into some of the crazy spooky scary dark web Tor onion shenanigans and malware analysis. It's still pen testing, Active Directory, blah blah blah. There is way too much that I want to be able to put out, and that is the giant boulder that I try to roll up the hill. One thing that I'm really kicking around is, I had put together a showcase at a trade show, like at a live event and conference, that was a hackable kiosk, like a computer you might find in a coffee shop or a library or something, and I wanted to get folks in front of it and try to have them break out of it. So it's super accessible, right? You don't need to know any programming or coding or scripting. You don't need to be elite hacker. Just need to kind of press buttons on the keyboard and figure it out and be persistent about seeing what you can access, and then get from a web browser in a locked-down sandbox environment to pop open a command prompt and a shell. I ended up being able to put that together, like, within Windows 11 in their Windows kiosk mode, or like their assigned access, and I was pretty pleased with it, and I really want to get a video on that super soon. But showcasing Windows 11, showcasing some of the, you know, stuff that everyone gets their hands dirty with on a day-to-day basis, that's what I'm excited about. Long answer, sorry.

No, no, that's actually perfect. It's actually perfect because, like I said, one of the things that's nice is we have lots and lots and lots of, like, interns and flying monkeys to set things up. The thing I want to do, and we're hopefully going to work with MetaCTF on this, is you have a lot of these cyber range competitions, and they're really cool, but trying to watch them is like watching paint dry. It's like watching the scoreboard. So I really want to do something that's live, interactive, where you see scores, people do the challenges, and have some, you know, go through and walk through the tool and technique that's being used, to try to make it exciting for watching these things. But I think that's going to be really hard, because I think a lot of computers and hacking is inherently boring as hell. Yeah, Googling for eight hours, just banging your head against the wall. Yeah, exactly. Going through GitHub pages of all the code that they have, looking for vulnerabilities, and tabs. Yeah, so many tabs. I've been trying to record going through the Holiday Hack Challenge, like, live and raw, like cold feet, just kind of experimenting with it, and it's two hours of me just like drooling over the computer screen, like, no one's going to watch this trash.

I'm going to tell you right now, like, Ed Skoudis, Josh Wright, Counter Hack team, they come straight legit, and I'm going to give everyone a couple of tips for Counter Hack's Holiday Hack Challenge. Actually, the first tip is the single most important: whenever you're looking up a vulnerability or a problem, don't just go to Google's one page of results. A lot of the higher challenges, you have to go to page two, three, or four to find a specific tool that will help you solve that challenge. But almost every one of the challenges are straight-up Google, if you know the different strings and the applications to do searches on. But they go out of their way to find weird, obscure vulnerabilities and things, and they're masters at it. But no, they come up with some really in-depth challenges, for sure. I'm in this year's Holiday Hack Challenge. At some point I think I'm in a bathroom, which is odd. Classic. Yeah, I heard you're giving a talk, like you're presenting a demo in the bathroom. I don't know. So over the last year, over the last six years, I'm always hidden in the Holiday Hack Challenge. I was like a plant, a hay bale, you know, other things, and apparently this year I think I'm in the bathroom. I haven't found myself yet. Are you like the sink, the toilet paper, are you the toilet? Like, what are you? I don't know. If anyone's found Jason in the Holiday Hack Challenge, let me know where I'm at, because [Music] I might just... I might join on this just to find you. Like, that's my challenge, right? Like, that is the whole thing, right? That's the solution. Well, the first time I was playing, I was in the whatever, and I found a plant, and it says, hi, I'm Jason, and I responded with, I am also Jason, and it took me a while to find out that it was me. And who told you you're in the bathroom? It was on Twitter, I think. That's... posted a screenshot of me in the bathroom or something, I don't know. I actually recall seeing that as well. I gotta go find that. I'm definitely gonna find that. Oh, we just did. Because that's weird, right? Like, I'm not the only one that's like, that's weird. Oh, it makes sense, right? Everybody, everybody. That's a good point, Jason. Everyone goes to the bathroom. Yeah, all right, that's another webcast.

The webcast will be in four minutes. We got Kyle here. Kyle, we'll probably give you back control of the screen to make sure that you actually have control of the screen. So I'm gonna make you presenter, and then when your presentation begins, the rest of us will go away, turn off our cameras, and then it would just be Kyle all alone with all of you, and that's fine. Kyle's okay with that. Kyle knows what he's doing. Not his first rodeo. Yes, you got this, Kyle. I believe in you. Can you guys see that? See the one... you guys see the title slide right now? We lost your video and audio and slides. Yeah, he's gone. Don't listen, Dan. We're gonna put him in the bathroom later here. So is this Rorschach test pass/fail, or... But Jason, in honor of you in the Holiday Hack in the bathroom, one of these times we got to get you streaming from the bathroom, in honor of Ed Skoudis or something like that. Now we can get you streaming from Ed's bathroom. Like, we can make happen. That would be better, right? Yeah, I don't see... Jason, one of the first times... well, the first time I ever went to Ed's house, and I was in his office, the bathroom's right there in the office, but I had to go number two, and so I knew he was only like eight feet away, and yeah, Ed and I are close enough that wouldn't have been a problem.

