trick or xfltreat a k a tunnel all the things
play

Trick or XFLTReaT a.k.a. Tunnel all the things Balazs Bucsay / - PowerPoint PPT Presentation

Dec 12, 2022 •274 likes •736 views

Trick or XFLTReaT a.k.a. Tunnel all the things Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group Bio / Balazs Bucsay Hungarian hacker Senior Security Consultant @ NCC Group Strictly technical certificates: OSCE,

  1. Trick or XFLTReaT a.k.a. Tunnel all the things Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group

  2. Bio / Balazs Bucsay • Hungarian hacker • Senior Security Consultant @ NCC Group • Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 • Lots of experience in offensive security • Started with ring0 debuggers and disassemblers in 2000 (13 years old) • Major projects: • GI John (2009) – Hacktivity • Chw00t (2015) – PHDays, DeepSec, Hacktivity • XFLTReaT (2017) – RuxCon, BruCON, HITB GSEC, Shakacon • Twitter: @xoreipeip • Linkedin: https://www.linkedin.com/in/bucsayb

  3. Presentations • Talks around the world: • Ghent (BE) / BruCON • Singapore (SG) / Hack in the Box GSEC • Honolulu (HI) / Shakacon • Atlanta (GA) / Hacker Halted • Moscow (RU) / PHDays • Oslo (NO) / HackCon • Vienna (AT) / DeepSec • Budapest (HU) / Hacktivity • London (UK) / Inf. Gov. & eDiscovery Summit • There is some more space here … @xoreipeip

  4. Tunnels

  5. Without a tunnel @xoreipeip

  6. With a tunnel @xoreipeip

  7. Why would one use tunnels? • Work VPN – to access the corporate internal network • Hide real IP address • Whistle-blowers/Journalists to communicate anonymously • Torrent • ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, … ) • Bypass corporate proxy policy • Bypass captive portals!? • What about you? @xoreipeip

  8. Have you done … tunnelling? Protocol Tool TCP @xoreipeip

  9. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip

  10. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip

  11. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip

  12. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier OpenVPN Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip

  13. Two days on a ferry (Port TCP/443 unfiltered) Oh no! I forgot to set up my OpenVPN on port 443

  14. 10 hour flight to Japan (ICMP unfiltered)

  15. At the airport (DNS unfiltered)

  16. What did I see? Get tired of: • As many protocols as many solutions • Hard to modify the existing ones • No modularity • Portability issues • Configuration issues • Unsupported/EoL tools • No automation at all • It is just hard, but it does not have to be! @xoreipeip

  17. XFLTReaT The beast was born!

  18. Tunnelling theory 101 / MTU @xoreipeip

  19. What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) • Tunnelling framework • Open-source • Python based • OOP • Modular • Multi client • Plug and Play (at least as easy as it can be) • Check functionality @xoreipeip

  20. Easy, modular, plug & play • Install: • git clone & pip install • edit config • run • Tunnels, encryption, authentication etc. are modular • Plug and play: • Copy new module into modules/, support files to support/ • edit config • run @xoreipeip

  21. Framework, as it is You do not have to: • Set up the routing • Handle multiple users • Create and set up an interface or interfaces • Care about encryption, authentication or encoding You only have to: • Encapsulate your packets into your protocol • Implement protocol related things @xoreipeip

  22. Check functionality • Easy way to figure out, which protocol is not filtered on the network • Automated approach: No deep knowledge is needed • Client sends a challenge over the selected (or all) modules to the server • If the server responses with the solution: • We know that the server is up and running • The specific module/protocol is working over the network • Connection can be made @xoreipeip

  23. One interface to rule them all @xoreipeip

  24. Channels • There are two channels in every tunnel • Data: data transmission • Control: control messages • Check message/response • Authentication related messages • Logoff message • Dummy message for keep-alive and query request • Auto-tune messages • etc. @xoreipeip

