SlideShare a Scribd company logo

XFLTReaT: a new dimension in tunnelling

B
Balazs Bucsay

XFLTReaT presentation from BruCON 0x09 2017 https://www.youtube.com/watch?v=0hnxgu8lkfc This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters. Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane. This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.

Software
1 of 46
Download to read offline
XFLTReaT: a new dimension in tunnelling Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group
Bio / Balazs Bucsay •  Hungarian hacker •  Senior Security Consultant @ NCC Group •  Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 •  Lots of experience in offensive security •  Started with ring0 debuggers and disassemblers in 2000 (13 years old) •  Major projects: •  GI John (2009) – Hacktivity •  Chw00t (2015) – PHDays, DeepSec, Hacktivity •  XFLTReaT (2017) – BruCON, HITB GSEC, Shakacon •  Twitter: @xoreipeip •  Linkedin: https://www.linkedin.com/in/bucsayb
Presentations •  Talks around the world: •  Singapore (SG) / Hack in the Box GSEC •  Honolulu (HI) / Shakacon •  Atlanta (GA) / Hacker Halted •  Moscow (RU) / PHDays •  Oslo (NO) / HackCon •  Vienna (AT) / DeepSec •  Budapest (HU) / Hacktivity •  London (UK) / Inf. Gov. & eDiscovery Summit •  There is some more space here… @xoreipeip
Tunnels
Without a tunnel @xoreipeip
With a tunnel @xoreipeip
Why would one use tunnels? •  Work VPN – to access the corporate internal network •  Hide real IP address •  Whistle-blowers/Journalists to communicate anonymously •  Torrent •  ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …) •  Bypass corporate proxy policy •  Bypass captive portals!? •  What about you? @xoreipeip
Have you done … tunnelling? Protocol Tool TCP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier OpenVPN Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip
Oh no! I forgot to set up my OpenVPN on port 443 (Port TCP/443 unfiltered) Two days on a ferry
10 hour flight to Japan (ICMP unfiltered)
At the airport (DNS unfiltered)
What did I see? Get tired of: •  As many protocols as many solutions •  Hard to modify the existing ones •  No modularity •  Portability issues •  Configuration issues •  Unsupported/EoL tools •  No automation at all •  It is just hard, but it does not have to be! @xoreipeip
XFLTReaT The beast was born!
Tunnelling theory 101 / MTU @xoreipeip
What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) •  Tunnelling framework •  Open-source •  Python based •  OOP •  Modular •  Multi client •  Plug and Play (at least as easy as it can be) •  Check functionality @xoreipeip
Easy, modular, plug & play •  Install: •  git clone & pip install •  edit config •  run •  Tunnels, encryption, authentication etc. are modular •  Plug and play: •  Copy new module into modules/, support files to support/ •  edit config •  run @xoreipeip
Framework, as it is You do not have to: •  Set up the routing •  Handle multiple users •  Create and set up an interface or interfaces •  Care about encryption, authentication or encoding You only have to: •  Encapsulate your packets into your protocol •  Implement protocol related things @xoreipeip
Check functionality •  Easy way to figure out, which protocol is not filtered on the network •  Automated approach: No deep knowledge is needed •  Client sends a challenge over the selected (or all) modules to the server •  If the server responses with the solution: •  We know that the server is up and running •  The specific module/protocol is working over the network •  Connection can be made @xoreipeip
One interface to rule them all @xoreipeip
Channels •  There are two channels in every tunnel •  Data: data transmission •  Control: control messages •  Check message/response •  Authentication related messages •  Logoff message •  Dummy message for keep-alive and query request •  Auto-tune messages •  etc. @xoreipeip
Ease of development
Module tree @xoreipeip
Ease of use/development •  Only web traffic allowed? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? Handle connection with your phone from a module •  PROTIP: just use the source! @xoreipeip
SCTP + WebSocket •  SCTP module created and submitted by @info_dox •  Best example of how easy to create a standard tunnel •  Please use the next-version branch for developing •  Create issues •  WebSocket module added •  Created a new tunnel in 3-4 hours •  Ideal for proxies if WebSocket is supported •  What is your next module? @xoreipeip
DEMO
A few technical details •  TCP is pretty easy •  New connection/new thread for all users •  UDP introduced new challenges •  Stateless - One socket for all users •  Sender address needs to be checked •  ICMP •  Just like UDP it is stateless as well •  Identifier and sequence tracking (for NAT/Firewalls) •  As many request as many answers @xoreipeip
DNS module @xoreipeip •  The DNS module is not 100% yet •  Zonefile support included •  Supports A/CNAME, PRIVATE and NULL records (easily extendable) •  Tested with Bind9 •  Auto tune functionality checks: •  Which is the best encoding and length for upstream •  Which is the best encoding, length and record type down downstream •  Example: NULL record with no encoding with 300bytes downstream
Why tunnelling can’t be done over A record @xoreipeip •  Question of all time! •  A request with CNAME answer is possible •  A request with A answer is not •  A / AAAA records can have 4/16 bytes long payload •  Simple TCP ACK packet is 66 bytes •  This means 17 DNS packets / ACK •  338 packets for a full size TCP packet (with MTU set 1350)
Offense •  Bypass basic obstacles •  Specific ports are unfiltered (TCP / UDP) •  DNS allowed •  ICMP allowed •  Bypass not that basic obstacles •  Specific protocol allowed (IPS or any other active device in place) •  Special authentication required •  Exfiltrate information from internal networks •  Get unfiltered internet access @xoreipeip
Defense for companies Check your network settings •  Check functionality •  Try to exfiltrate data – check whether your active network device can catch it Captive portals •  Drop all packets that are addressed to external until not authenticated •  All DNS query should have the same response (the portal) @xoreipeip
Defense for companies No solution is 100% secure •  Do not route your network to the internet •  Disable all traffic between the internet and internal network •  Use HTTP Proxy and enforce it •  Whitelist ports (80 and 443, would you need anything else?) •  Blacklist websites (does not really help on XFLTReaT) •  DNS •  Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip
Defense for companies No solution is 100% secure •  Do you have an inventory? (IP, owner, purpose, location) •  Do baselining (Use Netflow or Bro) •  Check relation between IPs •  What are the top talker source IPs (bytes, packets, flows)? •  What are the top destination IPs (bytes, packets, flows)? •  Any unusual activity should generate an alert/be blocked when you are done @xoreipeip
Already released @xoreipeip http://xfltreat.info https://github.com/earthquake/XFLTReaT
TODO @xoreipeip •  Commenting •  Bug fixes •  Authentication + encryption modules •  Multi OS support •  New modules •  You can help if you would like! (use next-version branch)
Q&A - Thank you for your attention Balazs Bucsay / @xoreipeip
Office Locations Europe Manchester - Head Office Amsterdam Basingstoke Cambridge Copenhagen Cheltenham Delft Edinburgh Glasgow The Hague Leatherhead Leeds London Madrid Malmö Milton Keynes Munich Vilnius Zurich North America Atlanta, GA Austin, TX Boston, MA Campbell, CA Chicago, IL Kitchener, ON New York, NY San Francisco, CA Seattle, WA Sunnyvale, CA Toronto, ON Asia-Pacific Singapore Sydney Middle East Dubai

