Saturday, December 23, 2017

Firefox tunnel


A crucial element for the Red Team's task is a stealth in attack, success is its ability to espouse an aggressive mindset, a true  cracker's point of view, if the red team  win, can help to construct the better defense for the Blue Team at the future. Don't do bear  about this content, all content here have a good purpose.

At this blog post, the content is about a different attack approach to get remote control of the machine and bypass the firewall.  We have a lot of weapons to work in that perspective, something like veil framework, msfvenom...  but sometimes following different  path,  will generally bring good result.

Illustration by Anthony S Waters
The attack have a objective to use firefox to make all communication between client and server. Using hookings to do that, is not impossible, but DLL injection sometimes  is boring to implement, can be harder to turn in portable, do you know that ? x32 and x64 each architecture  need different approach to develop(at the future i discovery that the easyhook api can solve that).  Another day i was studying the firefox internals, reading something about the use of SQLite to work with cookies, that give to me a different focus.

Look that following:
That is a full plan to create a programm to use firefox with tunnel, i gonna explain in each step:

1- Programm of tunnel call firefox browser in hidden mode, sending a URL, that URL have a evil server, that evil server send a  cookie with command.

2- The  tunnel  get cookie of  evil server in cookie.sqlite, uses that to command shell

3- Result of command shell is used to write a HTML with javascript to make auto submit with content result.

4- Programm open writed html in hidden mode to send the result of CMD to evil server.

Now you can look that following:

For the sake of good conclusion,  i wrote the code and i recorded the proof of concept, the cool fact of empirical point is turn all in reality, you can view all stuff  at that  following:




Future insights:


Insert persistence, using function RegOpenKeyEx() to open path: 
"Software\Microsoft\Windows\CurrentVersion\Run" 
write with function RegSetValueEx() to launches a program automatically at system startup.

*Using images in I/O using steganography.

*Running process in  hidden mode.

*Turn tunnel unkillable process.

Possible mitigations:


* Global hooking, to get  OpenFile(), CreateFIle() functions and filter argv "cookie.sqlite" and block  when programm route is different of firefox.exe.

* File watch api to monitor the database of cookies.

* Programm to open database of cookies by periodicity and search evil domain or  hosts, that can use black list to find and uses DELETE query to remove evil cookie.






Thank you for reading this, cheers !

No comments:

Post a Comment