User Tools
script:x509_ext_c2
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
script:x509_ext_c2 [2018/02/08 18:16] veera [The Full Text Search FTS Document] |
script:x509_ext_c2 [2018/02/08 18:31] (current) veera [Analysing the sample PCAP in Trisul] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114)) and the original link on the //Fidelis Blog Whats missing is in front of us// ((Fidelis Security Blog https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities)) and also on the //Network Miner blog Examining a X.509 Covert Channel// (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities )) I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]] | I saw a couple of blogs about a new way to create a C2 (Command and Control) channel using X.509 Certificates. This technique is described in //Abusing X.509 Certificates for Covert Data Exchange// ((Dark Reading https://www.darkreading.com/attacks-breaches/abusing-x509-digital-certificates-for-covert-data-exchange/d/d-id/1330984?_mc=sm_dr&hootPostID=a10970e131beaf9b5a7ac86b0564b114)) and the original link on the //Fidelis Blog Whats missing is in front of us// ((Fidelis Security Blog https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities)) and also on the //Network Miner blog Examining a X.509 Covert Channel// (( Network Miner blog post https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities )) I'd also like to mention the author [[https://twitter.com/sysopfb|Jason Reaves]] | ||
| - | In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes. However this is not used in certificate validation and it appears from the researchers that the network defenses are not checking if this contains a valid value. The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! | + | In this technique the covert channel is built by stuffing chunks of data into X.509 Certificate Extensions, in this case the "Subject Key Identifier" aka SKI extension. This is usually a hash of 20 bytes. However this is not used in certificate validation and it appears current commercial network defenses are not checking if this contains a valid value. The C2 POC uses a large number of certificates with SKI values of 10,000 bytes ! |
| - | Detecting this is quite easy with Trisul as well as Bro IDS. This post highlights the different approaches taken. | + | Detecting this is quite easy with [[https://trisul.org/docs/lua|Trisul]] as well as [[https://www.bro.org/|Bro IDS]]. This post highlights the Trisul approach. |
| - | ===== The Full Text Search FTS Document ===== | + | ===== Trisul vs Bro approaches to the same problem ===== |
| Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. | Trisul extracts metadata from network traffic and makes them available to LUA Scripts. There are two //streams// your scripts can plug into. | ||
| - | - the **Resource** stream: these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers | + | - the **Resource** stream: these are shorter summaries of the meta data. For example the DNS Resources would be one line summary of question and answers. SSL Resources contain the DER format certificate chain. |
| - | - the **FTS** stream: a complete text dump of the meta data. The DNS FTS stream would be a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command. | + | - the **FTS** stream: a complete text dump in some canonical format. For example : The DNS FTS stream would contain documents with a full dump of all DNS fields - much like the DIG format. Similarly for SSL Certificates, the FTS stream passes text documents that mirror the `openssl x509` command. |
| - | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events, Trisul provides a text document. | + | You can see the **different approach taken by Trisul NSM compared to Bro IDS**. Instead of fine grained events preferred by Bro IDS, Trisul provides a text document. If you wanted to parse the document yourself, you can do that as well using LuaJIT FFI. Here is an example of FFI'ing [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/roca/roca.lua|into the OpenSSL BIGNUM library]] from a script |
| ==== Analysing the sample PCAP in Trisul ==== | ==== Analysing the sample PCAP in Trisul ==== | ||
| Line 24: | Line 24: | ||
| - | Next you have to write a small LUA script that plugs into the FTS Stream. Your script will then get a chance to process each certificate //out of the fast packet path//. The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose. | + | Next you have to write a small LUA script that plugs into the FTS SSL Certs Stream. Your script will then get a chance to peek at each certificate //out of the fast packet path//. By moving this out of the //Fast Packet Path// ((For more on Fast Path and Slow Path in Trisul LUA API see [[https://www.trisul.org/docs/lua/basics.html#stream_processing|"Stream Processing"]])) Trisul gives your scripts a large time budget a few seconds to process without incurring packet loss. The Trisul LUA API provides the [[https://www.trisul.org/docs/lua/fts_monitor.html|FTS Monitor script]] for exactly this purpose. |
| - | I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using simple regex. The snippet is shown below | + | I just put together a quick [[https://github.com/trisulnsm/trisul-scripts/blob/master/lua/backend_scripts/fts/c2-x509-fts.lua|FTS Monitor LUA script on GitHub]] that demonstrates how you can pick apart the cert using a simple regex. The snippet is shown below |
| <code lua> | <code lua> | ||
| Line 47: | Line 47: | ||
| - Use a Regex to capture the bytestring in // X509v3 Subject Key// | - Use a Regex to capture the bytestring in // X509v3 Subject Key// | ||
| - | - If above 32 characters then we suspect something fishy , you can also generate an alert at this point using the ''engine:add_alert(..)'' method. | + | - If the SKI extension is greater than 32 characters then we suspect something fishy. You may even generate an alert at this point using the ''engine:add_alert(..)'' method. |
| - Open a tmp file the convert the hex to binary and dump the contents there. | - Open a tmp file the convert the hex to binary and dump the contents there. | ||
| - | If you place this script in the LUA folder ''/usr/local/etc/trisul-probe/plugins/lua'' and re-ran the PCAP file, then you would get a number of files in the tmp folder containing chunks of the Mimikatz binary. Then when you run the //file// command you can see the chunk that contain the PE Header show up. You can also do this as part of the script itself. | + | If you place this script in the LUA folder ''/usr/local/etc/trisul-probe/plugins/lua'' and re-run the PCAP file, then you would get a number of files in the tmp folder containing chunks of the Mimikatz binary. When you run the //file// command you can see the chunk that contain the PE Header show up. You can also do this as part of the script itself. |
| {{:script:mimi1.png|}} | {{:script:mimi1.png|}} | ||
script/x509_ext_c2.1518113774.txt.gz · Last modified: 2018/02/08 18:16 by veera
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