If you've been with us at all in 2021, thank you so much. If today's your first day, then please come back. This is not always like this. But it is always like this. Gets better. Pre-show BanterCon, it seems like it. No, no, no. If you're in Baltimore, we are having a get-together tomorrow, December 17th. If you're watching the recording, then it already happened, but if you can join us on December 17th at 3 p.m., we're meeting up at Heavy Seas Brewery. And if you're on Discord right now, let us know which city you would like us to come to next, because we're gonna start traveling in 2022 and going to your city and bringing you all together, because there's a lot of people in your town that also come to Black Hills webcasts or get Prompt the zine or order something from the Spearphish General Store. And so we're doing what we can to bring you all together so you can meet each other, and once you meet each other, then you can all be friends. This is also Jason's way to travel the world. Jason and Deb are going to be like, you know what's weird? We got a ton of people in Hawaii. Wow, Hawaii is huge, dude. Remember there's a BSides Cayman Island that we were like, why don't we go? Yeah, yeah, that's a big one too. Yeah, that's cool. That's a good one. Okay, following there. Thank you, John Hammond. Thanks for joining us. It's time for us to get started. If you haven't followed John Hammond on YouTube yet... most likely, but if you haven't, please go do that. John Strand, thanks for joining us. Thanks for giving us this, you know, creating Black Hills in the first place, that we can do all these things. We appreciate you. 2021, have a great day. Thank you. Kill your cameras, kill your microphones, except for me and Kyle. It would just be me and you, Kyle, me and you. Hey, so real quick, Jason, I saw somebody say my mic sounded muffled. Do I sound okay to you? Do I need to do anything? Ah, does he sound muffled? Ryan, pop in real quick. They'll go ahead and kill your camera. Oh, which microphone are you using? It's a Blue Yeti. All right, and is the blue facing us? It's facing me, I guess. I don't know how to... Ryan, how do you think? I think that
sounds a little scratchy like maybe it's uh overdriven or something do you have a gain button on the back uh i do on the front actually turn it down keep it down is it too loud yeah turn the input down a little bit all right is that better maybe but just better is it all right i mean yeah if we're good i'm good i just wanted to make sure it was all right i think it'll work all right all right everybody welcome to the last black hills information security webcast for 2021 we have kyle avery with us today he's going to talk about modern c2 and data exfiltration which i'm sure no one is concerned about in the entire world uh but kyle's going to talk about from red team's point of view and so kyle it's all yours to everyone who is here right now if you have any questions you can always ask and go to webinar but if you want your question to be answered quicker ask it in discord if you want to join us on discord we have to link inside of the go to webinar we also have the slides too i got a lot of spit right now we also have the slides too so you can find the handouts in there you can go ahead and down the slides and follow along with kyle kyle it's all yours if you have any issues i'll pop back in but other than that take it away all right so like jason said i have the discord open here so if you guys ask questions there i will see it um but otherwise oh they want me to mess with my gain ryan is that better maybe i turn it down it's pretty much at the bottom now not sure if you can still hear me or okay yeah all right cool so yeah like jason said i've got the discord open but if you ask questions in go to webinar or there there are other people to answer them so otherwise we can get started today i'm going to talk about modern c2 and data exfiltration so my name is kyle avery i'm a pen tester and a red tamer at black hills i'm also an instructor with wild west hackingfest i'll touch on that at the end i linked my twitter and github there so feel free to follow those if 
you like as for our agenda for today i'm going to first just go over some background information um and then we're going to move into some different methods of getting traffic from malware implants to a place that you know we as operators can interact with them and that'll make a bit more sense as we go on if it's unclear but these are kind of the different topics that we're going to touch on so with that i will jump into our background so i stole this sort of graphic here from active countermeasures if you're familiar with them that's one of john's other companies but this is sort of a way to demonstrate what command and control or c2 is so a commanding control is really just this sort of general term that refers to an interaction between three different things so there is an operator which could be a pen tester a red teamer or even a real attacker and there is a command control server and then at the bottom there is a malware implant running in some company network or you know on a victim computer and the way that this whole interaction typically works is the implant there at the bottom has a preset weight interval and it will wait for that number of seconds or minutes or whatever it is and once the weight is complete it will connect to the command and control server and it can do that through a variety of protocols typically we're going to use something like https but it could also be just http it could be dns it could just be you know raw tcp or udp it could be icmp right and there's lots of ways that you can get traffic from a computer to another across the internet and what it's going to call out to do is to ask if there are any new instructions and the way that the command control server gets instructions is from the operator so the operator there on the left they will instruct the command control server to cue up a new instruction that instruction could be to persist on the host it could be to execute some dynamic code it could be to copy it information out 
of the environment right to copy files or exfiltrate them off of the computer and so the next time that that implant calls out if there's a new instruction there it will execute it locally and then the next time it calls out it will include the results or the data retrieved from that instruction and so this whole process is is what i'm referring to when i say command and control now that being said there are there's another piece here that we can talk about which is a redirector and so the reason that a redirector is important and we'll kind of go over what that is here but the reason you might want a redirector is because as you can imagine maybe from a defensive perspective if an administrator or a blue team or whatever it may be identifies the ip address or the host name of that command and control server and blocks it now all of your implants are essentially useless they can no longer call out and get new instructions they can't send new data and so the operator has to essentially start all over because all of their implants no longer function and so a way to sort of make this an easier process is with this idea of a redirector so i have this graphic here at the bottom and you can see on the left there's the victim computer that has the malware running on it and instead of calling directly to a c2 malware server it will connect to this intermediate device and this is a redirector and so it will call out to the redirector and the redirector typically has some kind of logic to determine whether or not it should forward it on to the real c2 server or it should just forward it on to you know some other domain or something else and so in this case you know the malware might be configured with a certain let's say it's using https the malware might be configured with a certain http header and the c2 server exceeded the redirector server will determine whether or not that header has been included and if it has it will forward it to the real c2 server and if it has not 
it will forward it to, in this case, login.microsoftonline.com, but really it could be any normal site, or back to the company's site, or wherever you'd like this to go. The nice thing about these redirectors is that they are stateless: all they do is take in data and forward it to the backend C2 server, so losing a redirector doesn't necessarily mean that your implants are useless. Typically what you can do is configure multiple redirectors, so you could have a list of them on different platforms, including some of the platforms we're going to talk about, and once one of those domains is burned the callbacks destined for that redirector won't work, but once it reaches the next redirector in the list it will function. In something like Cobalt Strike you can set this up to round-robin through them, so it alternates through all of the other domains, or you could configure it to try the first domain for an hour and then the second domain for an hour. Most C2 frameworks have at least some kind of options like this. I'm going to talk mostly about Cobalt Strike because that's what I tend to use, but pretty much everything we're going to talk about applies to just about any of them.

So as you can see, the redirector here saves us the pain of rebuilding an entire C2 server and building new malware implants. All that we have to do now is make sure that there is a list of domains the implant can call out to, so that if one or multiple get burned it still has other ways to get out.

Let's talk a little bit more about these redirectors and their other value. I already mentioned they're stateless; there's no session data happening here. But the other thing that's nice about using a redirector is that they are less likely to be identified as malicious. If you stand up a Cobalt Strike server, for example, and you perform a port scan of it, you're going to see
whatever ports are associated with the listeners, and you're also going to see port 50050, which is the management interface. Finding port 50050 and performing just a typical service scan, you're going to quickly identify that that's Cobalt Strike. Even if you block that off, if you have the Cobalt Strike HTTPS listener running and you scan for, say, the JA3S hash, you can identify this server as being the Java backend for Cobalt Strike, and there are lots of online projects that scour the internet for the JA3S hash associated with Cobalt Strike server responses. If you connect to a Cobalt Strike listener with an invalid request, it's going to have a response that is not necessarily unique to Cobalt Strike but could be used to fingerprint it. When you put a redirector in front of your C2 server, now you can change all of these attributes. If I put a redirector in front of it that's nginx, for example, which is the first one we're going to talk about, all of the scanning of the server and all of the associated hashes and responses are going to be those of nginx, which is a very typical web server that a lot of websites on the internet use.

I've said a couple of times that we're going to talk about a bunch of different redirectors, but there are four attributes that I think make a good redirector, and we're going to use them to evaluate each of these options.

The first, and this is probably the easiest to meet, is that we want a redirector that resides in a country that our target company or business operates in. If we have a company that we're testing that does business in the United States and doesn't do business in South America, for example, we don't want to put a redirector in South America, because that IP could potentially stand out or it could be blocked. Pretty much any IT shop that I've worked at prior to Black Hills had geo-blocking on
their external firewalls that would block ranges of IPs based on what countries they were from, and also IPs that they received from threat intel feeds and things like that. So you want to make sure that the IP address you're using resides in a place that would seem reasonable for someone inside the company to be connecting to.

