SlideShare uma empresa Scribd logo

XFLTReaT: a new dimension in tunnelling

B
Balazs Bucsay

XFLTReaT presentation from BruCON 0x09 2017 https://www.youtube.com/watch?v=0hnxgu8lkfc This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters. Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane. This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.

Software
1 de 46
Baixar para ler offline
XFLTReaT: a new dimension in tunnelling Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group
Bio / Balazs Bucsay •  Hungarian hacker •  Senior Security Consultant @ NCC Group •  Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 •  Lots of experience in offensive security •  Started with ring0 debuggers and disassemblers in 2000 (13 years old) •  Major projects: •  GI John (2009) – Hacktivity •  Chw00t (2015) – PHDays, DeepSec, Hacktivity •  XFLTReaT (2017) – BruCON, HITB GSEC, Shakacon •  Twitter: @xoreipeip •  Linkedin: https://www.linkedin.com/in/bucsayb
Presentations •  Talks around the world: •  Singapore (SG) / Hack in the Box GSEC •  Honolulu (HI) / Shakacon •  Atlanta (GA) / Hacker Halted •  Moscow (RU) / PHDays •  Oslo (NO) / HackCon •  Vienna (AT) / DeepSec •  Budapest (HU) / Hacktivity •  London (UK) / Inf. Gov. & eDiscovery Summit •  There is some more space here… @xoreipeip
Tunnels
Without a tunnel @xoreipeip
With a tunnel @xoreipeip
Why would one use tunnels? •  Work VPN – to access the corporate internal network •  Hide real IP address •  Whistle-blowers/Journalists to communicate anonymously •  Torrent •  ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …) •  Bypass corporate proxy policy •  Bypass captive portals!? •  What about you? @xoreipeip
Have you done … tunnelling? Protocol Tool TCP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier OpenVPN Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip
Oh no! I forgot to set up my OpenVPN on port 443 (Port TCP/443 unfiltered) Two days on a ferry
10 hour flight to Japan (ICMP unfiltered)
At the airport (DNS unfiltered)
What did I see? Get tired of: •  As many protocols as many solutions •  Hard to modify the existing ones •  No modularity •  Portability issues •  Configuration issues •  Unsupported/EoL tools •  No automation at all •  It is just hard, but it does not have to be! @xoreipeip
XFLTReaT The beast was born!
Tunnelling theory 101 / MTU @xoreipeip
What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) •  Tunnelling framework •  Open-source •  Python based •  OOP •  Modular •  Multi client •  Plug and Play (at least as easy as it can be) •  Check functionality @xoreipeip
Easy, modular, plug & play •  Install: •  git clone & pip install •  edit config •  run •  Tunnels, encryption, authentication etc. are modular •  Plug and play: •  Copy new module into modules/, support files to support/ •  edit config •  run @xoreipeip
Framework, as it is You do not have to: •  Set up the routing •  Handle multiple users •  Create and set up an interface or interfaces •  Care about encryption, authentication or encoding You only have to: •  Encapsulate your packets into your protocol •  Implement protocol related things @xoreipeip
Check functionality •  Easy way to figure out, which protocol is not filtered on the network •  Automated approach: No deep knowledge is needed •  Client sends a challenge over the selected (or all) modules to the server •  If the server responses with the solution: •  We know that the server is up and running •  The specific module/protocol is working over the network •  Connection can be made @xoreipeip
One interface to rule them all @xoreipeip
Channels •  There are two channels in every tunnel •  Data: data transmission •  Control: control messages •  Check message/response •  Authentication related messages •  Logoff message •  Dummy message for keep-alive and query request •  Auto-tune messages •  etc. @xoreipeip
