Slide 1: Inside-Out Attacks
ivan.buetler@csnc.ch
Covert Channel Attacks, Inside-out Attacks, Page 1
Slide 2: Goals of this presentation
Responses to the following questions:
- What are inside-out attacks?
- Who will use this technique?
- How can you prevent or mitigate them?
Slide 3: Definition
Inside-Out attacks try to initiate network connections from the trusted (corporate) network to the untrusted (Internet) network.
Synonyms:
- Inside-Out Network Subversion
- Inside-Out Attack
- Covert Channel Attack
Slide 4: Definition, Inside-Out Variants
1. Implementing hacker code within the optional fields of an Internet-allowed protocol (DNS tunnel, ICMP tunnel)
2. Tunneling hacker payload within the request and response of an Internet-allowed protocol (HTTP tunnel, e-mail tunnel)
3. Running other protocols on ports than those normally assigned (for example running IRC on port 80, the HTTP port)
4. Misusing Internet-allowed protocols (proxy CONNECT method)
Slide 5: Definition, Covert Channel
A covert channel is a mechanism for sending and receiving data between machines without alerting any firewalls and IDSs on the network. The technique derives its stealthy nature from the fact that it sends traffic through ports that most firewalls will permit.
Slide 6: Direct Inside-Out Attacks
[Diagram: Simple Inside-Out Attack, direct connection from the Corporate LAN to the Internet]
Direct Channels:
- ACK tunnel
- TCP tunnel (pop, telnet, ssh)
- UDP tunnel (syslog, snmp)
- ICMP tunnel
- IPSEC, PPTP
Slide 7: Proxified Inside-Out Attacks
[Diagram: Advanced Inside-Out Attack, Corporate LAN via LAN Proxy and DMZ Proxy to the Internet]
Proxified Channels:
- Socks SSL tunnel
- HTTP/S tunnel (payload of HTTP = tunnel)
- HTTP/S proxy CONNECT method tunnel
- DNS tunnel
- FTP tunnel
- Mail tunnel
Slide 8: Reverse Shell, RAT Remote Administration
[Diagram: standard connection (telnet, ssh, etc.) between Hacker and Victim Server, showing network flow (connectivity) and data flow]
Slide 9: Reverse Shell, RAT Remote Administration
[Diagram: reverse shell (reverse telnet) between Hacker and Victim Server, showing network flow (connectivity) and data flow]
In the reverse variant the victim opens the network connection outward to the hacker, while the data (commands) still flow from hacker to victim.
Slide 10: Remote Control Session
Motivation of a remote control session:
- Gaining user credentials, accessing other systems
- Using the compromised host as source for further attacks
- Implementing the whole hacker attack into a virus is almost impossible (time, cost)
Who wants to have remote control?
- White-collar crime
- Script kiddies
Slide 11: Installation of RAT, Direct Attack
[Diagram: the hacker-controlled host sends an arbitrary webserver request (buffer overflow, code execution); the hacker establishes remote access to the victim (RAT); the outbound Inside-Out connection PASSES the firewall]
Slide 12: Installation of RAT, Indirect Attack
[Diagram: the direct inbound connection from the hacker-controlled host is BLOCKED (port denied); the hacker establishes remote access to the victim (RAT) through an Inside-Out connection on an allowed port]
Slide 13: Installation of RAT, Indirect Attacks
Delivery:
- E-Mail (attachments, HTML social engineering)
- Web download
- CDROM
- ZIP
- USB stick
Execution by:
- Manual
- Client vulnerabilities
- Autostart CDROM
[Diagram: the inbound connection from the hacker-controlled host is BLOCKED; the installed RAT then connects out (Inside-Out Attack)]
Slide 14: Top 6 Covert Channel Attacks
- Netcat
- DNS tunnel
- SSH reverse tunnel
- HTTP/S tunnel
- HTTPS proxy CONNECT method tunnel
- ICMP tunnel
Slide 15: RAT: Netcat
Slide 16: RAT: Covert Channel using DNS Tunneling
[Diagram: internal client → Internal DNS (DHCP, AD) in the Corporate LAN → DMZ DNS → Internet root name servers → Hacker DNS]
Problem: domain name lookups are allowed for any internal client.
Slide 17: RAT: Covert Channel using DNS Tunneling
[Diagram: the DNS client repeatedly POLLs the hacker's DNS server, which takes its commands from a command file; the client executes the commands it receives]
Commands:
1. POLL
2. GET FILE TO CLIENT
3. PUT FILE TO SERVER
4. EXECUTE @CLIENT
5. EXIT CLIENT
Slide 18: Remediation Steps (DNS tunnel)
Mitigation:
- Conceptual: separate internal from external DNS
- Firewall: allow DNS from the internal HTTP proxy
- Firewall: allow DNS from special sources only
  - Anti-virus
  - VPN clients
- Firewall: deny all other DNS packets
- Zone concept
Potential problems:
- Internal applications which do not support an HTTP proxy (anti-virus pattern update, ...)
- VPN clients from the corporate LAN to foreign addresses
Slide 19: RAT: Covert Channel using SSH (Simple), TCP/IP Gender Changer
[Diagram: 1: standard connection from the Corporate LAN to a Citrix Server (Windows Terminal Server); 2: SSH connection through the firewall to the hacker's SSH server on port 22 in the Internet; 3: reverse connection back over that SSH session]
Requirement: SSH port allowed by the firewall.
Slide 20: RAT: Covert Channel using SSH (Advanced), TCP/IP Gender Changer
[Diagram: 1: standard connection from the Corporate LAN to a Citrix Server (Windows Terminal Server); 2: SSH over SSL CONNECT through the HTTP/S proxy (http, ftp, https) and content filter to the hacker's SSH server on port 443 in the Internet; 3: reverse connection]
Requirement: HTTPS allowed to any destination.
Slide 21: RAT: Covert Channel using SSH (Advanced), HTTPS Proxy CONNECT method
Slide 22: RAT: Covert Channel using SSH (Advanced), HTTPS Proxy CONNECT method (continued)
Slide 23: Remediation Steps (SSH over SSL CONNECT)
Mitigation:
- Firewall: whitelisting of trusted HTTPS destinations
- Proxy: whitelisting of trusted HTTPS destinations
- Firewall: whitelisting of trusted SSH destinations
- Zone concept
Comment: a content filter does not help (SSL).
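An added example, not from the slides or the tools named on them: a Python check that applies the proxy-side whitelisting above to constructed proxy access-log lines, flagging CONNECT requests to destinations outside the allowlist or to ports other than 443 (the SSH-over-SSL-CONNECT case of slide 20). The log format, the allowlist and all hostnames and addresses are assumptions.

```python
from fnmatch import fnmatch

# Constructed proxy access-log lines (not from the slides). Assumed format:
# "<time> <client> <method> <host:port or URL> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
10:01:01 10.1.2.3 CONNECT mail.example.com:443 200 48213
10:01:05 10.1.2.9 CONNECT 203.0.113.10:443 200 913402
10:01:09 10.1.2.9 CONNECT 203.0.113.10:22 200 5120
10:01:12 10.1.2.4 GET http://www.example.com/index.html 200 2048
10:01:20 10.1.2.3 CONNECT login.partner.example:443 200 17211
"""

# Constructed allowlist of HTTPS destinations the proxy may CONNECT to.
ALLOWED_CONNECT = ["*.example.com", "login.partner.example"]

def check_connect(log_text, allowed=ALLOWED_CONNECT):
    """Return one finding per CONNECT request that violates the allowlist.
    CONNECT opens an opaque TCP tunnel, so the content filter cannot see
    what is inside; the destination and port are the only policy hooks."""
    findings = []
    for line in log_text.splitlines():
        _, client, method, target, _, nbytes = line.split()
        if method != "CONNECT":
            continue  # plain HTTP requests stay visible to the content filter
        host, _, port = target.rpartition(":")
        reasons = []
        if port != "443":
            reasons.append("non-443 port " + port)
        if not any(fnmatch(host, pattern) for pattern in allowed):
            reasons.append("destination not in allowlist")
        if reasons:
            findings.append({"client": client, "host": host, "port": port,
                             "bytes": int(nbytes), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in check_connect(SAMPLE_PROXY_LOG):
        print(finding)
```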
Slide 24: RAT: HTTP/S Tunneling Attack
- Using POST requests
- Implementing an own service via POST requests
- POST data are in binary form
[Diagram: 1: HTTP + applet from the Corporate LAN through the HTTP/S proxy (http, ftp, https) and content filter to a webserver in the Internet; 2: SSH carried inside the HTTP traffic to an SSH server]
Slide 25: Mitigation of the HTTP/S Tunneling Attack
- Whitelisting HTTPS destinations
- Content filtering of the HTTP payload
Implementations:
- hts, htc
- cctt (covert channel tunneling testing)
Slide 26: RAT: Covert Channel using ICMP
- ishell
- BO2K (putt-plugin)
Slide 27: Covert Channel Portal
http://gray-world.net
"At present, we've developed some projects that allow establishing Covert Channels inside TCP (HTTP, HTTPS, MSN) and UDP protocols:
- Active Port Forwarder: SSL secure packet tunneling;
- CCTT: arbitrary TCP and UDP data transfers through TCP, UDP and HTTP POST messages;
- Firepass: arbitrary TCP and UDP data transfers through HTTP POST messages;
- MsnShell: remote Linux shell through the MSN protocol;
- Wsh: remote Unix/Win shell through HTTP and HTTPS protocols."
Slide 28: Using forbidden Internet Applications, Bypass Firewall Policy
Slide 29: Bypassing Firewall Policy
Motivation of a firewall bypass:
- Surfing to filtered websites (e.g. www.hacker.com)
- Listening to Internet radio
- Chatting with Internet friends
- Administration of home webservers via SSH
- Up- and download of special files (EXE, ZIP) which are filtered by the corporate content-filter policy
- Using peer-to-peer techniques or other kinds of shared medium (music, programs, video, ...)
Who wants to bypass the firewall policy?
- Advanced users from the internal network
- Freaks and individuals
Slide 30: Example RealPlayer, Bypassing Firewall Policy
[Diagram: Corporate LAN with LAN Proxy, DMZ Proxy, Internet]
Slide 31: Hacker's View and Prevention (yellow), Bypass Firewall Policy
Decision sequence from the user's side, with the matching prevention step in parentheses:
1. Internet port for RealPlayer open? Yes: enjoy Internet music. No: next question. (Prevention: close the RealPlayer port in the firewall configuration.)
2. HTTP version of RealPlayer allowed? Yes: enjoy Internet music. No: next question. (Prevention: deny the RealPlayer Content-Type in the HTTP filter.)
3. SSL CONNECT open to any Internet destination? Yes: installation of a port forwarder or gateway software in front of the desired RealPlayer server (@Internet), then enjoy Internet music. No: next question. (Prevention: whitelisting of SSL-enabled Internet destinations.)
4. Other port open to any Internet destination, from any client? Yes: installation of client tunnel software (@client) plus the port forwarder (@Internet), then enjoy Internet music. No: next question. (Prevention: deny direct TCP/IP connections to any Internet destination.)
5. Other protocol open to Internet destinations (IPSEC)? Yes: same as in step 4. (Prevention: whitelisting of IPSEC to the desired IPSEC partners.)
6. None of the above: Internet music not possible.
Slide 32: Bypassing Firewall Policy, Summary
Who:
- Trojan Horse
- Virus / Spyware
- Hacker Software
- Frustrated Employee
What:
- Want to deliver content to the Internet?
- Want to use forbidden Internet applications?
- Want to establish a remote control session?
- Want to upload more Trojans to the victim?
How:
- Use some kind of standard APIs (mail, http) or covert channels
- Use some kind of covert channels
- Use some kind of Reverse Shell
- Use some kind of FTP
Slide 33: Remediation Steps (firewall bypass)
Mitigation:
- Firewall: deny any-to-any rules
- Content filter: deny unwanted content types
- Firewall: restrict HTTP/S locations
- Firewall: restrict IPSEC locations
- Content filter: deny anonymizer websites
- Zone concept
Whitelisting versus blacklisting:
- Listing of the allowed resources = whitelisting
- Listing of the denied resources = blacklisting
- Whitelisting is more secure
- Blacklisting is easier to handle (convenience)
Slide 34: Summary
Slide 35: Motivation, Who / What / How (repeat of the summary table on slide 32)
Slide 36: Background
Goals of an Inside-Out attack:
- File transfer from victim to hacker
- File transfer from hacker to victim
- Execution of binaries on the victim computer
- Interactive access from hacker to victim = RAT (Remote Administration Toolkit)
- Accessing any Internet service (bypass corporate firewall and content-filter policy)
Slide 37: Attacker Profile, Scope of Covert Channels
- Frustrated employees: bypassing firewall policy (SSH, ICQ, NetMeeting, RealPlayer, special websites, emule, Kazaa, edonkey)
- Trojan horse, buffer overflow: installation of RAT (Remote Admin Toolkit), reverse shell
Slide 38: Summary (I), Covert Channels
Direct:
- ACK tunnel
- TCP tunnel (pop, telnet, ssh)
- UDP tunnel (syslog, dns)
- ICMP tunnel
- IPSEC, PPTP
Proxified:
- Socks SSL tunnel
- HTTP/S tunnel
- HTTP/S CONNECT method tunnel
- DNS tunnel
- FTP tunnel
- Mail tunnel
Slide 39: Summary (II), Mitigation
- Zone concept
- Separate DNS zones
- Deny any direct connections from intranet to Internet
- Whitelisting of HTTP/S destinations
- Content filtering of HTTP traffic
Slide 40: Solution, Zone Concept
[Diagram: Corporate LAN → 1: RDP, ICA, AIP (remote desktop images) → Terminal Server (Citrix Server, Tarantella Server) → 2: HTTP / HTTPS → Webserver in the Internet]
Slide 41: Appendix
Slide 42: Links and References
- http://www.sans.org/resources/idfaq/covert_chan.php
- http://www.firstmonday.dk/issues/issue2_5/rowland/
- http://gray-world.net
- http://www.nocrew.org/software/httptunnel.html
- http://sourceforge.net/projects/javahttptunnel
- http://nstx.dereference.de
- http://www.detached.net/mailtunnel