The next thing you want is some kind of transport layer encryption. Typically this is going to be TLS for HTTPS traffic, and this ensures two things. First of all, it makes sure that the malware traffic is harder to inspect, because it's encrypted, and so it requires one extra step for anyone monitoring the traffic to inspect it and potentially identify it as malicious. The other thing it does is protect the data that we're taking out of the network. We're interacting with a client or a customer from some business, and we don't want their information or files or data about their company being exposed to anyone who might be listening for that traffic. That's true even for real attackers, right? They don't want the data that they've worked to exfiltrate being exposed to anyone else. So there are lots of reasons to encrypt this outbound traffic whenever possible.

The third thing is that we want to have a valid SSL certificate. I mentioned that typically we're going to be using TLS with HTTPS, and in that case we want a certificate that is valid. We could use a self-signed certificate and the traffic would be encrypted, but self-signed certificates are inherently more suspicious because they're less common for internet-facing websites, and self-signed certificates that are generated by something like Cobalt Strike or your C2 framework could already be signatured in some way. So we want to make sure that our SSL certificate lines up with what typical websites that have SSL certificates look like.

And the final thing, and I bolded this because
it's probably the most difficult to achieve, and it's the one where most of our redirector options are going to fail, is that we want an inconspicuous domain name. What I mean by this is, when we're choosing a domain, I could go and buy kylesmalware.com, and kylesmalware.com is a fine domain except that it would stand out very obviously to anyone looking at the domains being connected to from their network. First of all, it has the word malware in it, which is already bad. But even if it didn't, it's going to have been registered very recently, which is suspicious behavior in and of itself, and on top of that it will almost certainly not be categorized, at least not right away, as a site that a typical user would visit.

When I say categorized, what I mean is that a lot of businesses have some kind of web proxy running, or at least a firewall that can inspect requests like this, and what it will do is look at the domain name that's being connected to and compare that to an open source or a paid threat intel list of domains and what categories they fall into. So a domain could be medical or financial or business, or it could be malware, or it could be gambling or adult sites, right? Companies will typically block things that they don't think their employees should be accessing. Most companies block hacking and gambling and adult sites, but some even block things like social media, depending on what their policies are. So if we just register a brand new domain name, it's going to get categorized either as new, which is typically suspicious, or, if the categorization provider is able to recognize that domain as malicious, they might even mark it as a hacking-related site. The domain name we use is often one of the easiest ways for an encrypted HTTPS listener or set of redirectors to get caught, because it might not even work right off the bat. They might
already have automated systems in place that prevent us from using that domain at all.

So let's jump into some of these redirectors.

Yeah, what's up?

Hey, spin your microphone around real quick. Put on this.

So I saw that. I'm pretty positive this is the right direction from when I set it up, but we can try it. It definitely looks very wrong when I do it this way.

All right, then we'll flip back. And I had a quick question here: does redirector equal reverse proxy, or is that something different?

So I'm actually just about to cover this, but basically a reverse proxy can be a redirector. Redirector is a more general term than reverse proxy, so not every redirector is a reverse proxy, but a reverse proxy can almost always be a redirector, if that makes sense.

Yeah, I don't know what you did, but your microphone sounds a little bit better. Let's keep going.

Oh, I turned it around and turned it back. It's the equivalent of turning it off and back on again.

So, like I just brought up with the reverse proxy, for a long time the most popular redirectors were reverse proxies, or rather web servers that can act as reverse proxies. I say for many years, but that doesn't mean that people don't still use these. I still use these, lots of people still use them, I just don't necessarily think they're always the best option, and you'll see why because of some of the benefits that are available from some of these other redirectors. But specifically, projects like nginx and Apache have either built-in or module-based capability that allows them to be a reverse proxy. What I mean by that is that they can receive some kind of request or traffic and, based on some rule set, forward it somewhere else. That is really the core requirement of the strictest definition of a redirector. It doesn't necessarily meet our ideal list of things, but it does meet the strictest definition. And so you
can run one of these on a VPS, so an AWS VM, a DigitalOcean VM, whatever it may be, near your target or in a region that your target operates in, which makes them fulfill that first bullet about residing in a reasonable country. But you are responsible for getting your own domain name and your own SSL certificate, and this is where these platforms fail, or not necessarily fail, but are difficult to use, because it requires you as the operator, or you as the pentest company, to have some set of domains that you manage, or at least domains that you submit for categorization and wait. There are all these hiccups that you have to deal with when you use these, but let's go over some of them a little bit.

First of all, nginx. This is probably the simplest to use because it does not require any additional module, and I think the configuration is a little bit more obvious than Apache, which you'll see next. This is a very simple nginx configuration. In this case, first it's going to try whatever path you connect at: it's going to look for those files in the current directory, or it's going to look for directories in the current directory that match that path, and if that doesn't match up at all it's going to go to the c2 block. The c2 block will pass all traffic to the team server IP, which you'd have to replace with the IP of your malware command and control server. It also won't verify the SSL certificate of the backend server, and it will add these headers to the request as well, just to show you some of the options that you can do here.

Now Apache is similar. It does require a module, the mod_rewrite module, to be installed to use this, but that's really not a problem, it's just one extra step. I've written a rule here, and you can see the rules are a little bit less intuitive, I think, but you can do approximately the same thing, so there's really no difference in terms of what is better or worse.
In this case, though, I have some conditionals. You can see lines two and three there. The first one, line two: if the request does not match either the purple or green paths that I included there, so the purple path, /some/path/here.php, or the green one, /different/path/here.php, if the request doesn't match one of those it will fail and go to that last rewrite rule, google.com. If it does match, it's going to check the second rule, which looks for that blue user agent in the request as well. You would configure this to match up with your C2 network profile; in Cobalt Strike that's a Malleable C2 profile, other frameworks have different names for it, but whatever you configure your malware or your implant to use as a URI and a user agent, you match those up here. Now when that Apache web server receives the request it will inspect it for these attributes, and if they match it will forward it to the team server IP, and if they don't it will forward it to google.com. So as you can see, pretty simple. There's not a ton of setup required for these, but again, you still need a domain name and an SSL certificate that you set up yourself. I'm going to have a demo in a few slides where I show you setting up an SSL certificate yourself for something else, so that part is really not that hard. There are some caveats that come with making your own versus using one that's provided to you, and I'll go over that as well.

So once we get past this idea of traditional redirectors, the next technology that came out was content delivery networks, and this is something you might already be familiar with even if you know nothing about redirectors, because CDNs are very popular for lots of things. So really what a CDN is, and some examples: Cloudflare is a very popular CDN, but all of the major cloud providers also have these now. The CDN is really just a collection of servers that are meant to
speed up the internet. What I mean by that is, let's say you're in California in the United States and you're trying to access a web server in New York. Typically you would connect, and each request would have to go all the way to New York, and every response would come all the way back to you, and there's one server that every user is communicating with and making requests to, so if the server is overloaded from all the requests it might be slower. What Cloudflare does is it has servers all over the United States and the world, and once you sign up it will cache your website at each of these servers, so that if I'm in California and I visit your website in New York, I'm actually going to be directed to the California Cloudflare server and I can interact with that for as long as the information is cached. If there's any reason for me to need new data, that server will reach out to the New York one itself and get the data, instead of me having to request from two different IP addresses. So this masks the IP of the original server and frees it up to not have too much load because of the caching.

