XFLTReaT presentation from BruCON 0x09 2017
https://www.youtube.com/watch?v=0hnxgu8lkfc
This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
1. XFLTReaT:
a new dimension in tunnelling
Balazs Bucsay / @xoreipeip
Senior Security Consultant @ NCC Group
2. Bio / Balazs Bucsay
• Hungarian hacker
• Senior Security Consultant @ NCC Group
• Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2
• Lots of experience in offensive security
• Started with ring0 debuggers and disassemblers in 2000 (13 years old)
• Major projects:
• GI John (2009) – Hacktivity
• Chw00t (2015) – PHDays, DeepSec, Hacktivity
• XFLTReaT (2017) – BruCON, HITB GSEC, Shakacon
• Twitter: @xoreipeip
• Linkedin: https://www.linkedin.com/in/bucsayb
3. Presentations
• Talks around the world: • Singapore (SG) / Hack in the Box GSEC
• Honolulu (HI) / Shakacon
• Atlanta (GA) / Hacker Halted
• Moscow (RU) / PHDays
• Oslo (NO) / HackCon
• Vienna (AT) / DeepSec
• Budapest (HU) / Hacktivity
• London (UK) / Inf. Gov. & eDiscovery Summit
• There is some more space here…
@xoreipeip
7. Why would one use tunnels?
• Work VPN – to access the corporate internal network
• Hide real IP address
• Whistle-blowers/Journalists to communicate anonymously
• Torrent
• ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …)
• Bypass corporate proxy policy
• Bypass captive portals!?
• What about you?
@xoreipeip
8. Have you done … tunnelling?
Protocol Tool
TCP
@xoreipeip
9. Have you done … tunnelling?
Protocol Tool
TCP OpenVPN Cisco AnyConnect
UDP
@xoreipeip
10. Have you done … tunnelling?
Protocol Tool
TCP OpenVPN Cisco AnyConnect
UDP OpenVPN
ICMP
@xoreipeip
11. Have you done … tunnelling?
Protocol Tool
TCP OpenVPN Cisco AnyConnect
UDP OpenVPN
ICMP Hans Ping Tunnel ICMPTx
DNS
@xoreipeip
12. Have you done … tunnelling?
Protocol Tool
TCP OpenVPN Cisco AnyConnect
UDP OpenVPN
ICMP Hans Ping Tunnel ICMPTx
DNS iodine DNSCat* Ozymandns
HTTP CONNECT Proxifier OpenVPN
Pure HTTP ?
TLS v1.2 ?
TLS v1.2 with Kerberos auth ?
@xoreipeip
13. Oh no! I forgot to set up my OpenVPN on port 443
(Port TCP/443 unfiltered)
Two days on a ferry
16. What did I see?
Get tired of:
• As many protocols as many solutions
• Hard to modify the existing ones
• No modularity
• Portability issues
• Configuration issues
• Unsupported/EoL tools
• No automation at all
• It is just hard, but it does not have to be!
@xoreipeip
19. What is XFLTReaT?
XFLTReaT (say exfil-treat or exfiltrate)
• Tunnelling framework
• Open-source
• Python based
• OOP
• Modular
• Multi client
• Plug and Play (at least as easy as it can be)
• Check functionality
@xoreipeip
20. Easy, modular, plug & play
• Install:
• git clone & pip install
• edit config
• run
• Tunnels, encryption, authentication etc. are modular
• Plug and play:
• Copy new module into modules/, support files to support/
• edit config
• run
@xoreipeip
21. Framework, as it is
You do not have to:
• Set up the routing
• Handle multiple users
• Create and set up an interface or interfaces
• Care about encryption, authentication or encoding
You only have to:
• Encapsulate your packets into your protocol
• Implement protocol related things
@xoreipeip
22. Check functionality
• Easy way to figure out, which protocol is not filtered on the network
• Automated approach: No deep knowledge is needed
• Client sends a challenge over the selected (or all) modules to the server
• If the server responses with the solution:
• We know that the server is up and running
• The specific module/protocol is working over the network
• Connection can be made
@xoreipeip
24. Channels
• There are two channels in every tunnel
• Data: data transmission
• Control: control messages
• Check message/response
• Authentication related messages
• Logoff message
• Dummy message for keep-alive and query request
• Auto-tune messages
• etc.
@xoreipeip
28. Ease of use/development
• Only web traffic allowed? Set your server on port TCP/80
• Only ICMP type 0 allowed?
@xoreipeip
29. Ease of use/development
• Only web traffic allowed? Set your server on port TCP/80
• Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0
• HTTP should work, but only with special header?