Recommended

Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Logstash and friends
Logstash and friendsLogstash and friends
Logstash and friendsJulien Pivotto
 

Recommended

Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Logstash and friends
Logstash and friendsLogstash and friends
Logstash and friendsJulien Pivotto
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Salt at school
Salt at schoolSalt at school
Salt at schoolFlavio Castelli
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needleSensePost
 
rsyslog meets docker
rsyslog meets dockerrsyslog meets docker
rsyslog meets dockerRainer Gerhards
 
Network scanning
Network scanningNetwork scanning
Network scanningMD SAQUIB KHAN
 
Tomcat next
Tomcat nextTomcat next
Tomcat nextJean-Frederic Clere
 
Cluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheCluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheRoberto Cortez
 
Lifecycle Management with Foreman
Lifecycle Management with ForemanLifecycle Management with Foreman
Lifecycle Management with ForemanJulien Pivotto
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Julien Pivotto
 
OSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareOSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareNETWAYS
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at TuentiAndrés Viedma Peláez
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?Mark Nottingham
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
 

More Related Content

What's hot

XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needleSensePost
 
Cluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheCluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheRoberto Cortez
 
Lifecycle Management with Foreman
Lifecycle Management with ForemanLifecycle Management with Foreman
Lifecycle Management with ForemanJulien Pivotto
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Julien Pivotto
 
OSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareOSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareNETWAYS
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at TuentiAndrés Viedma Peláez
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 

What's hot (20)

XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Salt at school
Salt at schoolSalt at school
Salt at school
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needle
 
rsyslog meets docker
rsyslog meets dockerrsyslog meets docker
rsyslog meets docker
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Cluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheCluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCache
 
Lifecycle Management with Foreman
Lifecycle Management with ForemanLifecycle Management with Foreman
Lifecycle Management with Foreman
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012
 
OSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareOSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source Hardware
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at Tuenti
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 

Similar to XFLTReaT: a new dimension in tunnelling

Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to knowGökhan Şengün
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
EKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdfEKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdfArnaud Bouchez
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022Lorenzo Miniero
 
CPAN Gems From The Far East
CPAN Gems From The Far EastCPAN Gems From The Far East
CPAN Gems From The Far Eastlestrrat
 
Php internal architecture
Php internal architecturePhp internal architecture
Php internal architectureElizabeth Smith
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSkhangtoh
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_monTomas Doran
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Alec Muffett
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Lorenzo Miniero
 
From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...P. Taylor Goetz
 

Similar to XFLTReaT: a new dimension in tunnelling (20)

What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new framework
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
SPDY and HTTP/2
SPDY and HTTP/2SPDY and HTTP/2
SPDY and HTTP/2
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
EKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdfEKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdf
 
HTTP/2 in Examples
HTTP/2 in ExamplesHTTP/2 in Examples
HTTP/2 in Examples
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022
 
CPAN Gems From The Far East
CPAN Gems From The Far EastCPAN Gems From The Far East
CPAN Gems From The Far East
 
Php internal architecture
Php internal architecturePhp internal architecture
Php internal architecture
 
How do event loops work in Python?
How do event loops work in Python?How do event loops work in Python?
How do event loops work in Python?
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUS
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_mon
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...
 
From Device to Data Center to Insights
From Device to Data Center to InsightsFrom Device to Data Center to Insights
From Device to Data Center to Insights
 

Recently uploaded

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 

Recently uploaded (20)

