July 28

Webinar takeaway: Network Protocol Abuse – How Attackers Profit by Playing by the Rules


My key takeaways

  • Analogy:
    • north = ingress traffic
    • south = egress traffic
    • east-west = lateral movement
  • HTTP was born in 1996
  • HTTP status code 418: "I’m a teapot"
    • The HTTP 418 I’m a teapot client error response code indicates that the server refuses to brew coffee because it is, permanently, a teapot. A combined coffee/tea pot that is temporarily out of coffee should instead return 503. This error is a reference to Hyper Text Coffee Pot Control Protocol defined in April Fools’ jokes in 1998 and 2014.

      Some websites use this response for requests they do not wish to handle, such as automated queries.

  • Status code 402 "Payment Required" = COMPfun malware (HTTP status codes abused as C2 signalling)
  • ICMP packets leave a lot of space for data
    • Even ICMP can be used as a C2 channel
  • Labels in DNS store 64 chars
    • 32 bytes to send data
    • responses are timeouts (the C2 side need not answer)
  • DNS is not case sensitive, but case should be preserved by resolvers
    • can also be used as a binary communication channel (the case of each letter carries a bit)
  • Be aware that tools might have flaws too and not show the raw data
    • example: Zeek and Shellshock
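As an added example that is not from the webinar or the post's author: a small Python detector run over constructed DNS query records, scoring the traits noted above (long labels, random-looking content, mixed-case labels hinting at the case-bit channel, and queries that never get an answer). `SAMPLE_LOG`, `analyze` and the thresholds are my own assumptions, not output of any real tool.

```python
import math
from collections import defaultdict

# Constructed sample of DNS queries as (client, qname, response) tuples.
# response "-" marks a query that never got an answer (timeout).
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.5", "cdn.example.com", "NOERROR"),
    ("10.0.0.7", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.tunnel.example.net", "-"),
    ("10.0.0.7", "c2VjcmV0IGRhdGEgZ29lcyBoZXJlIG5vdw.tunnel.example.net", "-"),
    ("10.0.0.7", "ZW1lcmdlbmN5IGJyb2FkY2FzdCBzeXN0ZW0.tunnel.example.net", "-"),
    ("10.0.0.9", "cDn.ExAmPlE.org", "NOERROR"),  # odd casing, but a single query
]

def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_mixed_case(label):
    """True when a label mixes upper and lower case (possible case-bit channel)."""
    return any(c.islower() for c in label) and any(c.isupper() for c in label)

def registered_domain(qname):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(qname.lower().split(".")[-2:])

def analyze(log, min_queries=3, long_label=30, high_entropy=3.0):
    """Group queries per (client, domain); flag a pair when more than half of
    its queries show a trait. Returns [(client, domain, [reasons...]), ...]."""
    stats = defaultdict(lambda: {"n": 0, "long": 0, "entropy": 0, "mixed": 0, "timeout": 0})
    for client, qname, response in log:
        s = stats[(client, registered_domain(qname))]
        labels = qname.split(".")[:-2]          # drop the registered domain
        longest = max(labels, key=len, default="")
        s["n"] += 1
        s["long"] += int(len(longest) >= long_label)
        s["entropy"] += int(shannon_entropy(longest) >= high_entropy)
        s["mixed"] += int(any(is_mixed_case(lab) for lab in labels))
        s["timeout"] += int(response == "-")
    checks = (("long", "long_labels"), ("entropy", "high_entropy"),
              ("mixed", "mixed_case"), ("timeout", "timeouts"))
    flagged = []
    for (client, domain), s in stats.items():
        if s["n"] < min_queries:
            continue                            # too little traffic to judge
        reasons = [name for key, name in checks if s[key] > s["n"] / 2]
        if reasons:
            flagged.append((client, domain, reasons))
    return flagged
```

Thresholds are deliberately loose; in practice tune `long_label` and `high_entropy` against a baseline of your own resolver logs, and pair the result with the raw packets rather than trusting the summary alone.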

Env

additional links

User comments

  • FACEsalad — today at 19:27

    100: Hold on; 200: Here you go; 300: Go Away; 400: You F@#k up; 500: I F@#K up

  • Man0nTh3M00n — today at 19:54

    DNS data exfiltration could reach 200 kbit/s, so enough to get a few sensitive data out

  • Cactus — today at 19:58

    Keep in mind that the PCAPs may also trigger Windows Defender et al.


Tags

C2, Network+