Ease of development
Module tree @xoreipeip
Ease of use/development •  Only web traffic allowed? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? Handle connection with your phone from a module •  PROTIP: just use the source! @xoreipeip
SCTP + WebSocket •  SCTP module created and submitted by @info_dox •  Best example of how easy to create a standard tunnel •  Please use the next-version branch for developing •  Create issues •  WebSocket module added •  Created a new tunnel in 3-4 hours •  Ideal for proxies if WebSocket is supported •  What is your next module? @xoreipeip
DEMO
A few technical details •  TCP is pretty easy •  New connection/new thread for all users •  UDP introduced new challenges •  Stateless - One socket for all users •  Sender address needs to be checked •  ICMP •  Just like UDP it is stateless as well •  Identifier and sequence tracking (for NAT/Firewalls) •  As many request as many answers @xoreipeip
DNS module @xoreipeip •  The DNS module is not 100% yet •  Zonefile support included •  Supports A/CNAME, PRIVATE and NULL records (easily extendable) •  Tested with Bind9 •  Auto tune functionality checks: •  Which is the best encoding and length for upstream •  Which is the best encoding, length and record type down downstream •  Example: NULL record with no encoding with 300bytes downstream
Why tunnelling can’t be done over A record @xoreipeip •  Question of all time! •  A request with CNAME answer is possible •  A request with A answer is not •  A / AAAA records can have 4/16 bytes long payload •  Simple TCP ACK packet is 66 bytes •  This means 17 DNS packets / ACK •  338 packets for a full size TCP packet (with MTU set 1350)
Offense •  Bypass basic obstacles •  Specific ports are unfiltered (TCP / UDP) •  DNS allowed •  ICMP allowed •  Bypass not that basic obstacles •  Specific protocol allowed (IPS or any other active device in place) •  Special authentication required •  Exfiltrate information from internal networks •  Get unfiltered internet access @xoreipeip
Defense for companies Check your network settings •  Check functionality •  Try to exfiltrate data – check whether your active network device can catch it Captive portals •  Drop all packets that are addressed to external until not authenticated •  All DNS query should have the same response (the portal) @xoreipeip
Defense for companies No solution is 100% secure •  Do not route your network to the internet •  Disable all traffic between the internet and internal network •  Use HTTP Proxy and enforce it •  Whitelist ports (80 and 443, would you need anything else?) •  Blacklist websites (does not really help on XFLTReaT) •  DNS •  Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip
Defense for companies No solution is 100% secure •  Do you have an inventory? (IP, owner, purpose, location) •  Do baselining (Use Netflow or Bro) •  Check relation between IPs •  What are the top talker source IPs (bytes, packets, flows)? •  What are the top destination IPs (bytes, packets, flows)? •  Any unusual activity should generate an alert/be blocked when you are done @xoreipeip
Already released @xoreipeip http://xfltreat.info https://github.com/earthquake/XFLTReaT
TODO @xoreipeip •  Commenting •  Bug fixes •  Authentication + encryption modules •  Multi OS support •  New modules •  You can help if you would like! (use next-version branch)
Q&A - Thank you for your attention Balazs Bucsay / @xoreipeip
Office Locations Europe Manchester - Head Office Amsterdam Basingstoke Cambridge Copenhagen Cheltenham Delft Edinburgh Glasgow The Hague Leatherhead Leeds London Madrid Malmö Milton Keynes Munich Vilnius Zurich North America Atlanta, GA Austin, TX Boston, MA Campbell, CA Chicago, IL Kitchener, ON New York, NY San Francisco, CA Seattle, WA Sunnyvale, CA Toronto, ON Asia-Pacific Singapore Sydney Middle East Dubai

