Networks

avatar
Created by
GiganticAngonoka72710

Subdecks (1)

Cards (73)

  • Data Exfiltration
    • Data exfiltration is a non-traditional approach for copying and transferring data from a compromised to an attacker's machine.
    • The data exfiltration technique is used to emulate the normal network activities, and It relies on network protocols such as DNS, HTTP, SSH, etc. Data Exfiltration over common protocols is challenging to detect and distinguish between legitimate and malicious traffic.
    • Some protocols are not designed to carry data over them. However, threat actors find ways to abuse these protocols to bypass network-based security products such as a firewall. 
  • What is Data Exfiltration
    • Data Exfiltration is the process of taking an unauthorized copy of sensitive data and moving it from the inside of an organization's network to the outside.
    • It is important to note that Data Exfiltration is a post-compromised process where a threat actor has already gained access to a network and performed various activities to get hands on sensitive data. Data Exfiltration often happens at the last stage of the Cyber Kill Chain model, Actions on Objectives.
  • Data Exfiltration
    • Data exfiltration is also used to hide an adversary's malicious activities and bypass security products. For example, the DNS exfiltration technique can evade security products, such as a firewall.
    Sensitive data can be in various types and forms, and it may contain the following:
    • Usernames and passwords or any authentication information.
    • Bank accounts details
    • Business strategic decisions.
    • Cryptographic keys.
    • Employee and personnel information.
    • Project code data.
  • How to use Data Exfiltration
    There are three primary use case scenarios of data exfiltration, including:
    1. Exfiltrate data
    2. Command and control communications.
    3. Tunneling
  • Traditional Data Exfiltration
    • The traditional Data Exfiltration scenario is moving sensitive data out of the organization's network. An attacker can make one or more network requests to transfer the data, depending on the data size and the protocol used.
    • Note that a threat actor does not care about the reply or response to his request. Thus, all traffic will be in one direction, from inside the network to outside. Once the data is stored on the attacker's server, he logs into it and grabs the data.
  • DNS Exfiltration: C2 Communications
    • Many C2 frameworks provide options to establish a communication channel, including standard and non-traditional protocols to send commands and receive responses from a victim machine.
    • In C2 communications a limited number of requests where an attacker sends a request to execute a command in the victim's machine. Then, the agent's client executes the command and sends a reply with the result over a non-traditional protocol. The communications will go in two directions: into and out of the network.
  • DNS Exfiltration: Tunneling
    • In the Tunneling scenario, an attacker uses this data exfiltration technique to establish a communication channel between a victim and an attacker's machine.
    • The communication channel acts as a bridge to let the attacker machine access the entire internal network. There will be continuous traffic sent and received while establishing the connection.
  • TCP Socket Exfiltration
    • Using the TCP socket is one of the data exfiltration techniques that an attacker may use in a non-secured environment where they know there are no network-based security products. If we are in a well-secured environment, then this kind of exfiltration is not recommended. This exfiltration type is easy to detect because we rely on non-standard protocols.
    • Besides the TCP socket, we will also use various other techniques, including data encoding and archiving. One of the benefits of this technique is that it encodes the data during transmission it harder to examine.
  • TCP Socket Exfiltration
    The diagram shows that two hosts communicate over TCP on port 1337 in the following steps:
    1. The first machine is listening over TCP on port 1337
    2. The other machine connects to the port specified in step 1. For example, nc 1.2.3.4 1337
    3. The first machine establishes the connection
    4. Finally, the sending and receiving data starts. For example, the attacker sends commands and receives results.
  • SSH Exfiltration
    • SSH protocol establishes a secure channel to interact and move data between the client and server, so all transmission data is encrypted over the network or the Internet.
    • To transfer data over the SSH, we can use either the Secure Copy Protocol SCP or the SSH client. Let's assume that we don't have the SCP command available to transfer data over SSH. Thus, we will focus more on the SSH client in this task.
    • An attacker needs to control a server, which in this case has an SSH server enabled, to receive the exfiltrated data. 
  • HTTP/S Exfiltration
    • This task explains how to use the HTTP/HTTPS protocol to exfiltrate data from a victim to an attacker's machine.
    • As a requirement for this technique, an attacker needs control over a webserver with a server-side programming language installed and enabled.
    • We will show a PHP-based scenario in this task, but it can be implemented in any other programming language, such as python, Golang, NodeJS, etc.
