SLTechnology News & Howtos > Development. Updated 2025-03-29.
Shulou (Shulou.com) 06/02 Report
This article explains how the "LAME" technique uses SSL/TLS-encrypted communications for lateral movement inside an internal network. The material is concise and easy to follow; I hope you find something useful in it.
The article discusses a new lateral-movement technique for red teams called "LAME", together with its mitigations. LAME uses trusted SSL certificates to establish encrypted communication channels inside the internal network. In August, Evangelos Mourikis and Nikos Karouzos, members of Deloitte Greece's ethical hacking team, identified and demonstrated the technique at the Community of Practice (CoP) summit in Dublin.
Introduction
During a penetration test or red team engagement, we do everything we can to obtain remote access to the target's internal network, escalate privileges within the environment, establish a persistent communication channel for continued control, and keep expanding our foothold until the engagement's objectives are met.
To establish a covert and persistent communication channel, red teams use many lateral-movement techniques. Usually they build channels on top of common TCP/IP protocols (such as DNS, SMB and HTTP) that mimic expected network traffic and user behaviour in order to stay undetected. But these protocols are typically unencrypted, so the traffic can be identified easily with network monitoring tools and NIDS/HIDS. Even an encrypted channel that relies on a self-signed certificate (such as HTTPS) tends to trigger alerts from intrusion detection and monitoring systems, because self-signed certificates are a very common vehicle for man-in-the-middle (MitM) attacks.
Up-to-date antivirus products can also identify these techniques easily: their latest heuristic engines correlate and block these kinds of communication channels.
Figure 1 - unencrypted communication channel (HTTP).
Figure 2 - an attempt to use a self-signed SSL certificate: executing the payload generates many error messages and leaves a large number of traces for the intrusion detection / monitoring system.
The "LAME" technique
So what if we could use trusted SSL certificates for lateral movement inside the intranet? Two facts make this possible.
Fact 1. Domain Name System (DNS)
RFC 1035, Domain Names - Implementation and Specification (November 1987), states: "The RDATA section of an A line in a master file is an Internet address expressed as four decimal numbers separated by dots without any imbedded spaces (e.g., "10.2.0.52" or "192.0.5.6")."
Private address allocation was specified later, in RFC 1918, Address Allocation for Private Internets (February 1996), which names no security consideration about pointing public DNS records at private IP addresses.
Although many publications recommend against it, nothing prevents you from pointing the A record of a public domain name at a private (internal) IP address.
Fact 2. SSL certificates
The validation and signing of SSL certificates performed by a certificate authority (see RFC 6125) relies largely on checking the corresponding DNS names. By design, the signed certificate is not bound to a specific IP address, so changes in the underlying infrastructure do not affect its validity. Consequently, a CA will issue a trusted SSL certificate for a public DNS name that resolves to a private (internal) IP address.
Preparation
For proof-of-concept (PoC) purposes we use free services: Cloudflare for DNS and Let's Encrypt for the certificate.
To implement the LAME technique we need to:
Issue an SSL certificate for internal.dotelite.gr using Let's Encrypt's DNS-based validation (the DNS-01 challenge). The choice of challenge matters: HTTP-01 requires Let's Encrypt to connect to the name over the Internet, which cannot work once it resolves to a private address, whereas DNS-01 only requires a TXT record in the public zone.
Use Cloudflare to point the DNS A record for internal.dotelite.gr at the internal IP address 192.168.72.141.
Figure 3 - a trusted SSL certificate for a public DNS name that resolves to an internal IP address.
Execution
Figure 4 - flow chart of the "LAME" technique.
The red team has deployed a command and control (C2) server at IP address 192.168.72.141 and configured an HTTPS server for internal.dotelite.gr with the signed SSL certificate.
After obtaining remote code execution on the victim machine (192.168.72.140), the red team establishes an encrypted communication channel. Using a PowerShell one-liner, the victim goes through the following steps and eventually connects to internal.dotelite.gr:
1. The victim asks the internal DNS server for the DNS record of internal.dotelite.gr.
2. The internal DNS server forwards the request to the Internet, following the delegation from the root DNS servers.
3. The public authoritative DNS server (here Cloudflare) responds with an A record pointing to the internal IP 192.168.72.141.
4. The internal DNS server receives that record.
5. The record is stored in the internal DNS server's cache, from which it can answer further requests for the same name from other hosts on the intranet.
6. The record is returned to the victim.
7. The victim establishes an encrypted communication channel, authenticated by the trusted SSL certificate, with the attacker's internal IP 192.168.72.141.
Figure 5 - PowerShell one-liner for the "LAME" technique (step 0).
Figure 6 - DNS resolution traffic (steps 1-6) resolving the internal.dotelite.gr subdomain to IP 192.168.72.141.
Figure 7 - TLS communication (step 7).
Figure 8 - fully functional encrypted communication channel inside the intranet (step 7).
Figure 9 - network traffic generated by the above command (step 7).
Obtaining a trusted SSL certificate for a public DNS name that resolves to an internal IP address is entirely possible. Once we have it, we can use it to establish an encrypted communication channel inside the internal network. This makes the channel more covert and helps it evade intrusion detection and monitoring systems.
LAME can also be used in longer-running (APT-style) operations. Combined with port forwarding and proxying, the red team can create multiple hidden pivot points in the target environment after the initial foothold in the internal network, and control them from an external C2 server on the Internet.
Mitigations
Because the communication is encrypted and the exchanged SSL certificates are valid, this lateral-movement technique is hard to detect. Blocking HTTPS traffic between hosts on the internal network would break legitimate services, so it is not a practical solution. Our recommendation is to enforce the use of centralized DNS servers on the internal network and to create specific monitoring cases for every requested DNS entry: analyse the resolved DNS records and investigate any suspicious entry in which a name outside your own zones resolves to an internal IP address. We also recommend strengthening host-level monitoring so that alternative attack paths with the same outcome are identified in time (for example, monitoring changes to the local hosts file, such as /etc/hosts).
In addition, enable DNS rebinding protection on the internal centralized DNS server (for example, the --stop-dns-rebind and --rebind-domain-ok options in dnsmasq, which reject upstream answers that contain private addresses unless the name is explicitly allow-listed).
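The following Python model is an added example and not code from the original article or from the authors' PoC. It walks through the resolution path of steps 1-6 above (a forwarding resolver that caches a public A record pointing at a private address) and then applies the two DNS-side mitigations just described: a rebind filter that behaves like dnsmasq's --stop-dns-rebind with a --rebind-domain-ok allow-list, and an audit over resolver log lines that flags names outside the organisation's own zones resolving to RFC 1918 space. The "public" zone data, the internal zone (corp.example), the client addresses and the log format are all constructed for illustration; only internal.dotelite.gr and 192.168.72.141 are taken from the article.

```python
"""Toy model of the LAME resolution path (steps 1-6) and of the DNS-side
mitigations: rebind filtering at the resolver and log auditing.
All data here is constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed public DNS data, standing in for a Cloudflare-hosted zone.
# 203.0.113.0/24 is the RFC 5737 documentation range, used as a "public" IP.
PUBLIC_ZONE: Dict[str, str] = {
    "internal.dotelite.gr.": "192.168.72.141",  # the LAME record from the PoC
    "www.dotelite.gr.": "203.0.113.10",
}

# Constructed internal zone the corporate resolver is authoritative for.
INTERNAL_SUFFIXES = ("corp.example.",)
INTERNAL_ZONE: Dict[str, str] = {"dc01.corp.example.": "10.0.0.5"}

# RFC 1918 plus loopback and link-local: an answer in these ranges should
# never arrive from the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def _under(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in map(_fqdn, suffixes))


class InternalResolver:
    """Forwarding resolver with a cache. With stop_dns_rebind=True it mimics
    dnsmasq's --stop-dns-rebind / --rebind-domain-ok: upstream answers that
    carry private addresses are dropped unless the name is allow-listed."""

    def __init__(self, stop_dns_rebind: bool = False, rebind_domain_ok=()):
        self.stop_dns_rebind = stop_dns_rebind
        self.rebind_domain_ok = tuple(rebind_domain_ok)
        self.cache: Dict[str, str] = {}
        self.log: List[str] = []  # constructed log format, one line per query

    def _record(self, client: str, qname: str, answer: Optional[str], via: str):
        self.log.append(f"client={client} q={qname} answer={answer or 'NXDOMAIN'} via={via}")

    def resolve(self, client: str, qname: str) -> Optional[str]:
        qname = _fqdn(qname)
        if qname in INTERNAL_ZONE:                   # authoritative answer
            self._record(client, qname, INTERNAL_ZONE[qname], "internal")
            return INTERNAL_ZONE[qname]
        if qname in self.cache:                      # step 5: served from cache
            self._record(client, qname, self.cache[qname], "cache")
            return self.cache[qname]
        answer = PUBLIC_ZONE.get(qname)              # steps 2-4: ask upstream
        if answer is None:
            self._record(client, qname, None, "upstream")
            return None
        if (self.stop_dns_rebind and is_internal_address(answer)
                and not _under(qname, self.rebind_domain_ok)):
            self._record(client, qname, answer, "rebind-blocked")
            return None
        self.cache[qname] = answer
        self._record(client, qname, answer, "upstream")
        return answer


LOG_RE = re.compile(r"client=(\S+) q=(\S+) answer=(\S+) via=(\S+)")


def audit_log(lines: List[str]) -> List[str]:
    """The monitoring case from the article: names that resolved to an
    internal address without being served from our own internal zone."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        client, qname, answer, via = m.groups()
        if answer == "NXDOMAIN" or via == "internal":
            continue
        if is_internal_address(answer) and not _under(qname, INTERNAL_SUFFIXES):
            findings.append(f"{qname} -> {answer} (client {client}, via {via})")
    return findings


if __name__ == "__main__":
    victim, other_host = "192.168.72.140", "192.168.72.150"
    open_resolver = InternalResolver()
    print(open_resolver.resolve(victim, "internal.dotelite.gr"))      # accepted and cached
    print(open_resolver.resolve(other_host, "internal.dotelite.gr"))  # served from cache
    print(audit_log(open_resolver.log))
    hardened = InternalResolver(stop_dns_rebind=True, rebind_domain_ok=INTERNAL_SUFFIXES)
    print(hardened.resolve(victim, "internal.dotelite.gr"))           # None: rebind-blocked
    print(hardened.resolve(victim, "www.dotelite.gr"))                # ordinary public name
```

Run as a script it shows the LAME record being accepted and then re-served from the cache to a second host, the audit flagging both answers, and the hardened resolver refusing the same record while still resolving an ordinary public name. The audit also surfaces blocked attempts, which is the behaviour you want: a rejected rebind answer is itself worth an investigation ticket.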