  25. Ease of development

  26. Module tree @xoreipeip

  27. Ease of use/development • Only web traffic allowed? @xoreipeip

  28. Ease of use/development • Only web traffic allowed? Set your server on port TCP/80 • Only ICMP type 0 allowed? @xoreipeip

  29. Ease of use/development • Only web traffic allowed? Set your server on port TCP/80 • Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 • HTTP should work, but only with special header? @xoreipeip

  30. Ease of use/development • Only web traffic allowed? Set your server on port TCP/80 • Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 • HTTP should work, but only with special header? Set the header in source • HTTPS allowed but only with TLS v1.2? @xoreipeip

  31. Ease of use/development • Only web traffic allowed? Set your server on port TCP/80 • Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 • HTTP should work, but only with special header? Set the header in source • HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only • Special authentication over HTTP proxy? @xoreipeip

  32. Ease of use/development • Only web traffic allowed? Set your server on port TCP/80 • Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 • HTTP should work, but only with special header? Set the header in source • HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only • Special authentication over HTTP proxy? Implement the auth, change the config • Want to send data over text/SMS? @xoreipeip

  33. Ease of use/development • Only web traffic allowed? Set your server on port TCP/80 • Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 • HTTP should work, but only with special header? Set the header in source • HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only • Special authentication over HTTP proxy? Implement the auth, change the config • Want to send data over text/SMS? Handle connection with your phone from a module • PROTIP: just use the source! @xoreipeip

  34. SCTP + WebSocket • SCTP module created and submitted by @info_dox • Best example of how easy to create a standard tunnel • Please use the next-version branch for developing • Create issues • WebSocket module added • Created a new tunnel in 3-4 hours • Ideal for proxies if WebSocket is supported • What is your next module? @xoreipeip

  35. DEMO

  36. A few technical details • TCP is pretty easy • New connection/new thread for all users • UDP introduced new challenges • Stateless - One socket for all users • Sender address needs to be checked • ICMP • Just like UDP it is stateless as well • Identifier and sequence tracking (for NAT/Firewalls) • As many request as many answers @xoreipeip

  37. DNS module • The DNS module is not 100% yet • Zonefile support included • Supports A/CNAME, PRIVATE and NULL records (easily extendable) • Tested with Bind9 • Auto tune functionality checks: • Which is the best encoding and length for upstream • Which is the best encoding, length and record type down downstream • Example: NULL record with no encoding with 300bytes downstream @xoreipeip

  38. Why tunnelling can’t be done over A record • Question of all time! • A request with CNAME answer is possible • A request with A answer is not (really?) • A / AAAA records can have 4/16 bytes long payload • Simple TCP ACK packet is 66 bytes • This means 17 DNS packets / ACK • 338 packets for a full size TCP packet (with MTU set 1350) @xoreipeip

  39. Offense • Bypass basic obstacles • Specific ports are unfiltered (TCP / UDP) • DNS allowed • ICMP allowed • Bypass not that basic obstacles • Specific protocol allowed (IPS or any other active device in place) • Special authentication required • Exfiltrate information from internal networks • Get unfiltered internet access @xoreipeip

  40. Defense for companies Check your network settings • Check functionality • Try to exfiltrate data – check whether your active network device can catch it Captive portals • Drop all packets that are addressed to external until not authenticated • All DNS query should have the same response (the portal) @xoreipeip

  41. Defense for companies No solution is 100% secure • Do not route your network to the internet • Disable all traffic between the internet and internal network • Use HTTP Proxy and enforce it • Whitelist ports (80 and 443, would you need anything else?) • Blacklist websites (does not really help on XFLTReaT) • DNS • Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Eiganes tunnel / Ryfast Worlds longest sub-sea road-tunnel, a city tunnel, and a sub-sea

Eiganes tunnel / Ryfast Worlds longest sub-sea road-tunnel, a city tunnel, and a sub-sea

Eiganes tunnel / Ryfast Worlds longest sub-sea road-tunnel, a city tunnel, and a sub-sea city-tunnel Stavanger Norway's fourth largest city with a population of 170,000. The centre of Norway's off-shore oil and gas industry. Rogfast 2015-

266 views • 12 slides
A tunnel discovery and A tunnel discovery and monitoring overview monitoring overview Ryszard

A tunnel discovery and A tunnel discovery and monitoring overview monitoring overview Ryszard

A tunnel discovery and A tunnel discovery and monitoring overview monitoring overview Ryszard Jurga CERN openlab Agenda Agenda What is the tunnel? The tunnel discovery The tunnel monitoring Conclusions What is the tunnel?