  • HTTP/S Exfiltration: HTTP POST Request
    • Exfiltration data through the HTTP protocol is one of the best options because it is challenging to detect. It is tough to distinguish between legitimate and malicious HTTP traffic.
    • We will use the POST HTTP method in the data exfiltration, and the reason is with the GET request, all parameters are registered into the log file. While using POST request, it doesn't.
  • HTTP/S Exfiltration: HTTP POST Request Benefits
    • POST requests are never cached
    • POST requests do not remain in the browser history
    • POST requests cannot be bookmarked
    • POST requests have no restrictions on data length
  • HTTP/S Exfiltration
    • In a typical real-world scenario, an attacker controls a web server in the cloud somewhere on the Internet.
    • An agent or command is executed from a compromised machine to send the data outside the compromised machine's network over the Internet into the webserver. Then an attacker can log in to a web server to get the data, as shown in the following figure.
  • HTTP Exfiltration
    To exfiltrate data over the HTTP protocol, we can apply the following steps:
    1. An attacker sets up a web server with a data handler. In our case, it will be web.thm.com and the contact.php page as a data handler.
    2. A C2 agent or an attacker sends the data. In our case, we will send data using the curl command.
    3. The webserver receives the data and stores it. In our case, the contact.php receives the POST request and stores it into /tmp.
    4. The attacker logs into the webserver to have a copy of the received data.
  • HTTP Tunneling
    • Tunneling over the HTTP protocol technique encapsulates other protocols and sends them back and forth via the HTTP protocol. HTTP tunneling sends and receives many HTTP requests depending on the communication channel!
    • For example, in our scenario, the uploader.thm.com server is reachable from the Internet and provides web services to everyone. However, the app.thm.com server runs locally and provides services only for the internal network as shown in the following figure: 
  • HTTP Tunneling
    • We will create an HTTP tunnel communication channel to pivot into the internal network and communicate with local network devices through HTTP protocol.
    • Let's say that we found a web application that lets us upload an HTTP tunnel agent file to a victim webserver, uploader.thm.com. Once we upload and connect to it, we will be able to communicate with app.thm.com. 
    • For HTTP Tunneling, we will be using a Neo-reGeorg tool to establish a communication channel to access the internal network devices
  • HTTP Tunneling
    • The following diagram shows the traffic flow as it goes through the uploader machine and then communicates with the internal network devices, which in this case, is the App machine.
    • Note that if we check the network traffic from the App machine, we see that the source IP address of incoming traffic comes from the uploader machine.
  • ICMP Exfiltration
    • Network devices such as routers use ICMP protocol to check network connectivities between devices. Note that the ICMP protocol is not a transport protocol to send data between devices. 
    • Let's say that two hosts need to test the connectivity in the network; then, we can use the ping command to send ICMP packets through the network, as shown in the following figure.
    • The HOST1 sends an ICMP packet with an echo-request packet. Then, if HOST2 is available, it sends an ICMP packet back with an echo reply message confirming the availability.
  • ICMP Data Section
    • On a high level, the ICMP packet's structure contains a Data section that can include strings or copies of other information, such as the IPv4 header, used for error messages. 
    • Note that the Data field is optional and could either be empty or it could contain a random string during the communications. As an attacker, we can use the ICMP structure to include our data within the Data section and send it via ICMP packet to another machine. The other machine must capture the network traffic with the ICMP packets to receive the data.
  • ICMP Exfiltration
    • The ping command in the Linux OS has an interesting ICMP option. With the -p argument, we can specify 16 bytes of data in hex representation to send through the packet. Note that the -p option is only available for Linux operating systems. 
    • Let's say that we need to exfiltrate the following credentials thm:tryhackme. First, we need to convert it to its Hex representation and then pass it to the ping command using -p options
  • ICMP Data Exfiltration
    • The Metasploit framework uses the same technique explained in the previous section. However, it will capture incoming ICMP packets and wait for a Beginning of File (BOF) trigger value. Once it is received, it writes to the disk until it gets an End of File (EOF) trigger value.
  • ICMP Data Exfiltration
    • Let's set up the Metasploit framework by selecting the icmp_exfil module to make it ready to capture and listen for ICMP traffic. 
    • One of the requirements for this module is to set the BPF_FILTER option, which is based on TCPDUMP rules, to capture only ICMP packets and ignore any ICMP packets that have the source IP of the attacking machine as follows,
  • ICMP C2 Communication
    • Executing commands over the ICMP protocol using the ICMPDoor tool. ICMPDoor is an open-source reverse-shell written in Python3 and scapy. 