As you listen to this, hopefully you're thinking that this sounds a lot like a C2 redirector as well, right? If we disable the caching feature, which almost all of them let you do, now it is just a set of servers spread geographically that, when you connect, forward traffic to the original server and then retrieve the data, and they don't expose any information about the backend server. The other nice thing, and we'll talk about some examples here, is that a lot of these CDN services even give you a free domain or subdomain, and some will even give you an already set up SSL certificate. So when you use a CDN for your command and control redirector, you save a ton of time and effort because you're provided all of that already.

Now, before we can talk about some
examples, I want to touch on this idea of domain fronting. Domain fronting, which you may be familiar with, is a variation of using a CDN as a redirector, and this is a technique that was very popular for some time and I think has mostly fallen off now. There might be people still using it; I personally don't. Domain fronting in particular is a technique that has been largely mitigated by either the vendors of the CDN platforms or by security products. The way this works, it takes advantage of, I wouldn't even necessarily say a bug, but really just a behavior of how content delivery networks work. What happens here is you make a request to some site that resides on a CDN. Let's say google.com, and this is not true, but let's say google.com is on Cloudflare as their CDN. Let me back up: you set up your kylesmalware.com as a redirector in Cloudflare as well, so now you have Cloudflare running kylesmalware.com and it's also running google.com. There is a potential that you could configure your implant to connect to google.com in an encrypted session, but when the Cloudflare redirector decrypts that HTTPS traffic it will see the HTTP Host header as kylesmalware.com. So the company that is analyzing the traffic, unless they decrypt it, will only see google.com, but when the traffic arrives at the CDN endpoint it will forward it to the correct Host header, kylesmalware.com. When this first came out this was a very popular technique because it was able to totally bypass a lot of controls, and almost all of the major CDNs allowed you to do this. But since then a lot of the CDNs have either fixed this or have started to monitor this type of behavior very closely. I believe Azure is one that you can still technically do this on, but as soon as they detect you doing this they will shut down your subscription or your account and will totally burn your redirector, basically. And so
domain fronting is one of those things that was very effective, but I don't think is probably a great idea anymore. I wanted to touch on it here because it's so closely related to CDNs.

Now let's talk about some examples of content delivery networks that are, in my opinion, a viable C2 redirector option. The first one here is Azure. The Azure CDN is really great for two reasons. First of all, you get a free domain, any name you want dot azureedge.net. So if I'm targeting Kyle's Tool Shed, I can get kylestoolshed.azureedge.net as long as that isn't taken, and now it's a domain that looks like something the administrators might expect to see. Maybe we can even match it to a vendor or some product that we think they might use, right? Remember we have a lot of options here since we can specify any name. And there is already an SSL certificate provided with this from Microsoft, so when you look at the traffic and inspect that certificate it's going to look very legitimate, because it is, and the domain name is not going to look malicious as long as you choose a name that seems reasonable or doesn't look malicious to the client. The configuration for this is pretty straightforward. They have a whole GUI that you can use; it's just kind of a next, next, next. You plug in your domain, you give them your DNS information.

Now, the one major downside of this that makes it really not a super viable option these days is that Microsoft has gotten very good at shutting this down. I've had this happen, and I know lots of other people who have experienced the same thing, where they have an Azure CDN redirector and halfway through their engagement Microsoft notices and kills their entire subscription, and now that resource is gone, as well as anything else you had on that subscription, potentially. So this is an option maybe if you have a very short op running, or if you think you can obfuscate it in a way that Microsoft wouldn't detect, but I tend
to stay away from Azure CDN these days as well.

The next CDN here is Cloudflare. I already mentioned Cloudflare; they're probably one of the biggest names in this industry, and they will give you a valid SSL certificate, but you have to bring your own domain name. So to me this doesn't give you a ton of value over those nginx or Apache redirectors, especially when you consider that Cloudflare is attempting to shut this down as well. So Azure and Cloudflare CDNs, I don't think, are great options.

But the next option, Amazon CloudFront, is a pretty viable option. AWS is another one that gives you a free domain, and it is a subdomain of cloudfront.net, but you don't get to choose the subdomain name; you're going to get a random name created. I actually stole this image on the right from a Black Hills blog about using AWS CloudFront, and you can see there the kinds of domains you're going to get; it's just an alphanumeric random value. On the left there I just took a screenshot to emphasize how important that caching disabled option is. Now, Amazon CloudFront will also give you an Amazon-signed SSL certificate. The only difference between this and something like the Azure CDN is that your backend server has to have a valid SSL certificate for this to work, and I'm going to show you what that looks like in our demo on the next slide. From my experience, the AWS CDN, or the Amazon CloudFront offering, has been the most lenient. I've never had one get shut down. I would expect that if you as a company reached out to Amazon and said, hey, we see this C2 traffic, they would probably shut it down, but unlike Microsoft or Cloudflare they're not actively searching for those to stop them. So this to me has been a pretty solid option, because it gives you the domain name and it gives you the SSL certificate. The only small problem is you can't choose the
domain name yourself.

So this is my first demo here, and we're going to set up a very basic example of AWS CloudFront. I'm going to show you me requesting an SSL certificate and how it looks beforehand and afterwards. For this example I have an EC2 instance, which is just an AWS VM, and it's running here at that IP address. When I look up demo.winpostx.com, which is sort of my not-so-safe domain, it's pointing to that IP address, and if I load demo.winpostx.com it loads the nginx splash page. When I load this CloudFront address that I created, it also loads the splash page. Let me pause this here, it's a little fast. You can see here on the third tab I try to go to the HTTPS site of that CloudFront domain that I created and I get a 502 error, and the reason for this is that there isn't valid SSL running on the backend nginx server. So what I'm going to do here is go back to my VM and use certbot, which is a tool from the EFF, it's totally free, and I'm going to use this to request an SSL certificate. For the domain name I'm actually going to specify the CloudFront domain. This is something that my coworker Steve discovered recently: you can pretty much do this for any of these CDN platforms and it will request a certificate, so even if they somehow found this backend certificate it would still match the CloudFront domain. Then when I go back to the CloudFront page it loads correctly, and you can see it's verified by Amazon, not Let's Encrypt. That's kind of the key there: the certificate is still being provided for *.cloudfront.net, and that still allows it to apply to my domain once I have that valid SSL certificate on the backend.