@xoreipeip
30. Ease of use/development
• Only web traffic allowed? Set your server on port TCP/80
• Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0
• HTTP should work, but only with special header? Set the header in source
• HTTPS allowed but only with TLS v1.2?
@xoreipeip
31. Ease of use/development
• Only web traffic allowed? Set your server on port TCP/80
• Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0
• HTTP should work, but only with special header? Set the header in source
• HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only
• Special authentication over HTTP proxy?
@xoreipeip
32. Ease of use/development
• Only web traffic allowed? Set your server on port TCP/80
• Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0
• HTTP should work, but only with special header? Set the header in source
• HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only
• Special authentication over HTTP proxy? Implement the auth, change the config
• Want to send data over text/SMS?
@xoreipeip
33. Ease of use/development
• Only web traffic allowed? Set your server on port TCP/80
• Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0
• HTTP should work, but only with special header? Set the header in source
• HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only
• Special authentication over HTTP proxy? Implement the auth, change the config
• Want to send data over text/SMS? Handle connection with your phone from a module
• PROTIP: just use the source!
@xoreipeip
34. SCTP + WebSocket
• SCTP module created and submitted by @info_dox
• Best example of how easy to create a standard tunnel
• Please use the next-version branch for developing
• Create issues
• WebSocket module added
• Created a new tunnel in 3-4 hours
• Ideal for proxies if WebSocket is supported
• What is your next module?
@xoreipeip
36. A few technical details
• TCP is pretty easy
• New connection/new thread for all users
• UDP introduced new challenges
• Stateless - One socket for all users
• Sender address needs to be checked
• ICMP
• Just like UDP it is stateless as well
• Identifier and sequence tracking (for NAT/Firewalls)
• As many request as many answers
@xoreipeip
37. DNS module
@xoreipeip
• The DNS module is not 100% yet
• Zonefile support included
• Supports A/CNAME, PRIVATE and NULL records (easily extendable)
• Tested with Bind9
• Auto tune functionality checks:
• Which is the best encoding and length for upstream
• Which is the best encoding, length and record type down downstream
• Example: NULL record with no encoding with 300bytes downstream
38. Why tunnelling can’t be done over A record
@xoreipeip
• Question of all time!
• A request with CNAME answer is possible
• A request with A answer is not
• A / AAAA records can have 4/16 bytes long payload
• Simple TCP ACK packet is 66 bytes
• This means 17 DNS packets / ACK
• 338 packets for a full size TCP packet (with MTU set 1350)
39. Offense
• Bypass basic obstacles
• Specific ports are unfiltered (TCP / UDP)
• DNS allowed
• ICMP allowed
• Bypass not that basic obstacles
• Specific protocol allowed (IPS or any other active device in place)
• Special authentication required
• Exfiltrate information from internal networks
• Get unfiltered internet access
@xoreipeip
40. Defense for companies
Check your network settings
• Check functionality
• Try to exfiltrate data – check whether your active network device can catch it
Captive portals
• Drop all packets that are addressed to external until not authenticated
• All DNS query should have the same response (the portal)
@xoreipeip
41. Defense for companies
No solution is 100% secure
• Do not route your network to the internet
• Disable all traffic between the internet and internal network
• Use HTTP Proxy and enforce it
• Whitelist ports (80 and 443, would you need anything else?)
• Blacklist websites (does not really help on XFLTReaT)
• DNS
• Filter external DNS queries if possible (let HTTP proxy do the resolving)
@xoreipeip
42. Defense for companies
No solution is 100% secure
• Do you have an inventory? (IP, owner, purpose, location)
• Do baselining (Use Netflow or Bro)
• Check relation between IPs
• What are the top talker source IPs (bytes, packets, flows)?
• What are the top destination IPs (bytes, packets, flows)?
• Any unusual activity should generate an alert/be blocked when you are done
@xoreipeip
44. TODO
@xoreipeip
• Commenting
• Bug fixes
• Authentication + encryption modules
• Multi OS support
• New modules
• You can help if you would like! (use next-version branch)
45. Q&A - Thank you for your attention
Balazs Bucsay / @xoreipeip
46. Office Locations
Europe
Manchester - Head Office
Amsterdam
Basingstoke
Cambridge
Copenhagen
Cheltenham
Delft
Edinburgh
Glasgow
The Hague
Leatherhead
Leeds
London
Madrid
Malmö
Milton Keynes
Munich
Vilnius
Zurich
North America
Atlanta, GA
Austin, TX
Boston, MA
Campbell, CA
Chicago, IL
Kitchener, ON
New York, NY
San Francisco, CA
Seattle, WA
Sunnyvale, CA
Toronto, ON
Asia-Pacific
Singapore
Sydney
Middle East
Dubai