Firewall Evasion – Xc0re Security Research Group

TCP based covert channel (ChorTCP)

Posted on May 21, 2018 by 0x90

While researching on data exfiltration techniques and covert channels, I thought of making one of my own, dubbed ChorTCP. Though protocol over protocol tunneling is a well known concept but I really wanted to actually try to hypothesize one aspect and then implement it, just for fun. The abstract below is taken from the white paper, as is. The main benefit of this technique is that any deep packet inspection firewalls will not be able to see. The traffic will, at most, seem like a malformed traffic.

Introduction

ChorTCP is a covert channel created over TCP protocol. The overall concept revolves around the exfiltration of data without sending any data on the application layer level. This is accomplished by sending specially crafted packets with specific flags enabled — to the server. When packets generated are analyzed — they appear to be either random scans or malformed traffic.

Detailed description

The technique requires two components — a server and a client. The client is used to exfiltrate data and to be sent to the server. To bypass analysis and what data is being exfiltrated — flags are used. The advantage of this technique is that the sending and receiving protocol and the dictionary can be changed thus having many possible iterations of the same exfiltration technique.

The dictionary selected for this technique is the Morse-code cipher dictionary. Which has been modified for the current requirements of the technique. The details of the POC will be described later in this chapter but for now the protocol would be illustrated.

In Mores-code “.” And “-” are represented as short tone and long tone respectively. For sending Morse-code style data on TCP/IP network via the flags subtle changes were required. This would be explained later in the chapter.

Under the hood

The exfiltration protocol works with 4 Flags — [SYN, FIN, PSH, URG]. This technique is versatile and if required the flags can be changed.

The data exfiltration is performed using the SYN and URG flags. The PSH and the FIN flags are used for delimiter purposes. As mentioned earlier that the dictionary used was that of Morse-code and then was changed to fit the current technique. The “.” And “-” was replaced with SYN and URG respectively. Moreover — few other characters were also added. Thus — converting the Morse-code dictionary into:

Any data that the client program encounters — is encoded and then sent to the server on a specific port. The server does not open a socket to listen on the port — but in fact sniffs the traffic for the mutually decided port. The protocol works as follows:

As per the data which is to be exfiltrated each character is converted into code of SYN and URG. Which means that the character ‘r’ in the word root is converted to ‘SSSUUSU’ which would send SYN packets 3 times and then send 2 URG packets and then a SYN and an URG. The server on the other end would convert the incoming SYN and URG into ‘r’.

The protocol explained:

The protocol for a non-NAT environment is illustrated below [Implemented in the POC]:

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|FIN|—> Server

This packet tells the server that end of letter has reached

Server —|PSH|—> Client

The Server responds with acknowledgement by sending a PSH packet

Client —|SYN|—> Server

The client resumes the next character.

Once the word has reached, the client sends a FIN + PSH packet to the server informing for an end of word. This process keeps going until the end of data has reached.

The protocol for the NAT network is illustrated below. It is to note that — this option is yet to be implemented and would not be a part of the POC.

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|SYN|—> Server

Client —|URG|—> Server

Client —|FIN|—> Server

This packet tells the server that end of letter has reached

Server —|PSH|—> Client

The Server responds with acknowledgement by sending a PSH packet

Client —|SYN|—> Server

The client resumes the next character.

It was observed that, in the environment where the implementation was tested, Network Address Translation for the FIN, PSH and URG packets was not happening. It was tested against TP-Link home wireless router and F-Secure Sense. Thus, the solution of removing the PSH packet from the protocol was hypothesized, this would remove the overhead of the Client waiting for an acknowledgement from the Server.

POC (ChorTCP)

The POC is implemented using Python and Scapy library. The POC would be uploaded soon. The code can be downloaded here…

Way Forward

The SYN based scanner would be implemented on the client side to first detect which ports are accessible outbound from the Target box and once determined — the client would start using that port for exfil. Moreover — as the server would be sniffing traffic on all the ports but when it receives a packet with same source and destination port — it would only start sniffing that port.

This was a very basic concept and has been tested on Non-NAT networks. Though more sophistication, as for example, adding functions to detect if the firewall is blocking the requests etc would be added later on.

Follow @Xc0resecurity

Bypass Online Filter Restriction

Posted on December 25, 2011 by 0x90

Hello again !

Disclaimer: All the material shown on this blog is for educational purposes ! We would not be held responsible for any illegal use of the material by any one !

Usually what happens is that people want to visit a website , which is legit , but some how it is listed in the document given to a naive network administrator and you want to download important stuff from it but what the hell , ITS BLOCKED !!!!!!!! Your boss , teacher or any person whom you report to , doesn’t want hear stuff about BLOCKED SITES !! Its totally lame to them because they want results and you didn’t deliver. This is a very normal problem faced by many employees , students , etc.

First of all you would have to know a little about “Tunnel” . For that please check out my post about Tunneling because your concept of how tunneling works should be very clear. Today I would tell you how one can bypass these filters.

Tor stands for The Onion Router. This was at first created by the US Naval Research Laboratory a long time ago but then was handed over to the people for commercial use ! Though alot of funding is still coming from the US Govt, and alot of other parties. Which is a pretty good thing because TOR was initially designed for anonymity. The goal was that the users would be anonymous over the internet , thus becoming less of a target for the hackers but back then ” Drive By Malware/Exploits ” were not in mind or yet discovered.

In this blog I would cover the bypassing of filters so anonymity is not the main focus.Ok how it works is that first you goto the link and download the Vidalia Bundle . Then once downloaded, install the software and all its components.