All right, moving on. Let's talk about some other cloud services. I mentioned AWS, Azure and other cloud platforms have CDNs like this, but this isn't the only service that they offer, right? Many of these cloud platforms have a
serverless offering, as they call it. The way this works is you give them the code for your application and they manage the server, whether that's nginx or some other web server that they're managing, and they're just running your code on it. That's nice because they can turn it off when it's not in use, and there are all these benefits for developers for using that, but from our perspective it's nice because it's essentially just a different way to do the same thing that they may not be looking at as closely. Azure, Cloudflare and AWS all have serverless offerings. We're going to specifically talk about Azure and Cloudflare. I haven't looked much at using AWS Lambda myself; I'm sure that it would also work in a similar way, but I just haven't tested it. Azure and Cloudflare will both give you free domain names in this case too, and Azure will again give you that free Microsoft certificate.

The first offering from Azure is called Azure App Services. This is a service where you give it your code, and you can select a variety of languages. Unlike some of the other options, they give you a huge dropdown of any kind of programming language you want to write your code in, in this case your redirector code. And the service can be used totally free. As an attacker, it kind of gets annoying spinning up all these cloud services and paying for all of them; the free tier of Azure App Services is more than sufficient for all of the operations that I've done, anyway, and at least those of the people I've talked to about this. So this is kind of nice because you're not going to pay for really anything to use this service. There is a person on Twitter, @bashexplode, who wrote this GitHub project, CS2WebConfig, that's linked in the slides, or you can Google it, and this is a tool to automate this setup for Cobalt Strike. It generates all of the code based on your Malleable C2 profile so that it will
filter based on the paths and things like I talked about in the nginx and Apache section. But for our demo we're just going to do something really simple. Once again we're going to have it just redirect to a web page so that you can see how that looks.

This is me in the Azure portal, and you can see I'm on the App Services page. I know it's a little tiny, hopefully that's somewhat legible, but basically what's happening here is I'm creating a new web app. In the center box I'm going to type whatever name I want, in this case c2-demo-bhis, and that is the domain I'll get. I'm going to select .NET 5 as the programming language, and then on the right here I'm going to choose the free tier instance for this example. There are a couple of other options that it asks me about; I just disable all of the logging and things because I don't care about that in this case, and finally it's going to start to spin up. The important thing to remember here is that we're going to get c2-demo-bhis.azurewebsites.net, as opposed to azureedge.net on the CDN, we're going to get the Microsoft-signed certificate, and anyone connecting to this endpoint will not know anything about the backend server. So it really does protect, if configured in a correct way, our backend C2 server. The next thing that I'm going to do once this finishes loading, they have a sort of web-based text editor...

Two questions coming in.

Oh yeah, sure. Yeah, we're actually, like, I'm kind of...

Oh, what about GCP?

GCP, Google Cloud Platform, that's not one that I've experimented much with. It could be a good option; I really don't know.

I was just kind of cueing you that when you come to a breaking point, is this a good spot?

I'm kind of waiting for this to deploy anyway, so it's not a problem.

All right, so how can a redirector be configured to determine which is malicious traffic and then redirect? I'm assuming a redirector could be functioning as a defense.

Yeah,
absolutely. The conditional rules that I touched on a little bit can be extended quite a bit. So you could say this HTTP user agent has to match, it has to have maybe some specific unique header that you add as well, something you come up with that probably wouldn't match anything else. You can have it match specific source IP addresses so that it can only come from the target environment. Pretty much anything that you can imagine as a parameter of the HTTP request that you're receiving, you can use as a key, and if it doesn't match, you can forward it somewhere else.

Excellent. And here's one that may be an outlier: do you have any tips on how to bypass Microsoft E3 or E5 for a spear phishing test on a red team?

I don't have anything specific off the top of my head. As far as phishing goes, this is almost exclusively meant for malware command and control and data exfil, so some of these could be used for phishing, especially the ones that grant you domain names and things, but that's not something that I really plan to cover in this.

All right, back to you.

Cool. So once this deploys, you can see here they've got the App Service Editor, and this is just a web-based, it's not even an IDE, it's really just a text editor. Once this loads, you can see, okay, I get to this page, and I think I need to go to the next demo. Yeah, so once this loads, the first thing I'm going to do here is paste in this boilerplate config, and I'm going to pause it here and explain what that is. This is the bare minimum IIS configuration necessary to redirect something, or, excuse me, to write a rule that we're going to use to redirect something. There are these setup tags, but the key is that innermost set of rule tags. I'm creating one rule in this case, and it's going to be called "redirect all traffic", and once it hits this it's going to stop processing, so it won't look at any other rules. But as I'm going to
add to this is an action, and the type of the action is going to be rewrite. So we're going to say any requests that come in, I want to rewrite the URL to be demo.winpostx.com, and I also don't want to log the rewritten URL, because again I don't really care about having logs in this case. So once this is done, now I can go and load the c2demo... oh actually, I take it back, there's one extra step. This applicationHost.xdt is something that I am directly copying and pasting from that CS2WebConfig project. It's just a general reverse proxy configuration that you need as well, and this is the same for Cobalt Strike or any C2 you use, but I'm just pasting that in from their repo directly, and I'm moving it up one directory as they instruct in the repository. They have really clear instructions for setting this up start to finish. Once I get that all in there, I can restart my App Services resource and browse to c2-demo-bhis.azurewebsites.net, and you can see I get my nginx page, and if I look at the certificate it's verified by Microsoft Corporation. This is something, again, I've had really good luck with these staying online for a very long time. This isn't something that is going to get taken down quickly like the CDN does, at least right now. Microsoft may shift their focus to it if it gets more popular, or if they get to that item on their list, but this is not something that right now they're really working on stopping.

So moving on, the next serverless offering that we can talk about is Cloudflare Workers. Cloudflare Workers are very similar to Azure App Services and AWS Lambda. They only support JavaScript code, unlike those options, so you have to write a JavaScript redirector, but that's not really a problem. They will give you a domain, but it's a little bit different. In this case you first create a subdomain of workers.dev, so you'll see in my demo the subdomain is going to be c2demo, so I
have c2demo.workers.dev, and then each JavaScript worker that you want to run has to have a subdomain of that, so the actual domain that the malware will be pointing to in our case would be testing.c2demo.workers.dev. A little bit more wordy, but at the end of the day it's the same result. Now, you do have to request an SSL certificate for the backend server, just like you did with the Amazon CloudFront offering. Actually, I take that back. In this case you have to request the SSL certificate on the backend server, but if you try to specify the workers.dev domain name, Let's Encrypt will fail. So the one downside of this is that there is a potential that the backend domain name could get exposed by investigating the worker, and that is not true, I don't think, of the Azure App Services offering. Now you could combine this with something like Azure App Services right behind it, or with a traditional nginx redirector, to obfuscate that further, so this isn't really a deficiency, and I can't say I've ever had someone inspect the SSL certificates to find backend domain names. I'm not saying it's not possible, but this is not something that I'm seeing clients do very often, or at all really, in my experience. So something good to know, but not necessarily a deal breaker. There is a great blog that I linked in the slides, again from Alfie Champion, and it tells you how to set this up for Cobalt Strike specifically, and you could probably apply that to just about any command and control framework you want. His blog does not have any kind of rules like CS2WebConfig does, so it will just forward all traffic as far as I can tell, but still, it's a setup for Cobalt Strike, it'll get you a redirector.

