Home Internet of things Command and Control – WebSocket

Command and Control – WebSocket


and – 

Everyday new methods and tools are being discovered that could be used during red team engagements. Special focus is given into command and control channels that can evade security products and can hide traffic by using non-conventional methods. Arno0x0x discovered that some web gateways doesn’t inspect web socket content. Therefore it could be used as a communication channel for execution of arbitrary commands to hosts.

Arno0x0x developed a command and control tool (WSC2) which implements this method. The tool is written in python and can be used for data exfiltration since it provides file transfer capability and shell functionality.

WSC2 - Main Console  - wsc2 main console - Command and Control – WebSocket

WSC2 – Main Console

It is possible to clone a legitimate website that will be hosted in a webserver (attacker machine) and will contain the malicious websocket code. At the time being WSC2 can generate three different java script stagers.

WSC2 - Generation of Stagers  - wsc2 generation of stagers - Command and Control – WebSocket

WSC2 – Generation of Stagers

When the stager will be executed on the target a connection will be established with the WSC2 controller.

WSC2 - Agent Connection  - wsc2 agent connection - Command and Control – WebSocket

WSC2 – Agent Connection

Alternatively the HTML stager can be executed when the user visit the malicious URL.

WSC2 - Cloned WebSite  - wsc2 cloned website - Command and Control – WebSocket

WSC2 – Cloned Website

From the connected agent (host) it is possible to get some basic shell functionality by using the cli command.

WSC2 - Shell Functionality  - wsc2 shell functionality - Command and Control – WebSocket

WSC2 – Shell Functionality

Commands can be executed from the shell.

WSC2 - Command Execution  - wsc2 command execution - Command and Control – WebSocket

WSC2 – Command Execution

Additionally WSC2 provides file transfer capability. Files that will be retrieved from the target will be stored in the incoming folder of the tool.

WSC2 - Data Exfiltration  - wsc2 data exfiltration - Command and Control – WebSocket

WSC2 – Data Exfiltration

Files can be hosted also on the target to perform further post-exploitation activities.

WSC2 - File Transfer  - wsc2 file transfer - Command and Control – WebSocket

WSC2 – File Transfer

The uploaded file will be stored on the folder which the stager has been executed initially.

WSC2 - File Stored  - wsc2 file stored - Command and Control – WebSocket

WSC2 – File Stored

From the perspective of a defender this will look like web traffic coming from Internet Explorer which will not raise any suspicion.



Source link


Please enter your comment!
Please enter your name here