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 

XFLTReaT: a new dimension in tunnelling

  • 1. XFLTReaT: a new dimension in tunnelling Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group
  • 2. Bio / Balazs Bucsay •  Hungarian hacker •  Senior Security Consultant @ NCC Group •  Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 •  Lots of experience in offensive security •  Started with ring0 debuggers and disassemblers in 2000 (13 years old) •  Major projects: •  GI John (2009) – Hacktivity •  Chw00t (2015) – PHDays, DeepSec, Hacktivity •  XFLTReaT (2017) – BruCON, HITB GSEC, Shakacon •  Twitter: @xoreipeip •  Linkedin: https://www.linkedin.com/in/bucsayb
  • 3. Presentations •  Talks around the world: •  Singapore (SG) / Hack in the Box GSEC •  Honolulu (HI) / Shakacon •  Atlanta (GA) / Hacker Halted •  Moscow (RU) / PHDays •  Oslo (NO) / HackCon •  Vienna (AT) / DeepSec •  Budapest (HU) / Hacktivity •  London (UK) / Inf. Gov. & eDiscovery Summit •  There is some more space here… @xoreipeip
  • 7. Why would one use tunnels? •  Work VPN – to access the corporate internal network •  Hide real IP address •  Whistle-blowers/Journalists to communicate anonymously •  Torrent •  ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …) •  Bypass corporate proxy policy •  Bypass captive portals!? •  What about you? @xoreipeip
  • 8. Have you done … tunnelling? Protocol Tool TCP @xoreipeip
  • 9. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip
  • 10. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip
  • 11. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip
  • 12. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier OpenVPN Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip
  • 13. Oh no! I forgot to set up my OpenVPN on port 443 (Port TCP/443 unfiltered) Two days on a ferry
  • 14. 10 hour flight to Japan (ICMP unfiltered)
  • 15. At the airport (DNS unfiltered)
  • 16. What did I see? Get tired of: •  As many protocols as many solutions •  Hard to modify the existing ones •  No modularity •  Portability issues •  Configuration issues •  Unsupported/EoL tools •  No automation at all •  It is just hard, but it does not have to be! @xoreipeip
  • 18. Tunnelling theory 101 / MTU @xoreipeip
  • 19. What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) •  Tunnelling framework •  Open-source •  Python based •  OOP •  Modular •  Multi client •  Plug and Play (at least as easy as it can be) •  Check functionality @xoreipeip
  • 20. Easy, modular, plug & play •  Install: •  git clone & pip install •  edit config •  run •  Tunnels, encryption, authentication etc. are modular •  Plug and play: •  Copy new module into modules/, support files to support/ •  edit config •  run @xoreipeip
  • 21. Framework, as it is You do not have to: •  Set up the routing •  Handle multiple users •  Create and set up an interface or interfaces •  Care about encryption, authentication or encoding You only have to: •  Encapsulate your packets into your protocol •  Implement protocol related things @xoreipeip
  • 22. Check functionality •  Easy way to figure out, which protocol is not filtered on the network •  Automated approach: No deep knowledge is needed •  Client sends a challenge over the selected (or all) modules to the server •  If the server responses with the solution: •  We know that the server is up and running •  The specific module/protocol is working over the network •  Connection can be made @xoreipeip
  • 23. One interface to rule them all @xoreipeip
  • 24. Channels •  There are two channels in every tunnel •  Data: data transmission •  Control: control messages •  Check message/response •  Authentication related messages •  Logoff message •  Dummy message for keep-alive and query request •  Auto-tune messages •  etc. @xoreipeip
  • 27. Ease of use/development •  Only web traffic allowed? @xoreipeip
  • 28. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? @xoreipeip
  • 29. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? @xoreipeip
  • 30. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? @xoreipeip
  • 31. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? @xoreipeip
  • 32. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? @xoreipeip
  • 33. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? Handle connection with your phone from a module •  PROTIP: just use the source! @xoreipeip
  • 34. SCTP + WebSocket •  SCTP module created and submitted by @info_dox •  Best example of how easy to create a standard tunnel •  Please use the next-version branch for developing •  Create issues •  WebSocket module added •  Created a new tunnel in 3-4 hours •  Ideal for proxies if WebSocket is supported •  What is your next module? @xoreipeip
  • 35. DEMO
  • 36. A few technical details •  TCP is pretty easy •  New connection/new thread for all users •  UDP introduced new challenges •  Stateless - One socket for all users •  Sender address needs to be checked •  ICMP •  Just like UDP it is stateless as well •  Identifier and sequence tracking (for NAT/Firewalls) •  As many request as many answers @xoreipeip
  • 37. DNS module @xoreipeip •  The DNS module is not 100% yet •  Zonefile support included •  Supports A/CNAME, PRIVATE and NULL records (easily extendable) •  Tested with Bind9 •  Auto tune functionality checks: •  Which is the best encoding and length for upstream •  Which is the best encoding, length and record type down downstream •  Example: NULL record with no encoding with 300bytes downstream
  • 38. Why tunnelling can’t be done over A record @xoreipeip •  Question of all time! •  A request with CNAME answer is possible •  A request with A answer is not •  A / AAAA records can have 4/16 bytes long payload •  Simple TCP ACK packet is 66 bytes •  This means 17 DNS packets / ACK •  338 packets for a full size TCP packet (with MTU set 1350)
  • 39. Offense •  Bypass basic obstacles •  Specific ports are unfiltered (TCP / UDP) •  DNS allowed •  ICMP allowed •  Bypass not that basic obstacles •  Specific protocol allowed (IPS or any other active device in place) •  Special authentication required •  Exfiltrate information from internal networks •  Get unfiltered internet access @xoreipeip
  • 40. Defense for companies Check your network settings •  Check functionality •  Try to exfiltrate data – check whether your active network device can catch it Captive portals •  Drop all packets that are addressed to external until not authenticated •  All DNS query should have the same response (the portal) @xoreipeip
  • 41. Defense for companies No solution is 100% secure •  Do not route your network to the internet •  Disable all traffic between the internet and internal network •  Use HTTP Proxy and enforce it •  Whitelist ports (80 and 443, would you need anything else?) •  Blacklist websites (does not really help on XFLTReaT) •  DNS •  Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip
  • 42. Defense for companies No solution is 100% secure •  Do you have an inventory? (IP, owner, purpose, location) •  Do baselining (Use Netflow or Bro) •  Check relation between IPs •  What are the top talker source IPs (bytes, packets, flows)? •  What are the top destination IPs (bytes, packets, flows)? •  Any unusual activity should generate an alert/be blocked when you are done @xoreipeip
  • 44. TODO @xoreipeip •  Commenting •  Bug fixes •  Authentication + encryption modules •  Multi OS support •  New modules •  You can help if you would like! (use next-version branch)
  • 45. Q&A - Thank you for your attention Balazs Bucsay / @xoreipeip
  • 46. Office Locations Europe Manchester - Head Office Amsterdam Basingstoke Cambridge Copenhagen Cheltenham Delft Edinburgh Glasgow The Hague Leatherhead Leeds London Madrid Malmö Milton Keynes Munich Vilnius Zurich North America Atlanta, GA Austin, TX Boston, MA Campbell, CA Chicago, IL Kitchener, ON New York, NY San Francisco, CA Seattle, WA Sunnyvale, CA Toronto, ON Asia-Pacific Singapore Sydney Middle East Dubai