Book 5: Covering Tracks on the Network

Question 1

What is the most common way for an attacker to hide information as it is transmitted across a network?

Answer 1

tunneling

pg 81 book 5

Question 2

What is tunneling?

Answer 2

one protocol carried inside another protocol.

pg 81 book 5.

Question 3

If use tunneling, what protocol will the network see?

Answer 3

Network sees only second protocol.
Example: “shell traffic inside ICMP packets” network would only see the ICMP packet.
pg 81 book 5.

Question 4

If the host protocol being used to tunnel/transport the info is allowed to run, then the protocol inside like shell traffic will be able to traverse the network?

Answer 4

true

pg 81 book 5

Question 5

Tunnel sender side contains?

Tunnel receiver side contains?

Answer 5

server side: information to put into the tunnel
reciever side: envelope opened and info is removed from the tunnel.
pg 81 book 5

Question 6

How can attackers evade detection?

Answer 6

Tunneling information. a more complex method to evaluate and identify.
pg 81 book 5

Question 7

What ways can an attacker tunnel data to evade detection and cover their tracks?

Answer 7

Tunneling via

1. Reverse HTTP/HTTPS Shells
2. ICMP Tunnels : Ptunnel tool
3. DNS Tunnels: DNScat2 tool
4. By blending in

Question 8

Would an attacker want to establish a backdoor using protocols that are common for the network? if so, give example.

Answer 8

Yes.
example: HTTP.
More:
1. Establish a backdoor using protocols that are common for network
2. Exploit a system, start some sort of command and control mechanism
3. Attacker once compromises a system will need to figure out what protocol to use for c2
4. can compromise the internal machine to make internal HTTP requiests out to my attacker server(CC mechanism)

Question 9

Reverse HTTP is done over both ___ and ___ HTTP channels.

Answer 9

insecure and secure

pg 82 book 5

Question 10

How would reverse HTTP/HTTPs shells work?

Answer 10

at predetermined intervals the HTTP program on the internal system will surds the internet asking for commands from the attackers external machine.

Attacker types commands at the external machine on the internet and sends the commands back to the victim machine as HTTP responses.

Question 11

Are you safe from Reverse HTTP/HTTPS tunneling if you require HTTP authentication with static passwords?

Answer 11

no. you are not safe if you require HTTP authentication with static passwords to get out of your firewall.

Question 12

Reverse HTTP shells allow for the attacker to program the system with a user ID and passsword that will be given to the outgoing web proxy firewall for authentication.

Answer 12

True.

Question 13

Name the tool that carries data inside the payloads of ICMP packets?

Answer 13

Ptunnel

Question 14

What is Ptunnel?

Answer 14

ICMP tunneling tool that carries TCP connections inside ICMP Echo and ICMP Echo Reply packets.

Question 15

Do alot of networks allow outbound ICMP Echo packets and their associated responses?

Answer 15

Yes.

Question 16

what is Loki?

Answer 16

Tool that carries shell between its Linux client adn Linux server software using ICMP echo and reply packets.

Question 17

What is ICMPShell?

Answer 17

Linux Shell Tool

Question 18

Ptunnel is best used on a network that blocks out __ and __ packets but allows you to ping arbitrary hosts on the internet.

Answer 18

TCP and UDP.

Question 19

Ptunnel consists of how many components?

Answer 19

two. Ptunnel client and Ptunnel proxy

Question 20

Ptunnel proxy can be configured to authenticate the Ptunnel client using what kind of authentication algorithm?

Answer 20

MD5 based challenge/response

Question 21

The Ptunnel client and the Ptunnel proxy are the two main components of ___ tunneling.

Answer 21

ICMP tunneling.

Question 22

What is the tool used for DNS tunneling?

Answer 22

DNSCat2

Question 23

DNS Tunneling/ DNSCat2 is similar to what?

Answer 23

Netcat

Question 24

How is DNS Tunneling/DNSCat2 similar to netcat but differs?

Answer 24

similar, but unlike netcat DNS tunneling does NOT directly talk to the attacker server; instead it uses the victim network infrastructure to relay the malicious content, bypassing many different filtering mechanisms

Question 25

Netcat will talk directly to the attacker server?

DNS tunneling will talk to the victim network to then relay the malicious content?

Answer 25

true.

Question 26

Netcat talks directly to the attacker server and DNS tunneling does not/

Answer 26

true.

Question 27

What would prevent an attacker to reach a C2 system directly on the network?

Answer 27

blocked egress ports, authentication-required HTTP proxies

Question 28

How does DNS tunneling work?

Answer 28

attacker does not directly talk to a DNS server on the internet; instead the attacker queries the internal DNS server, using crafted query data that the internal DNS server then sends to root-level DNS servers on the internet. The root level DNS servers then foward the queries to the attacker-controlled DNS server. which extracts the crafted query and performs an action on the attacker supplied data.

Question 29

Does DNS tunneling talk directly to a DNS server on the internet?

Answer 29

No. talks to the internal DNS server

Question 30

DNS tunneling Process victim –> ____ –> firewall –> root level DNS Server –> …. –> ____

Answer 30

Internal DNS server

Attacker Server

Question 31

What is DNS?

Answer 31

Translates domain names to IP addresses so browsers can load internet resources.

Question 32

Extra: detecting DNS?

Answer 32

look for unusual data being sent back and forth using statistical techniques. Looking at the number of DNS domain requests compared to the normal baseline

Question 33

What isDNSCat2?

Answer 33

A DNS tunnel that creates an encrypted C2 channel to let you upload/download files, run a shell, etc

Question 34

DNSCat2 is an implementation of __ tunneling consisting of an attacker process that partially implements the DNS server protocol and a ___ for Linux or windows victims.

Answer 34

DNS

client

Question 35

DNSCat3 implements DNS tunneling attack, providing __ like functionality over ___. While also providing __ and end-to-end transport encryption.

Answer 35

netcat
DNS.
authentication.

Question 36

What can attacker do when dnscat2 is successful?

Answer 36

upload and download files, execute local system commands, set up new local listening ports for remote networking…etc

Question 37

DNSCat2 is a a popular command & control (C2) mechanism, even though it is easy to spot?

Answer 37

true.

Question 38

Other mechanism used to exfil data or establish a c2?

Answer 38

email, messaging tools, social media sites, cloud services….etc

Question 39

How could we prepare for protecting our network?

Answer 39

endpoint security tools, app whitelisting, UEBA tools.
Limit egress network protocol access, use authenticated proxy access for internet resources access vs direct unauthenticated access.

Question 40

A strong defense against c2 frameworks?

Answer 40

using authenticated proxy access for internet resource access vs direct unauthenticated access.

Question 41

How could we identify attackers using tunneling?

Answer 41

understand what’s on our network and systems look like to perform threat hunting.
spend time identifying which processes are running on systems, kind of network activity that is “normal” use a baseline to compare.
React to unauthorized netwrok egress access attempts.

Question 42

Good technique to identifying tunneling- anomalous network activity

Answer 42

RITA - real intelligence threat analytics

Question 43

What is RITA?

Answer 43

a sophisticated network analysis tool

Question 44

Are IDS a useful technique to detect C2 and exfil techniques?

Answer 44

no. lack insight into encrypted streams, blended protocols.