So let's look at this demo. On the right here you can see my subdomain is c2demo.workers.dev, and I'm going to set up testing.c2demo.workers.dev. Oh, thank you, Deb, that is exactly the blog. Once this has been
created i can open quick edit and it's going to have some hello world code i'm going to just clear that out and i'm going to paste in and this is again from alfie's blog just the sort of bare minimum code required to redirect traffic and so that first line that i'm editing is where you put the original url in this case testing.c2demo.workers.dev and the second line there is where you put the new url in this case https demo.winpostx.com and once that's done i'm going to deploy it it's going to post it at the correct url and then if i grab this domain and i go and open it i'm going to get first the hello world because i have to refresh but then i'm going to get this invalid ssl certificate and this is because the backend server does not have an ssl cert and so what i'm going to do here is go back to my terminal and i'm going to use certbot to request a certificate for demo.winpostx.com and so you can see okay i'm going to request it for demo.windpostx it's going to successfully deploy and then if i go back and load this page it will work correctly now let me show you because i mentioned that you can't request for the workers thing so i sort of reset this i got rid of that search actually no it's still there i ignore that but i'm going to go here and request a certificate for testing.c2demo.workers.dev and if you try and do this like we did with the cloudfront domain you can see i get some errors here and there may be a way to fix this i really haven't spent that much time on it but this is definitely an issue how would you be able to find the backend domain name on an azure cdn um that is a good question comcast really there isn't an easy way to do that the the only way that i can think of and there may be others but the only way that i can think of is you would have to sort of try and replicate the c2 traffic so that it matches the rules set up on azure cdn whatever those might be and once those rules have have been set up you might be able to get traffic through to 
the original and then perform some kind of analysis but you're not going to be able to look at ssl certificates you're not going to be able to do some kind of domain lookup or something and so typically it's pretty difficult to find servers that are behind redirectors not to say that you can't but that is definitely a sort of challenge and that's sort of the purpose of these right is it supposed to at the least make automated discovery really difficult but in a perfect world make even manual discovery really difficult because we don't want the backend c2 server being discovered now that being said if you reach out to microsoft for example and you tell them that this azure cdn looks like malware they might tell you what the back end is or at the very least they might shut it down and so i think that's probably your best course of action depending on how much time and resources you wanted to put into discovering that all right my last topic i want to cover for today is dns over https and this is something that i recently wrote a blog about for black hills and it's something that i and a couple other testers at blackfields have been using and i think it's a really good option so dns over https or doh is sort of the abbreviation i'm going to use there this is a protocol that's been out for some time and i just haven't seen it used much in the offensive space i did a bit of googling and the only instance of actual malware using this that i could find was from 2019 and it was one example that they were using this for but other than that i don't hear much about it so this wasn't something that i really knew how to use for cobalt strike for a long time until this very awesome tool called titan loader came out so tight loader is a tool from a guy named austin hudson he's someone that i absolutely recommend you you follow and look at any tools that he puts out because he's just really smart but what titan loader does well it does a lot of things but what what the titan 
loader that he put on github does out of the box is it replaces traditional dns queries in cobalt strikes specifically to be dns over https requests now if you investigated this a bit you would see that his code there you could use that in any other c2 framework it's not necessarily specific to cobalt strike but the implementation that he posted will only work with cobalt strike and so because of the the way that the loader is sort of integrated into global strike timeloader itself only works with that c2 framework but again you could sort of repurpose that same code in that repo for another framework if you wanted now dns over https is is great for a few reasons first of all it gives us an existing domain name right not even a subdomain but an existing very valid very well known domain name and a valid ssl certificate and on top of that we don't have to register we don't have to make any accounts we don't have to tell the dns overhp server anything about us it's just going to go there and so there is basically no way for them as a provider to shut this down the only way that i see this being easily blocked is at the company level so if the company you're testing decides okay we don't use google's dns over https for example we're just going to block it that is definitely an option because that is the only thing that domain does if you don't need 443 to 8.8.8.8 you can block it and then this no longer will work that being said a lot of browsers use this by default so if you have google chrome it is probably using dns over https if you have firefox it's probably using dns over https even if you don't know because that is the default configuration in those browsers um as far as i know and so you you your company are probably allowing it and probably in a position where blocking it might break a lot of functionality not something you can't fix but it's also not necessarily an easy fix for everyone to do and so the the only real downside because from my testing i 
haven't found any companies that block this yet it's been limited but you know so far at the small sample i've tested this and it hasn't been an issue the the biggest downside here is the number of traffic excuse me the number of packets required to do the same thing so a dns a request even when wrapped in https is still a dns request and even a text record lookup has a very limited body of space that you can put information in and so to to conduct the same operations between um dns and https you're gonna need a lot more packets of dns typically to get the same information out or you know the same data out and so dns over https is not a channel you're going to be transferring gigabytes of files over because that just doesn't make sense it's it's it's too much data for this but it's definitely a good backup um it's definitely a good channel for just general operations right if you're just executing commands and and you know persisting and things this is a great channel for that and it's just so different from your traditional https that maybe it's less likely to get caught or less likely to be associated with your other redirector code now um the default time loader that got linked from austin it will beacon to dns.google and i have a screenshot there at the bottom left you can see that's where he specifies it and that is going to be 8.8.8.8 or 8.8. 
8.4.4 depending on what resolves um but austin's implementation is generic enough to really support any dns over https server that i tested so i have four type loader and in the main branch there you can see on the right that and that's a screenshot from my fork where i hardcoded in a list of dns over https servers and in in this case i have dns.google dns.quad9 the mozilla cloudflare the normal cloudflare the cisco opendns and the hurricane electric or dns and what my fork will do is just randomly select one of those each callback so that it's sort of different but you could specify just one there and have it be a different one or you could specify a smaller or larger list i believe in there i have a comment with a link to a page with just dozens of those servers and so you could select any of those to use depending on what you think would be most likely to get out because of the company if they know about dns over https they might be blocking dns.google they might be blocking cloud 13s but they may not be blocking hurricane electric or they may not be blocking cisco opendns because maybe they're just less familiar with it or you know it's not something that they considered when they were setting up those blocks and so the problem with the solution of just blocking every dns over https server is there are lots of them and new ones come out all the time that you could use and so it has a potential getting blocked but like i said i've been able to use just dns.google pretty successfully and and even that doesn't seem to be blocked very often and you can use all these other servers so you have lots of options there so let's jump in i want to give you a quick demo of using titan loader someone asked me about xero tier and this is one of those like sort of vpn based networking things i believe i have not experimented too much with those uh marcelo bike leader who used to work at black hills he had a blog very recently of using not zero tier i don't think but something 
