APEC Flashcards
How does firewalling come into play for C2 channels?
- Forces direction of traffic
- Forces specific ports
- Allows Blue to redirect, such as to a web proxy
- Allows Blue to control DNS resolution
What do firewalls do to packets?
Firewalls either allow or block packets
How are firewalls implemented?
They can be implemented as software programs or hardware devices
What layers do firewalls operate at?
Operate at Layers 3 & 4 (Network & Transport)
What is a firewall's main purpose?
Used to prohibit forbidden information from passing through, while allowing approved information, based on a set of rules that pass or reject packets.
What is a stateless firewall?
Does not track connections. No knowledge of which IP is talking to which.
What is a stateful firewall?
Can identify and track when a connection is being established. Packets that are part of that connection can be treated differently.
Possible states in a stateful firewall?
- New: First packet in conversation (i.e. TCP three-way handshake SYN packet)
- Established: Packets seen in both directions (i.e. TCP session)
- Related: A new connection spawned by an established connection (i.e. FTP data transfer connection spawned from FTP command connection)
- Invalid: Not part of any recognized connection
What are the three main constructs in iptables?
Tables
* Main packet processing component
Chains
* List of rules associated with tables
Targets
* Result of a rule triggering inside a chain
What are some attributes of good protocols to hide a C2 channel in?
- Common
- Supports Encryption
- Allowed out of Firewall
- High Bandwidth
Places to hide in web traffic?
- Cookies and other headers
- URL parameters
- POST data
- Steganography in files
- Broken up across requests
- Encoded/encrypted content
How does DNS come into play for C2 channels?
- We use domains to better blend in
- We often rely on the target network for DNS resolution
- In many networks, DNS requests are made in plaintext
- Domains are a common IOC for malware, with many blocklists out there of known malicious domains
What is DNS sinkholing?
DNS sinkholing is very simply making a custom DNS record for a known malicious domain. The custom record will point to some bogus IP. The client requesting DNS resolution will get this bogus IP and no longer be able to call back home.
Knowing that sinkholing is a threat to our malware over time, how might we protect the domains we are using from getting sinkholed?
- Rotate domains.
- Use a different DNS server.
- Use encrypted DNS resolution.
- Don’t use DNS at all!
How does HTTPS come into play for C2 channels?
- Turns web traffic into an encrypted channel
- Uses certificates to confirm server identity
- Client/server negotiate an encrypted session
What are two attributes of TLS in terms of HTTPS?
- Modern HTTPS is driven by the Transport Layer Security protocol.
- It establishes a symmetric encrypted session on top of the TCP connection.
What are the steps of the TLS handshake?
- Client Hello
- Server Hello
- Key Exchange
What happens during the "Client Hello" during the TLS handshake?
- Gives the server some cipher suite options
- Optionally provides a Server Name Indication (SNI) field specifying which host the client wants to connect to
What happens during the "Server Hello" during the TLS handshake?
- Selects a cipher suite
- Sends the server's certificate, selecting the cert based on the SNI if provided
What happens during the "Key Exchange" during the TLS handshake?
- After validating the certificate, the parties use the public key in the certificate in some fashion to establish the pre-master secret
How do the certificate exchange and handshake affect a red team?
- Need to consider getting our C2 servers' certificates signed
- Need to consider whether the cipher suites our implant uses blend in well in the target network (JA3 hashing relies on this info)
- The version of TLS that our C2 server supports can have a significant impact on what is seen by outside observers
What two groups of people benefit heavily from encrypted web traffic?
- Regular users
- Malware authors
What are some forms of traffic inspection?
- Timing analysis
- TLS handshake analysis (JA3 hashes, for example)
- Packet size
- SNI values or previous DNS resolution
- Inspecting web certificates
What is an explicit web proxy?
- Similar to a SOCKS proxy: if you want to use it, you need to configure your system to point to it.
- We will know that our traffic is getting proxied.