    • The tool uses the same concept we discussed earlier in this task, where an attacker utilizes the Data section within the ICMP packet.
    • The only difference is that an attacker sends a command that needs to be executed on a victim's machine. Once the command is executed, a victim machine sends the execution output within the ICMP packet in the Data section.
  • What is DNS Data Exfiltration?
    Since DNS is not a transport protocol, many organizations don't regularly monitor the DNS protocol! The DNS protocol is allowed in almost all firewalls in any organization network. For those reasons, threat actors prefer using the DNS protocol to hide their communications.
    The DNS protocol has limitations that need to be taken into consideration, which are as follows,
    • The maximum length of the Fully Qualified FQDN domain name (including .separators) is 255 characters.
    • The subdomain name (label) length must not exceed 63 characters (not including .com, .net, etc).
  • DNS Data Exfiltration
    • Based on these limitations, we can use a limited number of characters to transfer data over the domain name. If we have a large file, 10 MB for example, it may need more than 50000 DNS requests to transfer the file completely. Therefore, it will be noisy traffic and easy to notice and detect.
  • DNS Data Exfiltration Process
    1. An attacker registers a domain name, for example, tunnel.com 
    2. The attacker sets up tunnel.com's NS record points to a server that the attacker controls.
    3. The malware or the attacker sends sensitive data from a victim machine to a domain name they control—for example, passw0rd.tunnel.com, where passw0rd is the data that needs to be transferred.
  • DNS Data Exfiltration Process
    • 4. The DNS request is sent through the local DNS server and is forwarded through the Internet.
    • 5. The attacker's authoritative DNS (malicious server) receives the DNS request.
    • 6. Finally, the attacker extracts the password from the domain name.
  • When do we need to use the DNS Data Exfiltration?
    • There are many use case scenarios, but the typical one is when the firewall blocks and filters all traffic.
    • We can pass data or TCP/UDP packets through a firewall using the DNS protocol, but it is important to ensure that the DNS is allowed and resolving domain names to IP addresses.
  • DNS Data Exfiltration
    1. Get the required data that needs to be transferred.
    2. Encode the file using one of the encoding techniques.
    3. Send the encoded characters as subdomain/labels.
    4. Consider the limitations of the DNS protocol. Note that we can add as much data as we can to the domain name, but we must keep the whole URL under 255 characters, and each subdomain label can't exceed 63 characters. If we do exceed these limits, we split the data and send more DNS requests!
  • DNS Data Exfiltration
    • Now let's explain the manual DNS Data Exfiltration technique and show how it works. Assume that we have a creds.txt file with sensitive data, such as credit card information.
    • To move it over the DNS protocol, we need to encode the content of the file and attach it as a subdomain name as follows,
  • C2 Communications over DNS
    • C2 frameworks use the DNS protocol for communication, such as sending a command execution request and receiving execution results over the DNS protocol. They also use the TXT DNS record to run a dropper to download extra files on a victim machine. This section simulates how to execute a bash script over the DNS protocol. We will be using the web interface to add a TXT DNS record to the tunnel.com domain name.
  • C2 Communications over DNS
    • For example, let's say we have a script that needs to be executed in a victim machine. First, we need to encode the script as a Base64 representation and then create a TXT DNS record of the domain name you control with the content of the encoded script.
    • The following is an example of the required script that needs to be added to the domain name:
  • C2 Communications over DNS
    • Now that we have the Base64 representation of our script, we add it as a TXT DNS record to the domain we control, which in this case, the tunnel.com. You can add it through the web interface we provide http://10.10.154.3/ or https://10-10-154-3.p.thmlabs.com/ without using a VPN. 
    • Once we added it, let's confirm that we successfully created the script's DNS record by asking the local DNS server to resolve the TXT record of the script.tunnel.com. If everything is set up correctly, we should receive the content we added in the previous step. 
  • DNS Tunneling (TCPoverDNS)
    • This technique is also known as TCP over DNS, where an attacker encapsulates other protocols, such as HTTP requests, over the DNS protocol using the DNS Data Exfiltration technique. 
    • DNS Tunneling establishes a communication channel where data is sent and received continuously.
    • We will be using the iodine tool for creating our DNS tunneling communications