HTTPS Command and Control

With my recent exploration of covert channels, one common and simple channel keeps reoccurring: HTTP/S. It is a great covert channel because of its versatility: you can use legitimate content servers, you can easily encrypt the entire channel, you can use techniques like certificate pinning to authenticate connections while still looking legitimate, and you can get out of a well-filtered network through services such as corporate proxies. A lot of malware uses HTTP/S for its command and control (C2), such as the old Comment Crew, botnets, and even new targeted campaigns, so it is great for real-world threat simulation.

I developed a proof of concept (POC) for testing detection of one-off / unknown HTTPS C2, as well as to aid penetration testers in high-security environments. The scenario this is designed for is one with limited egress options and an outbound HTTPS MITM proxy, such as Bluecoat proxies. This concept is also widely used in malware, such as Kurton from Mandiant's APT1 report, which is proxy-aware malware and has a much higher chance of getting out of the network compared to arbitrary TCP/UDP C2 protocols. Some malware will use full-on REST API-like requests, while malware such as Murcy uses custom HTTP headers to transmit its commands. So, as you can see, even within the HTTP/S channel you have many options for where you place your command instructions. This is a fun project because there is so much room for creativity and customization. My POC remote access trojan (RAT) is a stand-alone Python script, so we can build it down to a native executable for spear phishing. The server is in nodejs, chosen for exploring its asynchronous / API capabilities as a web server and application language. All in all, I had a lot of fun messing with both the nodejs server and the Python request libraries! That said, this project is a continuous work in progress, so make sure to stop back for recent updates, or you can even request features in the comments or on the github repo.

My code is freely available for those looking for a template or just wanting to mess with a web C2 remote access trojan. However, if you are looking to write your own 'unknown' web-based remote access trojan, I've included some really good programming guides using other platforms, such as C# and PHP (warning: some strong language in those demos). Programming your own backdoors, exploits, and security tools is always a great idea, so if you don't know how to write one of these yourself, go through some examples or ask me questions regarding my POC! Enjoy all :)