476 views • 14 slides
The Deepest Tunnel in London Lee Tunnel - Setting New Industry Standards ConsMa 2014 Seoul,

The Deepest Tunnel in London Lee Tunnel - Setting New Industry Standards ConsMa 2014 Seoul,

The Deepest Tunnel in London Lee Tunnel - Setting New Industry Standards ConsMa 2014 Seoul, Korea Bill Van Wagenen Sr. VP and Program Manager, CH2MHILL March 11, 2014 What I Will Cover Why Lee Tunnel What Are We Building

2.13k views • 33 slides
THE BEST CARD TRICK MICHAEL KLEBER In Mathematical Intelligencer 24 #1 (Winter 2002) You, my

THE BEST CARD TRICK MICHAEL KLEBER In Mathematical Intelligencer 24 #1 (Winter 2002) You, my

THE BEST CARD TRICK MICHAEL KLEBER In Mathematical Intelligencer 24 #1 (Winter 2002) You, my friend, are about to witness the best card trick there is. Here, take this ordinary deck of cards, and draw a hand of five cards from it. Choose them

404 views • 5 slides
Tunnel End-point Discovery Tunnel End-point Discovery draft-palet-v6ops-tun-auto-disc-03.txt

Tunnel End-point Discovery Tunnel End-point Discovery draft-palet-v6ops-tun-auto-disc-03.txt

Tunnel End-point Discovery Tunnel End-point Discovery draft-palet-v6ops-tun-auto-disc-03.txt Tunnel End-point Discovery IPv6-in-IPv4 Tunnel End-point Discovery Is this something we have to provide? A different discussion.. Scope of the

659 views • 8 slides
John Keefe Director of Public Affairs 1 2 The Channel Tunnel Technical characteristics

John Keefe Director of Public Affairs 1 2 The Channel Tunnel Technical characteristics

John Keefe Director of Public Affairs 1 2 The Channel Tunnel Technical characteristics Longest undersea tunnel in the world 2 rail tunnels and a service tunnel, each 50km long, bored at an average of 40m below the sea bed

482 views • 20 slides
Models in spintronics (Part II) OUTLINE : Spin-dependent transport in magnetic tunnel junctions

Models in spintronics (Part II) OUTLINE : Spin-dependent transport in magnetic tunnel junctions

Models in spintronics (Part II) OUTLINE : Spin-dependent transport in magnetic tunnel junctions -Introduction to tunnel effect -magnetic tunnel junctions and tunnel MR -Julliere model -Slonczewskis model (free electron gas) -Crystalline

1.21k views • 59 slides
More $ (caches, yes) Trick or treat! Midterm

More $ (caches, yes) Trick or treat! Midterm

University of Washington More $ (caches, yes) Trick or treat! Midterm ques>ons? Note: prac+ce midterms posted HW 2 due today Lab

1.15k views • 70 slides
BLUE PLAINS TUNNEL DC CLEAN RIVERS PROJECT Tunnel Achievement Awards Banquet 10th Annual

BLUE PLAINS TUNNEL DC CLEAN RIVERS PROJECT Tunnel Achievement Awards Banquet 10th Annual

District of Columbia Water and Sewer Authority George S. Hawkins, CEO and General Manager BLUE PLAINS TUNNEL DC CLEAN RIVERS PROJECT Tunnel Achievement Awards Banquet 10th Annual Breakthroughs in Tunneling Short Course August 15, 2017

640 views • 26 slides
Tunnel Presentation Tim Smart 27 th June 2016 P1509 (1) HOL/10014/0002 Tunnel Briefing Agenda

Tunnel Presentation Tim Smart 27 th June 2016 P1509 (1) HOL/10014/0002 Tunnel Briefing Agenda

Tunnel Presentation Tim Smart 27 th June 2016 P1509 (1) HOL/10014/0002 Tunnel Briefing Agenda 1. Operational aspects of tunnels (1) Safety arrangements (2) Noise and vibration (3) Vent shafts and smoke control (4) Energy use in tunnels 2.