similar where he set up this sort of c2 you know a configuration using that i think that you're still going to run into the limitation of domain names and ssl certificates it just sort of makes spinning up lots of redirectors easier so i think that's something that you could use in conjunction with some of these techniques but i can't really say so this is going to be my demo for tight loader so you can see i've got the the titan loader repo of the official one here that we're going to use and i'm just going to go ahead and hit not play it's not playing okay there it goes weird um so you can see there's no readme here which is a bit intimidating but it's really not hard to use so all you have to do is go ahead and clone that repository so you download all the files and you cd into this repo and we're going to run make which will build the necessary files and if you're missing some command that the makefile requires it will just tell you it's missing the command and then you can install it and try again i think it requires mingw and nasm and there's maybe a pip module you need for python but once this is done you'll get some files here there are exe files and bin files and o files the o files and the exes do do not matter the only output that you need is the dot bin um there's an x64 and an x86 and there's also an aggressor script cna so the aggressor script is what you're going to import into cobalt strike and it will use those bin files so the exes are not relevant i've had some questions on twitter uh about this where people ask me hey i ran the xe and it doesn't do anything the xz is not meant to be a standalone executable that is just sort of an intermediate so we build those files i'm going to show you here my dns server https excuse me my my typical dns cobalt track listener is here and you can see i'm pointing to dns.winpostx.com there's really nothing special i created this just like normal though and then once i save this all i have to do is import the 
titan.cna script and once that's imported any beacons or shell code or exes or any payload that i generate from cobalt strike will use dns over https instead of dns so it's really that simple now i export in this case just an exe to keep it simple um i'm going to leave that open there and i'm going to open up wireshark i have some filters here that just sort of clarify the output but um you'll kind of see what this looks like here in a second i'm going to run my on my beacon and i'll just pause this you can see all of the the outbound traffic is destined for 8.8.4.4 and it's all going to port 443 and it's tls encrypted and so the end result of this is now you're using a dns beacon just like you would normally there's not really any difference in your workflow if you've used those before but all of the traffic is going to be encrypted and going to in this case 8.8.4.4 instead of going to whatever dns server the host has so quick recap before we end and i kind of color coded this and this is just my opinion obviously the color codes aren't an objective thing but the the i think best options are going to be azure app services and that's because that includes a subdomain and a certificate and it's unlikely to get shut down at the moment and then dns over https which is slower but you get the free domain and you get the free certificate so i think it's also a good option if you need additional redirectors or if those won't work for some reason i think the aws cdn and cloudflare workers are probably your two next best options both of these will give you a subdomain and they're both unlikely to get shut down so they're both pretty decent options after that i would say the traditional reverse proxy something like nginx or apache is the next best thing it does require you to get the domain name it does require you to get an ssl certificate but it's almost certainly not going to go down so that's a good feature there at the bottom i have azure cdn and cloudflare cdn i i 
really prefer not to use these if i can because it's almost certain that they're going to get shut down during the operation and in the cloudflare case i have to also get a domain name which sort of defeats the purpose anyway so with that um that's pretty much all i have uh a quick i guess you know blurb about my class and then we'll go to questions at the end of january i'm teaching the next round of windows post exploitation i think it's been linked in the chat already but it's going to go over enumeration persistence privilege escalation and lateral movement basically everything once you get your initial access to an environment how do you go from there to your objectives we're going to go over different tools we're going to use open source tools we're going to write some tools and you can see i've got the link there um to win postx.com we'll redirect to the anti-siphon page so with that uh cj are there any questions or yeah i think there might have been some confusing when you're saying best you're talking from the attacker perspective yes i'm sorry all of the things that i'm talking about are definitely from the offensive perspective so when i'm saying green like that means the most difficult to catch or the most unlikely to stop working during your operation whereas red will be the the least likely to work for a long time and will require the most work and so they they want to know what's best defenses and they talk about who are the vendors innovating in that space i think from the defense perspective you pick those ones in red yeah i would say microsoft is probably one of the better ones i mean obviously the azure app services still works but the the azure cdn is definitely um pretty pretty hard to use and cloudflare as well their their cdn is definitely hard to use and it doesn't give you a domain anyway so you got something chase uh i'm looking uh mainly like kyle i asked you one time do you have stories from your class and you're like no i just teach um 
so when it comes to like the class that you have right here is a lot like what we just covered and like interacting with discord yeah yeah so so my class is basically a a mix of a lot of just sort of information dump and then we do labs so the information dump i mean as you've probably noticed i put a lot of information on the slides and i like that so that later you don't necessarily have to re-watch me say it all you can just look at the slides and have everything you need and so i try and go over as much information as i can possibly tell you in the time we have possible and then once we've gone over some different topics as kind of a break we jump into a a lab and i'm just going to kind of share my screen and go over it and we're gonna you know write some tools we're gonna use some tools and it's it's definitely interactive i set up a whole kind of active directory environment uh in aws and i have c2 for everyone to use and so there's lots of opportunities to try things and ask me questions and you know just have have a good time i i have a personal question from so how often do you does your c2 get caught and when it does get caught like what does that do to the rest of your test sure so i would say from a network perspective it really depends on the customer right if you use things like azure app services and dns over https the c2 is not going to get caught by by vendors at least not currently they aren't really looking at the even cloudflare workers and aws cdn your things aren't going to get shut down so the only chance for them to get shut down is by the client and that really depends on you know a the type of engagement that we're doing if it's a covert operation it's it's definitely more likely because in an overt operation they're not trying to shut down our domains typically and then just kind of the maturity of their program right if they have a team of people that are looking for those kind of things then yeah i mean they're typically pretty good at 
noticing of abnormal domains especially ones that many hosts are calling out to at some interval um from from active counter measures right they've got the ac hunter product which is specifically made for catching any of these things because its whole purpose is to look at the sort of frequency of traffic not not the the domains and the ssl certificates and all of those things and that's where you have to be a lot more creative is when the environments are looking for that kind of behavior as opposed to just looking for domains um so see i'd say it really depends so is edr effective sometimes never often so edr isn't really a factor for this portion right you still have to get malware running which is where you and like the operations that your malware is taking is what malware is looking for but the beaconing itself i don't think there's many endpoint products that are necessarily trying to stop that i mean i'm sure they have some signatures for it like if you maybe have unencrypted traffic that's known they may stop it but if you're taking any kind of precautions i don't think that the endpoint measures are going to be where they're getting you what else talked about the defenses someone asked about the doh i missed the acronym h yeah yeah so so doh is dns over https and i think somebody already linked my blog post about it which doesn't give you a ton of background on the protocol but at least gets you up and running with using it as an attacker and i mean it's a pretty well documented protocol so if you're just curious about how it works you can definitely google for the the you know rfc about it or any other kind of pages about it what else kyle what are you planning to do for christmas uh my parents are in town actually so i'm i'm probably gonna go see them later today awesome well we're coming up to the end of the hour so if you have any questions feel free to ask them we might stick around for a few minutes of extra but if not thank you so much for joining 