Recomendados

Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Logstash and friends
Logstash and friendsLogstash and friends
Logstash and friendsJulien Pivotto
 

Recomendados

Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Logstash and friends
Logstash and friendsLogstash and friends
Logstash and friendsJulien Pivotto
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Salt at school
Salt at schoolSalt at school
Salt at schoolFlavio Castelli
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needleSensePost
 
rsyslog meets docker
rsyslog meets dockerrsyslog meets docker
rsyslog meets dockerRainer Gerhards
 
Network scanning
Network scanningNetwork scanning
Network scanningMD SAQUIB KHAN
 
Tomcat next
Tomcat nextTomcat next
Tomcat nextJean-Frederic Clere
 
Cluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheCluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheRoberto Cortez
 
Lifecycle Management with Foreman
Lifecycle Management with ForemanLifecycle Management with Foreman
Lifecycle Management with ForemanJulien Pivotto
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Julien Pivotto
 
OSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareOSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareNETWAYS
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at TuentiAndrés Viedma Peláez
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?Mark Nottingham
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
 

Mais conteúdo relacionado

Mais procurados

XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needleSensePost
 
Cluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheCluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheRoberto Cortez
 
Lifecycle Management with Foreman
Lifecycle Management with ForemanLifecycle Management with Foreman
Lifecycle Management with ForemanJulien Pivotto
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Julien Pivotto
 
OSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareOSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareNETWAYS
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at TuentiAndrés Viedma Peláez
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 

Mais procurados (20)

XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Salt at school
Salt at schoolSalt at school
Salt at school
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Pushing a camel through the eye of a needle
Pushing a camel through the eye of a needlePushing a camel through the eye of a needle
Pushing a camel through the eye of a needle
 
rsyslog meets docker
rsyslog meets dockerrsyslog meets docker
rsyslog meets docker
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Cluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCacheCluster your MicroProfile Application using CDI and JCache
Cluster your MicroProfile Application using CDI and JCache
 
Lifecycle Management with Foreman
Lifecycle Management with ForemanLifecycle Management with Foreman
Lifecycle Management with Foreman
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012Postgresql 9.0 HA at LOADAYS 2012
Postgresql 9.0 HA at LOADAYS 2012
 
OSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source HardwareOSMC 2021 | Monitoring Open Source Hardware
OSMC 2021 | Monitoring Open Source Hardware
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
 
Experiences with Microservices at Tuenti
Experiences with Microservices at TuentiExperiences with Microservices at Tuenti
Experiences with Microservices at Tuenti
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 

Semelhante a XFLTReaT: a new dimension in tunnelling

Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to knowGökhan Şengün
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 
EKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdfEKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdfArnaud Bouchez
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022Lorenzo Miniero
 
CPAN Gems From The Far East
CPAN Gems From The Far EastCPAN Gems From The Far East
CPAN Gems From The Far Eastlestrrat
 
Php internal architecture
Php internal architecturePhp internal architecture
Php internal architectureElizabeth Smith
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSkhangtoh
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_monTomas Doran
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Alec Muffett
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Lorenzo Miniero
 
From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...P. Taylor Goetz
 

Semelhante a XFLTReaT: a new dimension in tunnelling (20)

What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new framework
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
SPDY and HTTP/2
SPDY and HTTP/2SPDY and HTTP/2
SPDY and HTTP/2
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 
EKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdfEKON27-FrameworksTuning.pdf
EKON27-FrameworksTuning.pdf
 
HTTP/2 in Examples
HTTP/2 in ExamplesHTTP/2 in Examples
HTTP/2 in Examples
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022
 
CPAN Gems From The Far East
CPAN Gems From The Far EastCPAN Gems From The Far East
CPAN Gems From The Far East
 
Php internal architecture
Php internal architecturePhp internal architecture
Php internal architecture
 
How do event loops work in Python?
How do event loops work in Python?How do event loops work in Python?
How do event loops work in Python?
 
Resumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUSResumable File Upload API using GridFS and TUS
Resumable File Upload API using GridFS and TUS
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_mon
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...From Device to Data Center to Insights: Architectural Considerations for the ...
From Device to Data Center to Insights: Architectural Considerations for the ...
 