635 views • 39 slides
The trick in biology is to select, from the thousands of facts that you know, the three that are

The trick in biology is to select, from the thousands of facts that you know, the three that are

The trick in biology is to select, from the thousands of facts that you know, the three that are relevant to your problem, and to not be disturbed that they contradict each other. Eric Wieschaus (paraphrased) Mark Voorhies 3D Structures 3D

790 views • 11 slides
THE L TRAIN TUNNEL PROJECT REPORT THE L TRAIN TUNNEL REVIEW TEAM Mary Boyce

THE L TRAIN TUNNEL PROJECT REPORT THE L TRAIN TUNNEL REVIEW TEAM Mary Boyce

THE L TRAIN TUNNEL PROJECT REPORT THE L TRAIN TUNNEL REVIEW TEAM Mary Boyce , Lance Collins , Dean of Engineering, Joseph Silbert Dean of Engineering, Morris C. And Alma Cornell University Schapiro Professor, Columbia

499 views • 39 slides
Parallel Thimble Shoal Tunnel Project Chesapeake Bay Bridge and Tunnel Agenda Item #11 Parallel

Parallel Thimble Shoal Tunnel Project Chesapeake Bay Bridge and Tunnel Agenda Item #11 Parallel

Parallel Thimble Shoal Tunnel Project Chesapeake Bay Bridge and Tunnel Agenda Item #11 Parallel Thimble Shoal Tunnel Project Location Existing Crossover Proposed Parallel #2 Island Thimble Shoal Tunnel (SB Traffic) Existing Thimble Shoal

453 views • 8 slides
Revision of Carpal Tunnel Release for Revision of Carpal Tunnel Release for Persistent or

Revision of Carpal Tunnel Release for Revision of Carpal Tunnel Release for Persistent or

2014 ASPS 2014 ASPS Revision of Carpal Tunnel Release for Revision of Carpal Tunnel Release for Persistent or Recurrent Persistent or Recurrent Carpal Tunnel Syndrome Carpal Tunnel Syndrome Chao-Ming Wu, Yu-Te Lin, Bon-Yun Chou, Chih-Hao

297 views • 15 slides
TUNNEL PROJECT U-WALL + FLOOD GATE ENCLOSURE CONCEPT FEBRUARY 10, 2012 PORT OF MIAMI TUNNEL

TUNNEL PROJECT U-WALL + FLOOD GATE ENCLOSURE CONCEPT FEBRUARY 10, 2012 PORT OF MIAMI TUNNEL

PORT OF MIAMI TUNNEL PROJECT U-WALL + FLOOD GATE ENCLOSURE CONCEPT FEBRUARY 10, 2012 PORT OF MIAMI TUNNEL WATSON ISLAND 02.10.2012 PORT OF MIAMI TUNNEL WATSON - TUNNEL ENTRY 02.10.2012 PORT OF MIAMI TUNNEL WATSON - TUNNEL ENTRY

560 views • 19 slides
Twin Peaks Tunnel Improvements Project February 22, 2017 Project Overview Extensive

Twin Peaks Tunnel Improvements Project February 22, 2017 Project Overview Extensive

Twin Peaks Tunnel Improvements Project February 22, 2017 Project Overview Extensive rehabilitation of tunnel and internal system Full track replacement Fire suppression system Tunnel drainage system Seismic upgrades to Eureka

131 views • 11 slides
ASEAN Regional Forum WORKSHOP ON ILLEGAL, UNREPORTED AND UNREGULATED FISHING Fisheries Crime and