us for today's black hills information security webcast with kyle every about modern c2 and d exfiltration if you ever need a red team threat hunt and if you're considering to you know get a sock or change your sock in 2022 you can always contact us about that we have what's called an active sock what that means is we are active we're not passive anything final thoughts kyle no yeah thank you guys all for coming all right all right everybody uh cj do you have any questions that you want to ask as we if we go in after and wrap it up and we'll go to post-show panther all right everybody thank you so much for joining us here in 2021 if you joined us before today thank you so much for coming back today was your first time we do this all the time we'll see you in january of 2022 and with that that is finished we are now what's called post-show banter where we just stick around for a few minutes and go hey kyle great job uh you're microphoned better throughout um but uh i don't know how i don't know what it was yeah um there was definitely someone on the team that for almost a year we just couldn't figure out what it was and it was finally like what do you see when you look at your mic and we could tell that it was backwards and so all of a sudden they flipped it around i was like that was it was it but i don't think that was the problem that you were having yeah my microphone like i mean i can't show it to you but if i flip it around it it definitely looks wrong like it's not the right it's not the right direction um it might be a little bit that you're standing up and you're a couple feet away from it instead of right and directly because it's picking up the top instead of yeah help it a little bit better maybe i don't know and deb the deb confessed that it was her that is correct it was deb any experience with f-secure mwr labs c3 um so i have played with c3 that's a sort of next so if i was going to add more slides to this that would be the kind of thing i would 
cover so c3 is basically a collection of other protocols that you can conduct command and control over so they have i believe slack is one or um i'm sort of blanking ldap and there are all these like sort of like web and other protocol based services that you can use so the slack one is a good example you give it a slack token and it will write the data to a slack channel and then the c2 server will read that data from the slack channel and so from the the network's perspective all they're seeing is connections to slack and if you use slack that's very hard to mark as malicious the problem with c3 is that the setup is quite cumbersome so you basically have to have your your malware implant running and another program running but it's like the sort of c3 proxy type thing and your your malware implant will connect to that and that will connect to slack or whatever you use and so i haven't really spent much time looking at obfuscating those in a way that would bypass endpoint defenses um because that would certainly be required and so i think it's a really good idea like if i could easily use teams or slack or one of these you know internet type sites as my c2 i think that would be a really good option and you know wouldn't be subject to the slowness of dns over https and you would get legitimate domains and all these things it's just there's not really an easy or or necessarily practical way to do that with existing frameworks right now our c3 is a good example but it's i don't think it's very operationally useful from at least not for me a ton of interest in uh measures and it sounds to me like you said look it requires a mature organization that's doing a lot of things well to catch it right i think if you're specifically relying on catching malware from the domains it's connecting to you're you're probably missing a lot more um that is a and that is something to look for and if you have a web proxy that categorizes domains and you have you know i don't know 
vendors that in this case like microsoft will try and prevent that that's a decent measure and will stop a lot of things right a lot of attackers are just going and buying domains and using them and they're very suspicious looking they're categorized as hacking but if you don't have a web proxy it's going to get by anyway but beyond that i think there's just lower hanging fruit to look for you still have malware running on a computer taking actions right and i think that that's going to be easier to detect than the beaconing to a domain a lot of the time now that being said i mean there's still products like ac hunter and i'm sure there are other things too that do that that i think are very effective against any of these um not not impossible to get around right we saw the solarwinds thing would begin once a week at first which i don't think ac hunter would see but again that's just one more measure that requires an extra step for the attacker to think of and so anything that you can do to build up those layers of things that they have to consider and get around i think you're more and more likely to catch them at one point even if it's not the c2 domain it might be something different yeah hey kyle have you ever used because i've heard this using uh mail a as a channel but kyle have you ever used google i'm not sure what they're talking as a proxy to exfiltrate data um i haven't i've seen some some uses of so google has google scripts which is sort of another serverless offering and i know that that's something that some people use so that's an option i've seen some posts about using like google docs or something for phishing but i don't really know too much about that off top my head but no no i haven't used any of that myself and the experience with c2 over public services such as spotify or youtube right so that's another one like the sort of c3 conversation that stuff is really cool and hard to detect but at least with the tools that i have that's not 
something that that is super practical at the moment i would like to do that but but it's just not something that i've had the time to do myself and there's not really public tools that do that a quick question for the audience is that tomorrow if you're in the baltimore dc delaware area on uh december 17th at 3 p.m we're meeting at heavy seas brewery so if you're part of the black hills community and you want to come out and join the rest of the people from the black hills community in the area come join us or let us know in the go to webinar or discord where you would like us to go next so we're our plan is to visit cities where you are and then bring you all together and i know there's covid and i know there's things and we'll do it as it's safe um but uh just let us know where would you like us to come to and we'll go there you're gonna get about 1 million or let's see at this point you'll get 375 answers here right although some people likely love the same things do you want to go to austin kyle's there awesome oh we're going austin for sure that's one of my favorites yeah san antonio we're going to san antonio too so we'll see you there kyle oh hey yeah that's even better yeah tampa we got lots of folk in tampa yeah and that seems like a good next one maybe there's a lot of black hill people there yeah tampa for sure i think here's a good one what would you use to practice this at home like don't try this at home folks no yeah i mean so really all you need is a c2 framework and a vm to run the malware in and then you can set up these cloud services um i already mentioned azure app services and cloudflare workers are free dns over https is free you might pay a couple cents for the aws or azure cdns and you might pay a couple of dollars a month for running an nginx box in aws but all of this you could do for for a very small amount of money or free in some cases and you could totally do this just with one vm at home it really doesn't require a ton of setup to 
try this out and see what it looks like and galen says madison south dakota galen just come to wild west hack and fest come on bro you're you're in the neighborhood just come on over you probably have uh matt wants us to come to kansas city we like that san jose hmm a little more difficult california thing yeah uh extreme paper clip says we need tour shirts yeah i think uh once we figure out what cities we'll come to we'll make some tourist shirts that'd be awesome i'll be a roadie all right everybody i think that's it for today thank you for joining us on this black hills information security webcast you know where to find us we do this quite often but we'll see in january of 2022 that's it everybody good all right cool all right bye everybody the webinar great job kyle thank you [Music]
Info
Channel: Black Hills Information Security
Views: 2,039
Keywords: Black Hills Information Security, BHIS, John Strand, Information Security, Infosec, Red Team, Penetration Testing, Pentesting, Pentester, Hacker, Hacking, Hackers, Ethical Hacking, Blue Team, Cybersecurity, Digital Foreniscs, DFIR, Incident Response, Incident Handling, Windows Logging, Sysmon, ATT&CK, Kill Chains, BSides, Security Weekly, Wild West Hackin Fest, WWHF, Honeybadger, ADHD, Cyber Deception, Active Defense, Active Countermeasures, Docker
Id: Dyh9gKzc_fU
Length: 98min 41sec (5921 seconds)
Published: Thu Dec 16 2021