From Device to Data Center to Insights
From Device to Data Center to InsightsFrom Device to Data Center to Insights
From Device to Data Center to Insights
 

Último

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 

Último (20)

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 

XFLTReaT: a new dimension in tunnelling

  • 1. XFLTReaT: a new dimension in tunnelling Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group
  • 2. Bio / Balazs Bucsay •  Hungarian hacker •  Senior Security Consultant @ NCC Group •  Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 •  Lots of experience in offensive security •  Started with ring0 debuggers and disassemblers in 2000 (13 years old) •  Major projects: •  GI John (2009) – Hacktivity •  Chw00t (2015) – PHDays, DeepSec, Hacktivity •  XFLTReaT (2017) – BruCON, HITB GSEC, Shakacon •  Twitter: @xoreipeip •  Linkedin: https://www.linkedin.com/in/bucsayb
  • 3. Presentations •  Talks around the world: •  Singapore (SG) / Hack in the Box GSEC •  Honolulu (HI) / Shakacon •  Atlanta (GA) / Hacker Halted •  Moscow (RU) / PHDays •  Oslo (NO) / HackCon •  Vienna (AT) / DeepSec •  Budapest (HU) / Hacktivity •  London (UK) / Inf. Gov. & eDiscovery Summit •  There is some more space here… @xoreipeip
  • 7. Why would one use tunnels? •  Work VPN – to access the corporate internal network •  Hide real IP address •  Whistle-blowers/Journalists to communicate anonymously •  Torrent •  ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …) •  Bypass corporate proxy policy •  Bypass captive portals!? •  What about you? @xoreipeip
  • 8. Have you done … tunnelling? Protocol Tool TCP @xoreipeip
  • 9. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip
  • 10. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip
  • 11. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip
  • 12. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier OpenVPN Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip
  • 13. Oh no! I forgot to set up my OpenVPN on port 443 (Port TCP/443 unfiltered) Two days on a ferry
  • 14. 10 hour flight to Japan (ICMP unfiltered)
  • 15. At the airport (DNS unfiltered)
  • 16. What did I see? Get tired of: •  As many protocols as many solutions •  Hard to modify the existing ones •  No modularity •  Portability issues •  Configuration issues •  Unsupported/EoL tools •  No automation at all •  It is just hard, but it does not have to be! @xoreipeip
  • 18. Tunnelling theory 101 / MTU @xoreipeip
  • 19. What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) •  Tunnelling framework •  Open-source •  Python based •  OOP •  Modular •  Multi client •  Plug and Play (at least as easy as it can be) •  Check functionality @xoreipeip
  • 20. Easy, modular, plug & play •  Install: •  git clone & pip install •  edit config •  run •  Tunnels, encryption, authentication etc. are modular •  Plug and play: •  Copy new module into modules/, support files to support/ •  edit config •  run @xoreipeip
  • 21. Framework, as it is You do not have to: •  Set up the routing •  Handle multiple users •  Create and set up an interface or interfaces •  Care about encryption, authentication or encoding You only have to: •  Encapsulate your packets into your protocol •  Implement protocol related things @xoreipeip
  • 22. Check functionality •  Easy way to figure out, which protocol is not filtered on the network •  Automated approach: No deep knowledge is needed •  Client sends a challenge over the selected (or all) modules to the server •  If the server responses with the solution: •  We know that the server is up and running •  The specific module/protocol is working over the network •  Connection can be made @xoreipeip
  • 23. One interface to rule them all @xoreipeip
  • 24. Channels •  There are two channels in every tunnel •  Data: data transmission •  Control: control messages •  Check message/response •  Authentication related messages •  Logoff message •  Dummy message for keep-alive and query request •  Auto-tune messages •  etc. @xoreipeip
  • 27. Ease of use/development •  Only web traffic allowed? @xoreipeip
  • 28. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? @xoreipeip
  • 29. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? @xoreipeip
