Brian Fehrman //
Someone recently posed a question to BHIS nearly creating C2 channels in environments where heavily restrictive egress filtering is being utilized. Testers at BHIS, and in the industry equally a whole, routinely come across this type of scenario. BHIS strongly encourages the apply of egress filtering. Every bit with many other security approaches, however, information technology is important to realize that this is just one piece of the overall security puzzle.
At that place are multiple ways to get effectually heavy egress-filtering (thanks to Beau for the links and insights in this department). In some cases, tools such equally ICMPSploit [one] can exist used to create C2 channels using the ICMP protocol. DNScat is a well-known tool that utilizes DNS requests and responses for C2 traffic. For this blog, nosotros are going to focus solely on environments that are simply allowing web-based traffic in and out of the environment. Nosotros will identify an boosted restriction on this scenario and assume that the environs as well uses web-proxy filtering. Information technology’s becoming more than common to meet companies not only block known bad sites just also block access to sites that have not received a categorization (eastward.m., Shopping, Financial, Sports, etc.) Even in this blazon of environment, there are numerous means to constitute C2 channels. Some of the methods include leveraging Gmail [ii] and Outlook . Domain-fronting via CDN services is also becoming increasingly pop .
I would like to focus on a web-proxy filtering bypass method that is known as domain-categorization have-over (thanks to harmj0y for the thought). I will walk you through the process of getting your own categorized domain and talk most some of the ways yous can employ it.
The showtime step is to find a recently expired domain that received a “good” categorization before it expired. The idea is that if you re-register a domain shortly later its previous owner failed to renew it, the categorization that was given to that domain will remain intact. How practice we go almost doing that? Easy!! Head on over to the site located at https://world wide web.expireddomains.cyberspace. Now, y’all can use this service without signing up for anything. I suggest taking merely a few minutes to sign upwards for a free account. With a registered account, you are afforded access to a lot more content than you practice if yous just browse anonymously. Afterwards logging in, you should run across something like to the screenshot beneath. I’ve highlighted the main area of interest. Click on one of the domain suffixes (eastward.chiliad., “Deleted .info Domains”). The .com sites will likely be the most expensive to register. I typically get for .info, which tin commonly be bought for about $1/year.
After clicking a Deleted Domain suffix, you will be taken to a page that shows recently expired domains with that suffix and a lot of information to keep with it. What does all of it mean? Well, I volition talk nearly what I feel are the almost important statistics. First, click on the “Show Filter” option.
The first thing that I like to do is to cheque the “no Adult Names” box. We don’t pass judgment here, but web-proxy filters sure exercise! Adjacent, I check the “only available Domains” box to ensure that domains that are currently registered do not announced in the list. The last change that I brand is to select the “SimilarWeb Top Land” to be the state in which my target resides. This tin help to reduce the suspicion of web-proxy filters. One time you’re satisfied with the filter options, click the “Apply Filter” button towards the lesser of the page.
Next, click on the “SimilarWeb” heading to sort the expired domains by their SimilarWeb ranking. Essentially, the lower the number the more “reputable” the site. Once I’ve practical the sorting, I showtime clicking through the SimilarWeb rating for the domains until I find one that has been assigned a category. In this case, clicking the SimilarWeb link for gtavdata.info shows that this site was categorized every bit “Reference->Maps” site. Seems innocuous plenty for our needs!
Now that we’ve constitute a suitable categorized-domain, we need to annals it. I advise using https://www.namesilo.com since it has a nice interface, seems to keep the domain categorization intact, and provides gratuitous WHOIS privacy. We don’t need hosting or anything fancy, just something to register the domain and set the A record for the domain. NameSilo besides makes it easy to set up Part 365 Mail with your domain but that is a word for another web log post. But type in the name of the domain that you found in the previous step and register abroad. Make sure to choice the correct domain extension (e.yard., .info, .com, .net, etc.) or else the trick likely won’t work.
After registering the domain name, sign in to namesilo.com and head to the DNS settings for that domain. The sequence of images below shows the general steps to get there.
Once you’ve found the DNS settings, click the edit push next to the first A record in the listing. Alter the IP accost of that A record to be the IP address of your C2/testing server and so click submit push.
Next, delete the other 3 default DNS records that NameSilo created for y’all and so that you are left with only the A tape that yous simply edited in the previous step.
Now, we patiently wait for the A record changes to propagate to the public. Namesilo.com seems to propagate the changes within fifteen minutes in about cases. Keep checking for the update by using your favorite DNS resolution tool confronting your new domain. In the image below, you tin can meet that I’ve used dig to verify that gtavdata.info at present points to my C2 server.
The next step that I commonly accept is to generate a valid, signed SSL-certificate for the new domain. Having a trusted document to use for encrypting your traffic will add to the power to bypass traffic-filtering mechanisms, help protect any sensitive data that might be transferred, and information technology can also evade some anti-virus tools that would otherwise see the unencrypted payload coming across the network. I propose logging into your C2 server and then checking out Carrie’s crawly blog post on how to do this quickly and for gratis! [v]
After generating your shiny-new SSL document, you’re ready to use your categorized domain-name for testing! Continue reading Carrie’s mail to see how to use your domain with PowerShell Empire.
You lot tin can likewise use your document and categorized domain with meterpreter and metasploit. Below is an example of using msfvenom to generate an HTA payload for my domain.
Before starting a listener for meterpreter, yous might want to host your payload so that you tin can transfer it into your testing environment. Y’all might also have other tools that you lot’d like to accept on your testing system for the assessment. Apache is one easy way to do this that takes reward of your certificate and domain. 1 suggestion is to create a folder in the /var/www/html directory on your arrangement. For this case, let’s phone call information technology serverfolder.
Copy your payload file and other tools to the directory that you just created. After copying the files, make sure that the Apache service is running. In the image beneath, I’ve copied the met_pay.hta payload file and the PowerLine toolset (teaser:upcoming webcast!) to my serverfolder directory.
You can now reach your files by opening a web browser and typing
The next task we volition do is to create a listener for our meterpreter payload. Afterwards downloading the files to your testing system, kill the Apache service on your server and start-up msfconsole.
Effect the commands shown in the screenshot below. Make certain to replace the handlersslcert value with the path to your certificate file.
Head back to the testing system on which you downloaded the payload and run it. Caput dorsum over to your server and savour the new session that was created using your categorized domain and signed SSL-document.
Follow Brian on the Twitters: @fullmetalcache
Shout-outs: Carrie Roberts, Sally Vandeven, Derek Banks, Boyfriend Bullock, harmj0y (and APT team), and others that I’grand probably forgetting…
[i] http://www.labofapenetrationtester.com/2015/05/calendar week-of-powershell-shells-day-5.html
Join the BHIS Blog Mailing List – go notified when we post new blogs, webcasts, and podcasts.
[jetpack_subscription_form show_only_email_and_button=”true” custom_background_button_color=”undefined” custom_text_button_color=”undefined” submit_button_text=”Subscribe” submit_button_classes=”undefined” show_subscribers_total=”true” ]