As the most common outbound traffic is likely web traffic, let's emulate it. There are a few tools we can use to make this happen; the best part is that they are free and open source.

The first step in emulating web traffic is making our communication speak the same protocol as the normal traffic. HTTPS traffic (encrypted HTTP) uses SSL/TLS (Secure Sockets Layer / Transport Layer Security) encryption to ensure that all communication between the web browser and the web server is safe from a third party seeing what is being transferred. Any website where you see the lock icon next to the URL is using such encryption to protect your data. TLS is the preferred method, as TLS is an updated, more secure version of SSL.

How does this benefit an attacker? Since these protocols encrypt the traffic within them, if we can use SSL/TLS to encapsulate SSH traffic, the SSH traffic would be shielded from detection (unless there is a security device in the middle that can decrypt the SSL/TLS traffic).

Socat is a tool that is used to transfer data between two addresses using a desired protocol. Since we want to communicate with our C2 server using TLS, we can create this transfer pipe using OpenSSL. For our demonstration, we will use our 'pc-tech.pro' domain for C2 (an Ubuntu server hosted in Amazon AWS).

1) Install socat on the implanted/rogue device (sudo apt install socat).
2) Modify the SSH config file for our user to use ProxyCommand to establish a tunnel using OpenSSL to our C2 domain on port 443.

What this configuration does is that for any SSH connection to 'pc-tech.pro', socat will be used to create a TLS tunnel, using the site's certificates, in which the SSH traffic is encapsulated.

Now that we have a means of encapsulating SSH traffic to our C2 server, we need something to receive and decrypt the traffic. In short, Stunnel is a tool designed to add TLS encryption to applications that do not speak the protocol natively. In our case, it will be used to host the TLS certificates used for our encapsulation, decode incoming traffic, and forward the traffic to another port.

1) The first step in our configuration is to install the software on the C2 server (sudo apt install stunnel4).
2) Set up the configuration file (/etc/stunnel/nf). *This will need to be created as it does not exist by default.* Define rules for the specified traffic type (SSH for us). Listen on all interfaces on port 443 (HTTPS).
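The point made above is that a passive observer sees only a TLS session to port 443, so the TLS layer alone does not distinguish this tunnel from ordinary HTTPS. What does differ is the application layer behind the TLS front door: a web server answers a request with an HTTP status line, whereas an sshd fronted by stunnel announces itself with an SSH identification string (RFC 4253) as soon as the connection is up. The following check, an added example that is not part of the original post or of the stunnel/socat projects, completes a TLS handshake to a destination of the analyst's choosing, sends a harmless HEAD request and classifies the first bytes returned. The host name passed to the probe, and the banner strings in the sample table, are constructed for illustration; the block performs no network access when run as written.

```python
"""Classify what actually answers behind a TLS port (added example, not
from the original post).  Use case: an egress destination on 443 that
validates as HTTPS, but where the decrypted application layer turns out
to be SSH rather than HTTP."""
import socket
import ssl
from typing import Dict, Optional


def classify_banner(data: bytes) -> str:
    """Classify the first application-layer bytes seen after the TLS handshake.

    Returns 'ssh' for an SSH identification string, 'http' for an HTTP
    response status line, 'empty' if the peer sent nothing within the
    timeout, and 'unknown' for anything else.
    """
    if not data:
        return "empty"
    # RFC 4253 section 4.2: the server identification string begins with
    # "SSH-" and is sent by the server before any client data is needed.
    if data.startswith(b"SSH-"):
        return "ssh"
    # RFC 9112 section 4: an HTTP response begins with a status line
    # "HTTP/<major>.<minor> <code> <reason>".
    if data.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def first_line(data: bytes) -> str:
    """Return the first CRLF-terminated line as printable text for a report."""
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace")


def probe_tls_service(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Connect with TLS (SNI set to host), send a minimal HEAD request and
    report which protocol the peer actually speaks.

    Certificate validation stays on deliberately: a tunnel front door that
    presents the site's real certificate validates fine, which is exactly
    why looking at the TLS layer alone tells a defender nothing.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.settimeout(timeout)
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            try:
                first = tls.recv(4096)
            except socket.timeout:
                first = b""
            return {
                "host": host,
                "port": str(port),
                "tls_version": tls.version(),
                "service": classify_banner(first),
                "banner": first_line(first),
            }


# Constructed sample responses, as an analyst would capture them after the
# TLS layer has been removed (e.g. by an inspecting proxy or by the probe).
SAMPLES: Dict[str, bytes] = {
    "stunnel_fronted_sshd": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "web_server": b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
    "silent_peer": b"",
    "something_else": b"220 mail.example.test ESMTP\r\n",
}


def triage(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every captured first response; flags anything that is not HTTP."""
    return {name: classify_banner(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        flag = "" if verdict == "http" else "  <-- not a web server"
        print(f"{name:22s} {verdict:8s} {first_line(SAMPLES[name])}{flag}")
    # Live use against a destination under review (not run here):
    # print(probe_tls_service("host-under-review.example"))
```

Anything classified as `ssh` or `unknown` on a port that egress policy permits because it is "just HTTPS" is the finding: the TLS certificate, SNI and port all look legitimate, and only the protocol behind them gives the tunnel away. The same logic can be applied to the decrypted payload on an inspecting proxy, which is the "security device in the middle" the post refers to.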