  • 30. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? @xoreipeip
  • 31. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? @xoreipeip
  • 32. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? @xoreipeip
  • 33. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type 0 allowed? Copy ICMP module, change type 8 to 0 •  HTTP should work, but only with special header? Set the header in source •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  Special authentication over HTTP proxy? Implement the auth, change the config •  Want to send data over text/SMS? Handle connection with your phone from a module •  PROTIP: just use the source! @xoreipeip
  • 34. SCTP + WebSocket •  SCTP module created and submitted by @info_dox •  Best example of how easy to create a standard tunnel •  Please use the next-version branch for developing •  Create issues •  WebSocket module added •  Created a new tunnel in 3-4 hours •  Ideal for proxies if WebSocket is supported •  What is your next module? @xoreipeip
  • 35. DEMO
  • 36. A few technical details •  TCP is pretty easy •  New connection/new thread for all users •  UDP introduced new challenges •  Stateless - One socket for all users •  Sender address needs to be checked •  ICMP •  Just like UDP it is stateless as well •  Identifier and sequence tracking (for NAT/Firewalls) •  As many request as many answers @xoreipeip
  • 37. DNS module @xoreipeip •  The DNS module is not 100% yet •  Zonefile support included •  Supports A/CNAME, PRIVATE and NULL records (easily extendable) •  Tested with Bind9 •  Auto tune functionality checks: •  Which is the best encoding and length for upstream •  Which is the best encoding, length and record type down downstream •  Example: NULL record with no encoding with 300bytes downstream
  • 38. Why tunnelling can’t be done over A record @xoreipeip •  Question of all time! •  A request with CNAME answer is possible •  A request with A answer is not •  A / AAAA records can have 4/16 bytes long payload •  Simple TCP ACK packet is 66 bytes •  This means 17 DNS packets / ACK •  338 packets for a full size TCP packet (with MTU set 1350)
  • 39. Offense •  Bypass basic obstacles •  Specific ports are unfiltered (TCP / UDP) •  DNS allowed •  ICMP allowed •  Bypass not that basic obstacles •  Specific protocol allowed (IPS or any other active device in place) •  Special authentication required •  Exfiltrate information from internal networks •  Get unfiltered internet access @xoreipeip
  • 40. Defense for companies Check your network settings •  Check functionality •  Try to exfiltrate data – check whether your active network device can catch it Captive portals •  Drop all packets that are addressed to external until not authenticated •  All DNS query should have the same response (the portal) @xoreipeip
  • 41. Defense for companies No solution is 100% secure •  Do not route your network to the internet •  Disable all traffic between the internet and internal network •  Use HTTP Proxy and enforce it •  Whitelist ports (80 and 443, would you need anything else?) •  Blacklist websites (does not really help on XFLTReaT) •  DNS •  Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip
  • 42. Defense for companies No solution is 100% secure •  Do you have an inventory? (IP, owner, purpose, location) •  Do baselining (Use Netflow or Bro) •  Check relation between IPs •  What are the top talker source IPs (bytes, packets, flows)? •  What are the top destination IPs (bytes, packets, flows)? •  Any unusual activity should generate an alert/be blocked when you are done @xoreipeip
  • 44. TODO @xoreipeip •  Commenting •  Bug fixes •  Authentication + encryption modules •  Multi OS support •  New modules •  You can help if you would like! (use next-version branch)
  • 45. Q&A - Thank you for your attention Balazs Bucsay / @xoreipeip
  • 46. Office Locations Europe Manchester - Head Office Amsterdam Basingstoke Cambridge Copenhagen Cheltenham Delft Edinburgh Glasgow The Hague Leatherhead Leeds London Madrid Malmö Milton Keynes Munich Vilnius Zurich North America Atlanta, GA Austin, TX Boston, MA Campbell, CA Chicago, IL Kitchener, ON New York, NY San Francisco, CA Seattle, WA Sunnyvale, CA Toronto, ON Asia-Pacific Singapore Sydney Middle East Dubai