HTTP Statuses as C2 Commands and Compromised TLS

Hack In The Box Security Conference via YouTube

Classroom Contents

  1. Intro
  2. The plan
  3. How it all started
  4. Why another trojan? Keylogging? May be too loud. Decrypting? Maybe not in reasonable time with current TLS. Certificates pre-installation? Could facilitate MITM, but what about NAT?
  5. "Client hello" field
  6. PRNG to mark it
  7. Chrome and Firefox: to patch browsers' PRNG functions in memory and TLS handshake, developers have to analyze Firefox sources and Chrome binaries
  8. Silently marked
  9. Why on the fly? Once our telemetry shows new URLs and that time installers were available on the warez web-site
  10. Infection chain
  11. C2 communications: HTTP statuses 422-429 (IETF RFC 7231, 6585, 4918) are the async commands from C2
  12. Encryption
  13. Some math inside
  14. To do or to use? Don't reinvent the wheel, just realign it.
  15. If you decide to do. In config: version, target ID, URL. Almost certainly constructed with builder
  16. Second way pros: knowledge separation
  17. First way pros: speed for the first sample
