2. Who we are
◎Larry Suto - Larry is an independent
security consultant based out of Oakland,
CA. He spends a lot of time researching
using cloud infrastructure for all types of
security testing. He spends some time on
Windows security as well.
Twitter: @larrysuto
3. Who we are
◎Jeff Holden – Works at the largest college
system in the United States. CISO by day,
hacker by night. Currently living in an RV
with 3 dogs, 1 wife, and 1 kid.
◎@jeffh
4. Goals
◎Working in AWS, GCE, Azure
◎Automated
○ Set domains, access keys, etc
◎Portable
◎Scriptable
10. What is this Kops thing?
• Takes care of the infrastructure grunt work
• Creates Network
• Creates Base VMs
• Creates load balancer
• Creates Access list
• Supports
○ AWS
○ GCE
12. External DNS
◎Support all major cloud services
◎ A pod adds and updates DNS entries in the cloud
provider's DNS
○ Need to use the cloud provider specific tool to create the
hosted zone
○ Can automate domain registration
15. Background
◎Placing Apache mod_rewrite in front of C2 infrastructure has been
commonplace for many years now
◎Many advances have been made in redirection technology recently, driven
by the move to container-based cloud systems such as Kubernetes
◎Adoption of Docker by the red team is common, but we have seen little in
the way of container management systems and service mesh technology,
which provide sophisticated mechanisms for ingress and egress
manipulation
◎Service mesh technology holds a lot of promise for sophisticated C2
redirection and traffic manipulation, and can leverage multiple clouds with
many simultaneous ingress points
◎With Kubernetes it's quite straightforward to introduce new redirection
points dynamically
16. Recipes for Containerizing C2
◎Candidates
○ Cobalt Strike
○ Merlin (http/2)
○ Many others (Empire, Faction, Sliver, Covenant, ...)
31. Envoy Proxy
◎It can proxy any TCP protocol.
◎It can do SSL. Either direction.
◎Full support for HTTP/2 and can translate between HTTP/2 and
HTTP/1.1 (either direction).
◎It has good flexibility around discovery and load balancing.
◎It's a sidecar process, so it's completely agnostic to your service
implementation language
32. Envoy xDS API
◎Listener Discovery Service (LDS) - an API that allows Envoy to query what
listeners should be exposed on this proxy
◎Route Discovery Service (RDS) - a part of the configuration for listeners that
specifies which routes to use; this is a subset of LDS for when static and
dynamic configuration should be used
◎Cluster Discovery Service (CDS) - an API that allows Envoy to discover what
clusters and respective configuration for each cluster this proxy should have
◎Endpoint Discovery Service (EDS) - a part of the configuration for clusters
that specifies which endpoints to use for a specific cluster; this is a subset of
CDS
◎Secret Discovery Service (SDS) - an API used to distribute certificates
◎Aggregate Discovery Service (ADS) - a serialized stream of all the changes to
the rest of the APIs; you can use this single API to get all of the changes in
order
38. Envoy Based Ingress Controllers
◎Gloo
◎Istio
◎We also will start providing examples for
Traefik as it is a very simple and easy to
deploy edge proxy written in golang.
39. Envoy based Gateways
◎Gateway describes a load balancer operating at the
edge of the mesh receiving incoming or outgoing
HTTP/TCP connections.
40. Envoy based Virtual Services
◎A Virtual Service defines a set of traffic routing rules to
apply when a host is addressed. A routing rule defines
matching criteria for traffic of a specific protocol.
◎If the traffic is matched, then it is sent to a named
destination service (or subset/version of it) defined in the
registry.
◎Supports many protocols: http, https, http/2
43. gloo Gateway
◎Installs with Helm:
○ helm repo add gloo https://storage.googleapis.com/solo-public-helm
○ helm install gloo/gloo --namespace my-namespace
◎Installs with default ports 80 and 443 but this can be
customized with Helm
https://gloo.solo.io/installation/gateway/kubernetes/
◎Or kubectl edit gateway-proxy-v2 -n gloo-system
◎Also can be configured as a pure TCP Proxy
○ https://gloo.solo.io/gloo_routing/tcp_proxy/
47. gloo Multiple TLS VirtualServices with SNI
kubectl create secret tls teamserver2-cert --key tls.key --cert tls.crt --namespace default
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=teamserver2.ccco.net"
glooctl create virtualservice --name teamserver2 --domains teamserver2.ccco.net
glooctl edit virtualservice --name teamserver2 --namespace gloo-system --ssl-secret-name teamserver2-cert --ssl-secret-namespace default --ssl-sni-domains teamserver2.ccco.net
You will get errors because the upstream listener is serving https
48. gloo Setting up Client TLS (mTLS)
Create Upstream Secret (or use the one for the gateway)
kubectl create secret tls teamserver2-upstream-tls --key key.pem --cert cert.pem --namespace default
Update the Upstream with Secret
glooctl edit upstream --name default-teamserver2-server-443 --namespace gloo-system --ssl-secret-name teamserver2-upstream-tls --ssl-secret-namespace default
Dump the Updated Upstream
kubectl get upstream -n gloo-system default-teamserver2-server-443 -o yaml
56. Istio Ingress Private Load Balancer
kubectl get svc istio-ingressgateway -n istio-system -o yaml > private-ingressgateway.yaml
• Add annotation: service.beta.kubernetes.io/aws-load-balancer-internal="true"
• Change the name to anything, i.e. from istio-ingressgateway to
private-ingressgateway
• Change the app label to anything, i.e. istio-ingressgateway to
private-ingressgateway
• Change the istio label to anything, i.e. ingressgateway to
private-ingressgateway
• Change the selector configuration section and update the app and
istio labels to match the values you defined in the metadata section
• Remove all the nodePort values from the ports configuration so
new ports can be allocated automatically
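The six edits above applied as a repeatable transform, as an added Python example that is not from the slides: it works on the Service manifest loaded as a dict (e.g. from `kubectl get svc ... -o json`), the sample manifest is constructed, and dropping the server-assigned fields is an extra step the slide does not mention.

```python
import copy

INTERNAL_LB_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"

# Constructed stand-in for the dumped istio-ingressgateway Service,
# reduced to the fields the slide's steps touch (not a real cluster dump).
GATEWAY_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "istio-ingressgateway",
        "namespace": "istio-system",
        "labels": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
        "annotations": {},
        "resourceVersion": "12345",
    },
    "spec": {
        "type": "LoadBalancer",
        "clusterIP": "10.0.0.10",
        "selector": {"app": "istio-ingressgateway", "istio": "ingressgateway"},
        "ports": [
            {"name": "http2", "port": 80, "targetPort": 8080, "nodePort": 31380},
            {"name": "https", "port": 443, "targetPort": 8443, "nodePort": 31390},
        ],
    },
}


def make_private_ingress(svc, new_name):
    """Return a copy of an ingressgateway Service rewritten per the slide's six steps.

    The new selector must match the pod labels of a gateway Deployment that
    carries `new_name` as its app/istio labels (assumed to exist separately)."""
    out = copy.deepcopy(svc)
    meta = out["metadata"]
    meta.setdefault("annotations", {})[INTERNAL_LB_ANNOTATION] = "true"  # step 1: internal LB
    meta["name"] = new_name                                               # step 2: new name
    meta["labels"]["app"] = new_name                                      # step 3: app label
    meta["labels"]["istio"] = new_name                                    # step 4: istio label
    out["spec"]["selector"] = {"app": new_name, "istio": new_name}        # step 5: selector
    for port in out["spec"]["ports"]:                                     # step 6: free nodePorts
        port.pop("nodePort", None)
    # Not on the slide: server-assigned fields would make the copy fail to create.
    for key in ("resourceVersion", "uid", "creationTimestamp"):
        meta.pop(key, None)
    out["spec"].pop("clusterIP", None)
    out.pop("status", None)
    return out
```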
58. Exposing Services via Istio ingressgateway
◎To expose a service using ingressgateway you have to create at
least 2 objects
○ Gateway
○ Virtual Service
62. StringMatch for HTTP Headers
Field    Type             Description
exact    string (oneof)   exact string match
prefix   string (oneof)   prefix-based match
regex    string (oneof)   ECMAscript style regex-based match
Case sensitive
63. Istio ingressgateway Tips
◎A selector is used by Istio to select the ingressgateway.
This is important when there are multiple
ingressgateways
◎Istio uses port naming in some routing logic
◎Port names are of the form protocol-suffix, with grpc,
http, http2, https, mongo, redis, tcp, tls or udp as the
protocol.
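A small lint for that port-naming rule, as an added Python example that is not from the slides: it reports Service ports whose names Istio could not classify, using the protocol list given above; the sample Service manifest is constructed.

```python
# Protocols Istio recognises as port-name prefixes, as listed on the slide.
ISTIO_PROTOCOLS = {"grpc", "http", "http2", "https", "mongo", "redis", "tcp", "tls", "udp"}


def port_protocol(name):
    """Return the protocol Istio would infer from a port name of the form
    protocol[-suffix], or None when the name carries no recognised protocol."""
    if not name:
        return None
    prefix = name.split("-", 1)[0].lower()
    return prefix if prefix in ISTIO_PROTOCOLS else None


def lint_service_ports(service):
    """Return (port number, problem) tuples for ports Istio cannot classify;
    an empty list means every port name follows the protocol[-suffix] form."""
    problems = []
    for p in service.get("spec", {}).get("ports", []):
        name = p.get("name", "")
        if port_protocol(name) is None:
            why = ("unnamed port" if not name
                   else f"unrecognised protocol prefix {name.split('-', 1)[0]!r}")
            problems.append((p["port"], why))
    return problems


# Constructed Service (not from the slides): two well-named ports, two that Istio
# would treat as plain TCP because the name gives it no usable protocol.
BACKEND_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "backend", "namespace": "default"},
    "spec": {
        "ports": [
            {"name": "https-web", "port": 443, "targetPort": 8443},
            {"name": "tcp", "port": 50050, "targetPort": 50050},
            {"name": "ssl-alt", "port": 8443, "targetPort": 8443},
            {"port": 9000, "targetPort": 9000},
        ]
    },
}
```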
64. Routing to External Destinations
◎Envoy passthrough to external services
○ On by default
○ global.outboundTrafficPolicy.mode option set to ALLOW_ANY
○ kubectl get configmap istio -n istio-system -o yaml | grep -o "mode: ALLOW_ANY"
65. Notes on Ingress Capabilities
◎A mesh can have any number of gateways, and multiple different implementations of the
gateway can coexist
◎The Kubernetes Ingress API cannot express the routing needs of Istio. Kubernetes Ingress
looks for a common intersection between different HTTP proxies. It only supports the most
basic of HTTP routing.
◎Kubernetes Ingress itself does not support the TCP protocol. Kubernetes Ingress cannot be
set up to configure an NGINX Ingress Controller for TCP load balancing; that requires a special
configmap
◎Istio Gateway has overcome the above shortcomings of Ingress by separating the L4-L6
configuration from the L7 configuration
◎Gateway is only used to configure L4-L6 functions
○ exposed ports, TLS configuration
◎A VirtualService is bound to a Gateway in order to control inbound TCP and HTTP traffic
68. TLS Ingress Gateway Non-Passthrough
Create a Kubernetes secret to hold the server's certificate and private key.
Use kubectl to create the secret istio-ingressgateway-certs in namespace
istio-system. The Istio gateway will load the secret automatically.
kubectl create -n istio-system secret tls istio-ingressgateway-certs --key key.pem --cert cert.pem
Create a Gateway and a VirtualService with the desired routing rules
71. Istio TLS Ingress Gateway Multiple Hosts
Create the secret for the additional backend
kubectl create -n istio-system secret tls istio-ingressgateway-teamserver2service-certs --key key.pem --cert cert.pem
To include a volume mounted from the newly created secret, patch the istio-ingressgateway deployment:
patch.json
kubectl -n istio-system patch --type=json deploy istio-ingressgateway -p "$(cat patch.json)"
77. Drone
◎Drone is a modern CI/CD platform built with
containers as first class citizens. Pipelines are
configured using a yaml file that you check in to your
git repository.
◎Can be deployed as a Docker container to a VM or a
Kubernetes cluster
◎Integrates with a git repository and can deploy pipelines
to a Kubernetes cluster
79. Monitoring C2 with Prometheus
◎Open source metrics-based monitoring system
◎Can be used to instrument applications
◎Applications without instrumentation support can be monitored
using exporters and other legacy methods
○ extract whitebox monitoring data from application logs for collection
in a timeseries database
○ Google mtail
○ Grok Exporter
○ JMX (Cobalt Strike teamserver is a Java application, so theoretically it
could be supported)
◎C2 authors and developers can instrument code to provide fine-grained
monitoring support
80. Google mtail
◎Can be used to create timeseries data from standard logs
○ https://github.com/google/mtail/blob/master/docs/Programming-Guide.md
◎Prometheus exporter is available
◎Cobalt Strike teamserver logs are in the Cobalt Strike working
directory:
○ i.e. /opt/cobaltstrike/logs
○ Weblogs and beacon session logs are available
◎Use mtail to create counters by matching events in the log with
regular expressions
81. Grok Exporter
◎https://github.com/fstab/grok_exporter
◎Can be used to convert arbitrary logs into
Prometheus compatible time series data
◎An example would be the Cobalt Strike
beacon log checkin entry
○ This interval can be collected as a metric to
monitor beacon health
◎Grok Exporter uses same language as