After installation run the Vidalia executable. Wait for its icon on the tray of the taskbar, to the right, to become Green. Once that is done , goto the browser’s network option and add following values in the coinciding variables fields :

Proxy Address : 127.0.0.1

Proxy Port : 8118

Ok now save the settings and get out of the options/settings by clicking on OK !

Now your good to go ! To check whether the proxy is working or not goto : What is my IP (dot) com and see your IP Address. For cross checking whether the proxy is working or not , before adding the proxy settings to your browser goto the above mentioned website and note your IP Address and then compare it with the latter!

Enjoy ! If for instance your ISP or Administrator is smart enough to some how block the tor network, goto the TOR control panel and the click the settings button and then goto the netwok tab, it would be something like this :

If you use a proxy to access the internet , usually which is the case in Universities and Offices so this is the option to give proxy to TOR:

There are a few other techniques you could use to bypass the filters , but this one is by far the best.

Peace.
Follow @Xc0resecurity

Food for thought !!

Posted on April 23, 2010 by 0x90

Hey every body !! Its been along time i posted on my blog ! I recently had an interview with some security managers of a Multi National Company ! We discussed about alot of Network Security Issues ! Although my mind was kinda rusted because i have lately been working on Web Application vulnerabilities and bypass etc ! i was asked a few questions regarding IDS bypass ! That how it can be done ! and also questions about how to secure the internal network from browser exploits and web worms.And another problem to manage thousands of computers on a remote home/corporate network.

Well there were many solutions. We discussed some of them there but then it kept me thinking. So i came up with a solution.

Back in 2007 i was working with SUNray Thin Clients !! As you can see in the picture below ! What it does is exactly what dumb terminals used to do !They get booted from a remote server and every thing is loaded from that server. The problem was the remote management of 1000s of computers accross the country ! Now with this one can easily boot remote sunray clients through Satellite , from the central server at a central location.

Now the issues that could arise are that sunray thin clients are not a very good solution in some situations , that is if some one wants to use USB or some Director level dude wants to have full controll over which applications he/she has access to , is very difficult ! And then this solution fails. But normally it is the best solution for remote management of computers.

The second problem was IDS bypass ! Well that is pretty simple , what IDS/IDP Systems do is , that it scans the payload on the application layer level to check for anomaly or checks against a DB with signatures and also has many other ways to detect. But I am going to look at the Application Layer level portion of the above sentence. Well to bypass it one can easily encrypt the payload ! Now it can be stopped by checking the destination port and that can also be changed !

The third one was to check n mitigate web browser attacks well the solution for that is Websense module for different Hardware firewalls and proxies , which scans the webtraffic for malicious traffic. 😉 ! Feel free to comment , if there are more solutions for the problems !

Stay safe 🙂

Web Application firewall bypass !

Posted on July 6, 2009 by 0x90

security

Web Application security is very important nowadays ! especially due to ecommerce. Hence Web Application firewalls came into being ! which automatically filter out the malicious query string. And many high end technology giants have them installed !

But what IF ???!!!

Some one bypasses the WAF (Web Application Firewalls) , and because of the WAF, the programmers dont give much thought to filer or properly sanitize the input ! And once by passed then its all good for the attacker !

Detecting WAF !

WAFs can easily be detected by the response one gets in the http request ! For instance some WAFs give off wierd response codes ! such as 901 ! Some give 40x errors even thought he file exists ! Some drop the packets through FIN/RST ! so if the response is analysed one can easily determine whether the firewall is there or not or of which vendor it belongs to !

Bypassing WAF !

Encoding the input into hex or Unicode !
One can split their input strings using & and can easily bypass the WAF ! (esp the attack used for Modsecurity WAF)
Even WAF have vulnerabilities such as XSS ! Thus can be easily by passed !

To conclude one can say that due to the premade rules of the WAFs it becomes predictable and very easy to bypass !

How tunneling softwares compromise internal security

Posted on March 16, 2009 by 0x90

tunnel First off let me explain what tunneling really is ? Well to make it simple i wont go into technical details but would say that for example you take a LAYS chips packet and put some thing in side it , that you are usually not allowed to send and you seal it back and send it through mail. Now the mail check post will check that its a Lays Chips packet and forward it and when it reaches your frnd ,he just unwraps it and gets the other wise forbidden object.

Now a little technical stuff ! Usually what local tunneling softwares use is HTTPs tunneling . that is , HTTPS is used as the Lays Chips packet and the data you want to tunnel is inside the https wrapped packet.

Usually the network design is such that before the gateway firewall there is usually a proxy server. And in a firewall policy table a proxy has more rights then the normal employee. That is it is allowed to access the internet with full rights and access any remote port where as a normal employee has to go through the proxy to access the internet and for him/her there are further checks at the proxy . for example

A) Employee —-(direct external nw access not allowed)—-> X [Firewall] X

B) Employee —– > [Proxy] ——- > [Firewall] ===>(Allowed)

In case of (B) the proxy has checks on orkut.com , youtube.com etc… so the employee cant access these websites. And Msn messenger / Yahoo messenger are blocked by the firewall.

Now that was the scenario. Now i will tell you people how it can be bypassed easily:

You download a software for instance . It has a live server which it connects to using HTTPS or port 443 ! and you can even give the Proxy ip address that you are using. Now its so simple it sends the packet to the proxy that it wants to connect to port 443 of the live server now the innocent proxy server forwards the request to that server through the firewall thus once connected , one can send any data out by just feeding it to hopster!

Usually in softwares like msn messenger , yahoo messenger etc ask you to give local proxy address and you just have to give your local hosts ip address or 127.0.0.1 and the software’s port number and you are good to go !

Solution:

The Network Administrator should install such softwares to check the remote servers they connect to and block the ips on the proxy and at the firewall end. And usually there is one server with single live ip address so once blocked it cannot connect.