
We're ready to invite to the stage, you'll see, Sassy and Dora. Let's give them a warm welcome. [Applause]

Right, hello everybody. Very good to be back in the afternoon, together with my friend and colleague, co-founder of Channel Security, Amit. Hi. So today we're going to speak with you briefly, but very much to the point, about the myths behind the command and control server, the command and control channel, from our own personal experience as red teamers on four continents around the world, and show you what we really think about this as an approach.

So the problem begins with the perception, or rather the lack of it. As you know, in this game breaches are inevitable: any organization will be hacked, given motivation and time. And the perception of many organizations, especially those that invest seven figures or more, is that they have this gate and they have the gatekeepers and they're all protected. That's a nice illusion, but in reality, when we come into an organization, whether it's a state agency or a financial customer or a huge telecom or a small company, we always see this reality: there is a gate, but there are things that we find that let us bypass the gate, go around it. So this is the real reality we live in. And of course there is the known axiom that defenders, the blue teams, generalizing of course, think in lists. They just check boxes; that's how the tools are built, the UI even matches the mindset. While we, attackers, adversaries, think in graphs: we move laterally and we can find the right path, the shortest path to success.

So with that said, let's talk about this myth. You obviously need a TCP connection for a command and control server, right? I mean UDP, TCP, or a socket, whatever.

Not so sure.

You think the perimeter is enough to stop a connection to a remote target? What are you saying?

You mean, do we need a TCP connection for a C&C server? I don't think so.

Can you explain what you mean?

Well, I think there are many methods, and there's an assumption that we need an active connection to the endpoint in order to gain command and control, but today we're going to see some proof that it's not always the case.

All right, so you say it's not about an established connection, neither TCP nor UDP or whatever. Basically what you're saying is, it's a mindset, just a mindset?

Exactly.

Okay, I hear you, and I raise with... yeah, sure. So let's take an example. What do we know as an asynchronous mechanism, store-and-forward? Of course: email, SMTP. What about your email client? Can Outlook really go wrong on you and serve as a command and control channel?

It can. Okay, so let's give it a shot.

So we did give it a shot, and we now look at the machine. This machine that you see here in the demo has a folder, C:\temp\xfil, and there are a bunch of documents here, but we wanted the documents of a project called Project X. We want to exfiltrate them from the machine, and we have an Outlook account. As you can see, this Outlook is connected to a Gmail account. The Sent Items folder is blank, it doesn't have anything there, and there are just two items in the inbox. What we're going to do now is infect the machine with a small payload that I prepared in advance. I'm going to show the payload in a second, but first I'm going to show you how I'm going to attack this machine. All I do to attack this machine, once I've infected it, is simply send it an email message. So from somewhere in the world, somewhere on the internet, from any mail provider that I choose, I'm just sending a message. But pay attention: in the body I'm looking recursively for all the files that match "project x", and I'm asking for that to be the result of this payload. And I'm simply sending an email message from somewhere on the internet.

Now I'll switch back to our Outlook client. I deliberately delayed it a bit so you'll see what's happening. Pay attention: yeah, you see my message for a second...

Wow, I'm shocked.

Yeah, can you believe it? It's magic. And now it's gone. Not only is the message in the inbox gone, the sent item, the proof that something was sent, is also deleted. And if we come back to our attacker machine, our attacker email client on the internet, you can see the exfiltrated document. So essentially we got the document out, and the machine basically attacked itself through an asynchronous method, with a day-to-day tool such as an Outlook client.

Amazing.

And here you can see the loop. It's a very simple loop. It's living off the land, as always; we love living off the land, we don't want to introduce too much complicated stuff when we don't need to. It's just the simple Outlook object model. We're running a simple loop where we look at the sender; if the sender is the one we are looking for, we just Invoke-Expression. That's simple PowerShell code. Then we create the message, we attach the results coming back, and after a couple of seconds, after we see that the message was sent, we also delete the message from the Sent Items.

So, other places we can look at. What about the audit logs? There are so many of them, right? I mean, they're just collecting a bunch of stuff. We use them for reconnaissance, naturally we do, but can we do something else with them?

I think yes, you'll see. First, your demo was really, really impressive, and what I realized just now, after seeing it for the first time, is that this technique and other techniques usually involve the initiation of a connection to the endpoint that we want to get control over, right?

Right, I need a connection somehow.

Yeah. It could be a reverse shell, HTTP, using an application layer protocol like HTTP or DNS, maybe a raw TCP socket. But eventually, if we have a perimeter control, and this is at least the assumption in most places, like a firewall or other filtering mechanism, it's going to block the connection. And if we have firewall rules that deny all inbound or outbound connections, we're going to have a problem even with this amazing technique, right?

Right. So I'm wondering, you mentioned firewalls, so if there is a firewall with deny all incoming, even deny all outgoing, on this machine, can you do something about that?

I think we can.

Okay, what if we could... Let's talk about the idea first before we see a nice demo. What if you could take the payload that we want to transfer, convert it into a byte array, and then use this byte array to spoof a list of IP addresses, and then address this endpoint, this target, with this list of spoofed IP addresses? The connection of course is going to be dropped, because the firewall is configured to deny all inbound connections, right? But it's going to have this spoofed IP address, which contains the converted payload, inside the log.

So I think it sounds complicated. I think I need to see it.

You need to see a demo?

Yeah, right, if you will.

Okay, just because you asked.

Thank you.

Okay, so is it playing? No? Okay, great. So what we're going to see now is the target machine, and we're going to witness that the firewall indeed has a deny all inbound connections rule, and trust me, it also has one for the outbound rules as well. Okay, we can see some demonstration of the log files, and see that we have blocked traffic. Open sesame. Okay, and here we have a dropped UDP connection, and soon enough we're going to test it live with an ICMP request, with a ping request from a different workstation. Here I also enabled the GPO mechanism for auditing data in the event log, which is Audit Filtering Platform, only for failure events. That's enough. So let's do a ping to this target machine and see what happens.

All right, I'm a bit scared. What's going to happen?

I'm scared as well. Nothing is working... At least you're here, so I'm not too scared.

Oh, okay, thanks.

Okay, let's go back to our target machine and see what happened. So actually the auditing in the log file is going to have a little bit of a delay because of the mechanism the Windows firewall works with, but if we go to the event log, in just a second, okay, refresh it, then we can see a lot of audit failure events. And as you can see, we have as the source address my address, this is the target address, and the destination port, and the protocol is 1, which is the number for ICMP. Okay, we can see it was indeed blocked, and when we go again to the log file we can see here we have a dropped ICMP connection. So the firewall indeed blocks all the connections, all the inbound connections.

All right, so what can we do now? We first clear the log, so when we establish our method we can see it more clearly, without the noise. Okay, we go back to the source machine, and over here I'm going to run a command. We're going to see it soon on the screen, and then I'm going to stop the video for just a short period of time and explain what we're going to witness.

Okay, is that some kind of a crafted packet?

Exactly. So what we're going to do now is actually the following. We're going to take the following command, which is a powerful command, okay: Get-Date, which will give us the current date, and put it, write it into a file, okay, into a text file inside the directory C:\temp, and the rest of the text that you see over here. Okay, if the file doesn't exist, it will be created, because we have the -Force parameter. And this command is going to be converted into a byte array and then into the spoofed IP list. And then the agent that I already pre-installed on the target is going to take it, convert it back into text, and invoke it using the PowerShell interpreter.

Okay, now we have a little bit of a problem, because if we send a lot of raw data like this, a lot of spoofed IP addresses, how can I recognize that we reached the end of the payload, and not just additional IP addresses that come from connections all over the place? What do you think? You see what we need to do?

Yeah, I think there's a problem here, because it needs to be sequential, right? Even if you send those bytes as spoofed source addresses, you still need some signaling mechanism, right?

Yeah, I think you... you probably did that already?

Yeah, I did.

You did?

Yeah, I did. You see? Yeah, you'll see. I thought about it in advance.

Yeah, okay. I think about stuff.

Yeah, yeah, lucky me.

So we have here the magic end packet. So what exactly is the magic end packet? This is a specially crafted IP address, which will be 55.55.55.55. This is just a random IP address that I chose, and this is going to signal my agent on the target that this is the end of the payload, and you need to take all the spoofed messages up to this exact event and then convert them into the payload and run it.

So let's go back. We just initiated the command. Let's go back to my target machine and see what happens. So as you can see, my temp folder is now empty, it's got nothing inside it, but we got all the messages, and we got here all the spoofed IP addresses, which has a benefit on its own, because right now, if someone investigates this thing, they won't be able to know whether it's just a random IP address or not. And here the file was created, and that's the magic.

And here is the magic end packet.

Exactly. Now wait, wait, before you continue, I want to mention something. You see the source port and the destination port are zero and the protocol is set to 6. This is the convention that tells my agent inside the target that all of the IP addresses that initiated a connection with this pattern, with this convention, belong to the same payload. So in addition to my magic end packet, which we see over here, we have for all the packets the same pattern, so we can put them together into the original payload.

So basically, not only did we spoof who we are, we spoofed the identity of the attacker, we also got the payload executed just by being dropped. So the defenders are basically attacking themselves.

Exactly. And as you can see, we got the log file that was created with the date inside, with the current date. And what can you learn from this information?

I see it's one a.m., which means I need more sleep.

I need more sleep; I need a vacation.

Definitely, yes, we'll speak about that vacation in a short while. Very cool. Thanks.

Thank you very much. That's really cool. So how about people that have air-gapped networks? Then you need to bypass those perimeters without an internet connection whatsoever. So this could be nice once we infect one machine, also in a closed network. But there are other mechanisms, physical things that we can do with physical access. Today, cyber-physical, kinetic-to-cyber and cyber-to-kinetic, these are attacks that we see all the time and we perform all the time. So there are a bunch of tools, some commercial, some that we can build, and we build them ourselves, that can connect via USB or directly to RJ45 and then connect to some other Wi-Fi or GPRS or whatever. We can also use some passive equipment that can also run payloads. So basically we can prepare the payloads in advance and just make sure that this equipment runs them. Or, if we have physical access to equipment, for example you can go to the projector, or to a machine, to a screen, a PC's screen, and just perform a man-in-the-middle with a box, an HDMI man in the middle.

You can hack my projector?

You'll see, I can project your hack.

Yeah, I can... we're not projecting the hacker.

You can also protect the projector. And think about it, you know about meeting rooms in very confidential and strict places, etc. And also with cell phones. Okay, what can we do with cell phones? You know, we can pair them, like we did in one attack. We paired a very simple phone over a Bluetooth connection with the machine in proximity and basically attacked that machine with text messages. So we would send text messages, they would be sent over Bluetooth to the paired device, executed in the network, and then the information would be sent back to us.

And what about Wi-Fi? What about, you know, just random SSIDs going around? What can they do to us? What do you think?

Well, I think there is a lot of potential. You came up with an idea how to explain that?

Yeah, I think we should research that.

Oh yeah, we did that. Okay, so please.

Yeah, so in this example I'm going to use... I just put this payload on a Rubber Ducky, and I'm going to just connect that. And what this does is essentially, as you see, the first line of code is essentially running an elevated process with PowerShell, and what it will do now is essentially run a very short function. What this function does... wait a minute, catch the magic. Let's close the window behind, and then we come back. Of course, when we do it for real we don't even have this window, but I store my magic packet... you'll see, yeah, I reused it, I abused the dub user. So what we do here, for now, what the machine is doing is listening. As you can see, now it's connected to some network, and it's listening in the background, looking for SSIDs in range. And I'm going to open my mobile hotspot sharing, and I let the machine periodically, every few seconds, refresh the Wi-Fi networks in range. And as you can see, a payload was executed here, right? So my payload was just whoami /priv, but every command I run now comes from my SSID. It's looking for a very specific SSID. As you can see, I'm not connected to the machine; the only thing it's running is looking for an SSID with some sort of pattern. And you can actually use that and abuse that in a variety of ways. For example, you can prepare some functions, actually creating a macro of commands that just run when initiated, right, whatever you want. We can just recreate the functions, for example a function that crawls through files around the organization and uses some regex patterns, and we can just send a guy with an infected mobile, even without his knowledge, just to pass in proximity of that machine, and it will attack itself. And I now changed the name of the network, as you can see, to something else. And of course we couldn't end this session without a calc, so we had to pop a calc.

So to summarize: all it takes, really, to hack any organization in the world is for you to be creative. Be the Disney of your cyber operations. Motivation and time is all it takes. If you can dream it, we can make it. If you can define it, we can do it. The hard part is for you to define what you want. Humans, you know, correlate signals. Please don't just look at network connections and processes, the EDR here, the firewall there. Challenge your blue teams, make them raise the bar to the next level, because today it's maybe script kiddies, copy-paste; tomorrow it can be somebody as creative as Dora, and he is very creative. So get creative with your team. It pays: it pays your bills first of all, because it's a job, and it also pays off because it's effective and it's fun, as you saw. And remember that we lose and win on points; there are no knockouts, no silver bullets in cyber. Always challenge yourself, always be humble about the abilities of the other side, whether it's the blue teams or the adversary, and just enjoy and have fun. Thank you very much.
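Added example, after the talk and not part of it: a Python sketch of the firewall-log channel demonstrated above, written for this page rather than taken from the speakers' tooling. The talk supplies only the design points: payload bytes are carried as spoofed source addresses, carrier packets are "protocol 6" with source and destination port 0, and 55.55.55.55 marks the end of the payload. Everything else here is an assumption of this example: four payload bytes per spoofed address, NUL padding of the final chunk, UTF-8 text, and the key=value line format that stands in for the fields of the Windows Filtering Platform packet-drop audit event (Event ID 5152). The sample log lines are constructed; a defender-side counter is included because a burst of "TCP" drops with both ports zero is malformed traffic that the talk's own convention makes easy to spot.

```python
"""Encode a command as spoofed source IPs and recover it from drop-audit
events, following the design described in the talk (4-byte chunks, NUL
padding and the key=value log format are this example's assumptions)."""
import re
import socket
from typing import Dict, List, Optional

END_MARKER = "55.55.55.55"      # from the talk: the "magic end packet"
CARRIER_PROTO = "6"             # from the talk: protocol 6, both ports 0
EVENT_RE = re.compile(r"(\w+)=(\S+)")


def encode_payload(command: str) -> List[str]:
    """Sender side: spoofed source addresses that carry `command`, marker last."""
    data = command.encode("utf-8")
    data += b"\x00" * (-len(data) % 4)          # assumption: NUL-pad to 4 bytes
    addrs = [socket.inet_ntoa(data[i:i + 4]) for i in range(0, len(data), 4)]
    if END_MARKER in addrs:
        # b"7777" encodes to 55.55.55.55; the talk's design has no escaping,
        # so refuse here rather than let the receiver truncate the payload.
        raise ValueError("payload chunk collides with end marker")
    return addrs + [END_MARKER]


def parse_event(line: str) -> Dict[str, str]:
    """Constructed key=value stand-in for the fields of a 5152 drop event."""
    return dict(EVENT_RE.findall(line))


def is_carrier(ev: Dict[str, str]) -> bool:
    """The talk's convention: a dropped 'TCP' packet with src and dst port 0."""
    return (ev.get("EventID") == "5152"
            and ev.get("Protocol") == CARRIER_PROTO
            and ev.get("SourcePort") == "0"
            and ev.get("DestinationPort") == "0")


def extract_payload(lines: List[str]) -> Optional[str]:
    """Receiver side: rebuild the command from drop events, stop at the marker."""
    chunks = []
    for line in lines:
        ev = parse_event(line)
        if not is_carrier(ev):
            continue                          # pings, real TCP attempts: noise
        if ev["SourceAddress"] == END_MARKER:
            return b"".join(chunks).rstrip(b"\x00").decode("utf-8")
        chunks.append(socket.inet_aton(ev["SourceAddress"]))
    return None                               # marker never seen: incomplete


def count_carriers(lines: List[str]) -> int:
    """Defender side: TCP with both ports 0 is malformed, so a burst of such
    drops from many distinct sources is a cheap thing to alert on."""
    return sum(is_carrier(parse_event(line)) for line in lines)


def build_sample_log(command: str) -> List[str]:
    """Constructed drop-audit lines: the carriers for `command` with unrelated
    drops mixed in (an ICMP ping and a real TCP/445 attempt)."""
    target = "192.0.2.20"

    def drop(src, sport, dport, proto):
        return (f"EventID=5152 Direction=Inbound SourceAddress={src} "
                f"SourcePort={sport} DestinationAddress={target} "
                f"DestinationPort={dport} Protocol={proto}")

    carriers = [drop(a, 0, 0, CARRIER_PROTO) for a in encode_payload(command)]
    noise_ping = drop("192.0.2.7", 0, 0, 1)           # the demo's ping drop
    noise_smb = drop("192.0.2.9", 51234, 445, 6)      # ordinary TCP drop
    return [noise_ping] + carriers[:2] + [noise_smb] + carriers[2:] + [noise_ping]


if __name__ == "__main__":
    cmd = "Get-Date | Out-File C:\\temp\\date.txt -Force"
    log = build_sample_log(cmd)
    print(f"{count_carriers(log)} carrier drops, decoded: {extract_payload(log)!r}")
```

Two practitioner caveats follow directly from the technique. The channel is one-way: because the source addresses are spoofed, nothing ever returns to the sender, which is why the demo checks the result on the target's own disk. And the receiver must run with enough privilege to read the Security log and must have drop auditing enabled, so the "Audit Filtering Platform" policy the speaker turned on is part of the attack's preconditions, not just of the demo's visibility.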