ASEAN Regional Forum WORKSHOP ON ILLEGAL, UNREPORTED AND UNREGULATED FISHING Fisheries Crime and

ASEAN Regional Forum WORKSHOP ON ILLEGAL, UNREPORTED AND UNREGULATED FISHING Fisheries Crime and Transnational Organized Crime Bali (Indonesia) 20 th April 2016 12 Apr 2016 A multi-sectorial problem Environment Rule of Trade Law

234 views • 19 slides
INTRODUCTION TO WIRELESS SENSOR NETWORKS Marco Zennaro, ICTP Trieste-Italy Wireless sensor

INTRODUCTION TO WIRELESS SENSOR NETWORKS Marco Zennaro, ICTP Trieste-Italy Wireless sensor

INTRODUCTION TO WIRELESS SENSOR NETWORKS Marco Zennaro, ICTP Trieste-Italy Wireless sensor networks A Wireless Sensor Network is a self- configuring network of small sensor nodes communicating among themselves using radio signals, and

1.31k views • 34 slides
MapFish WebGIS An Open Source Webmapping Project Elisabeth Leu, Camptocamp SA Emmanuel Belo,

MapFish WebGIS An Open Source Webmapping Project Elisabeth Leu, Camptocamp SA Emmanuel Belo,

MapFish WebGIS An Open Source Webmapping Project Elisabeth Leu, Camptocamp SA Emmanuel Belo, Camptocamp SA Agenda Camptocamp What is MapFish MapFish and Cloud Conclusion www.camptocamp.com / May 9, 2014 2/27 Open Source

487 views • 27 slides
Commitments of the OSCE participating States relevant to the postponement of the return of

Commitments of the OSCE participating States relevant to the postponement of the return of

osce.org/odihr Commitments of the OSCE participating States relevant to the postponement of the return of irregular migrants 22 March 2017 Riga, Latvia osce.org/odihr Migrants, asylum seekers and refugees in the OSCE region: statistics for

212 views • 20 slides
Asylum seekers from the Balkans: Statistical data Table 1: Asylum seekers from Western Balkans

Asylum seekers from the Balkans: Statistical data Table 1: Asylum seekers from Western Balkans

Presentation: Freedom of movement in a populist age - Why Balkan visa liberalisation is (still) a success Brussels, 1 July 2011 Asylum seekers from the Balkans: Statistical data Table 1: Asylum seekers from Western Balkans countries in the EU,

464 views • 8 slides
Finance Bill 2020 vs Finance Act 2020 - International Taxation Perspective International Taxation

Finance Bill 2020 vs Finance Act 2020 - International Taxation Perspective International Taxation

Finance Bill 2020 vs Finance Act 2020 - International Taxation Perspective International Taxation Study Group of CTC Sunil Maloo FCA, LLB, DIIT, DISA Ahmedabad Agenda 2 Modification of Residency Provisions 01 Changed Residency Norms for

522 views • 48 slides
Functional Programming Invades Architecture George Fairbanks SATURN 2017 3 May 2017 1

Functional Programming Invades Architecture George Fairbanks SATURN 2017 3 May 2017 1

Functional Programming Invades Architecture George Fairbanks SATURN 2017 3 May 2017 1 Programming in the Large Yesterday: Functional Programming is PITS, i.e., just inside modules Today: FP is also PITL DeRemer and Kron,

626 views • 34 slides
A SOCIAL NETWORK ON STREAMS 2 DRIVETRIBE D RIVETRIBE The world biggest motoring community.

A SOCIAL NETWORK ON STREAMS 2 DRIVETRIBE D RIVETRIBE The world biggest motoring community.

DRIVETRIBE ENGINEERING A SOCIAL NETWORK ON STREAMS 2 DRIVETRIBE D RIVETRIBE The world biggest motoring community. A social platform for petrolheads. By Clarkson, Hammond and May. 3 DRIVETRIBE D RIVETRIBE A content destination

979 views • 70 slides

More recommend