Abusing corporate webmail for C&C and exfiltration

Let’s assume an organization that has basic security measures: workstations cannot make direct connections to the Internet, only being able to carry out web requests through a proxy server, which is also the only one that can make external DNS queries.

HTTP and DNS traffic generated by this proxy server are properly monitored, and the proxy “breaks” HTTPS, so techniques like the domain fronting can also be detected. Only a few whitelisted websites are accessible. [Read more…]

TLS client fingerprinting with Bro

In this post, we will play with Bro IDS as a client fingerprinting techniques exploration tool.

As is known, during the initial TLS handshake (used, among others, by HTTPS on web browsers), a message called ClientHello is exchanged. In this message, the client specifies the supported cryptographic primitives (the so-called cipher suites).

For example, Firefox 50.1.0 under Linux sends a ClientHello like this, as shown with the Wireshark dissector: [Read more…]

Simple domain fronting PoC with GAE C2 server

In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.

The goal

When we have everything ready, we will have a webservice at myc2server.appspot.com which we can use from a compromised Windows machine in the following way; we will have a command and control channel (on the path /e2e7765b71c1, as an authenticator):
[Read more…]

Camouflage at encryption layer: domain fronting

In today’s post we are goint to talk about a somewhat old technique (although programs like Signal have recently started using it) that I have always found to be a really clever hack:
domain fronting.

For example, let’s take the IP address of the frontal that serves www.google.es:

$ host www.google.es
www.google.es has address 216.58.210.227

If we take a look at the Common Name (CN) field of the TLS certificate returned by the server: [Read more…]

Reversing challenge

Today’s post is a challenge for reverse engineering lovers.... Leer Más