SlideShare a Scribd company logo

XFLTReat: a new dimension in tunnelling

Shakacon
Shakacon

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Technology
1 of 41
Download to read offline
XFLTReaT: a new dimension in tunnelling Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group
Bio / Balazs Bucsay •  Hungarian hacker •  Senior Security Consultant @ NCC Group •  Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 •  Lots of experience in offensive security •  Started with ring0 debuggers and disassemblers in 2000 (13 years old) •  Major projects: •  GI John (2009) – Hacktivity •  Chw00t (2015) – PHDays, DeepSec, Hacktivity •  XFLTReaT (2017) – Shakacon ;) •  Twitter: @xoreipeip •  Linkedin: https://www.linkedin.com/in/bucsayb
Presentations •  Talks around the world: •  Honolulu (HI) / Shakacon (returning speaker) •  Atlanta (GA) / Hacker Halted •  Moscow (RU) / PHDays •  Oslo (NO) / HackCon •  Vienna (AT) / DeepSec •  Budapest (HU) / Hacktivity •  London (UK) / Inf. Gov. & eDiscovery Summit •  There is some more space here… @xoreipeip
Tunnels
Without a tunnel 5 @xoreipeip
With a tunnel 6 @xoreipeip
Why would one use tunnels? •  Work VPN – to access the corporate internal network •  Hide real IP address •  Whistle-blowers/Journalists to communicate anonymously •  Torrent •  ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …) •  Bypass corporate proxy policy •  Bypass captive portals!? •  What about you? @xoreipeip
Have you done … tunnelling? Protocol Tool TCP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip
Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip
Oh no! I forgot to set up my OpenVPN on port 443 (Port TCP/443 unfiltered) Two days on a ferry
10 hour flight to Japan (ICMP unfiltered)
At the airport (DNS unfiltered)
What did I see? Get tired of: •  As many protocols as many solutions •  Hard to modify the existing ones •  No modularity •  Portability issues •  Configuration issues •  Unsupported/EoL tools •  No automation at all •  It is just hard, but it does not have to be! @xoreipeip
XFLTReaT The beast was born!
Tunnelling theory 101 / MTU @xoreipeip
What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) •  Tunnelling framework •  Open-source (will be released soon) •  Python based •  OOP •  Modular •  Multi client •  Plug and Play (at least as easy as it can be) •  Check functionality @xoreipeip
Easy, modular, plug & play •  Install: •  git clone & pip install •  edit config •  run •  Tunnels, encryption, authentication etc. are modular •  Plug and play: •  Copy new module into modules/, support files to support/ •  edit config •  run @xoreipeip
Framework, as it is You do not have to: •  Set up the routing •  Handle multiple users •  Create and set up an interface or interfaces •  Care about encryption, authentication or encoding You only have to: •  Package your packets into your protocol •  Implement protocol related things @xoreipeip
Check functionality •  Easy way to figure out, which protocol is not filtered on the network •  Automated approach: No deep knowledge is needed •  Client sends a challenge over the selected (or all) modules to the server •  If the server responses with the solution: •  We know that the server is up and running •  The specific module/protocol is working over the network •  Connection can be made @xoreipeip
One interface to rule them all @xoreipeip
Ease of development
Module tree @xoreipeip
Ease of use/development •  Only web traffic allowed? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? Set the header in source •  Want to send data over text/SMS? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? Set the header in source •  Want to send data over text/SMS? Handle connection with your phone from a module •  Special authentication over HTTP proxy? @xoreipeip
Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? Set the header in source •  Want to send data over text/SMS? Handle connection with your phone from a module •  Special authentication over HTTP proxy? Implement the auth, change the config •  PROTIP: just use the source! @xoreipeip
DEMO
Offense •  Bypass basic obstacles •  Specific ports are unfiltered (TCP / UDP) •  DNS allowed •  ICMP allowed •  Bypass not that basic obstacles •  Specific protocol allowed (IPS or any other active device in place) •  Special authentication required •  Exfiltrate information from internal networks •  Get unfiltered internet access @xoreipeip
Defense for companies Check your network settings •  Check functionality •  Try to exfiltrate data – check whether your active network device can catch it Captive portals •  Drop all packets that are addressed to external until not authenticated •  All DNS query should have the same response (the portal) @xoreipeip
Defense for companies No solution is 100% secure •  Do not route your network to the internet •  Disable all traffic between the internet and internal network •  Use HTTP Proxy and enforce it •  Whitelist ports (80 and 443, would you need anything else?) •  Blacklist websites (does not really help on XFLTReaT) •  DNS •  Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip
Defense for companies No solution is 100% secure •  Do you have an inventory? (IP, owner, purpose, location) •  Do baselining (Use Netflow or Bro) •  Check relation between IPs •  What are the top talker source IPs (bytes, packets, flows)? •  What are the top destination IPs (bytes, packets, flows)? •  Any unusual activity should generate an alert/be blocked when you are done @xoreipeip
TODO •  Python 2.x and 3.x support •  Multi OS support •  More modules (DNS is the next one) •  Encryption and authentication modules •  Adding more comments to the code @xoreipeip
Release •  Will be released on Github •  http://xfltreat.info •  It takes some little more time, because: •  Adding comments •  More modules •  Bug fixes •  etc. @xoreipeip
Q&A - Thank you for your attention Balazs Bucsay / @xoreipeip
Office Locations Europe Manchester - Head Office Amsterdam Basingstoke Cambridge Copenhagen Cheltenham Delft Edinburgh Glasgow The Hague Leatherhead Leeds London Madrid Malmö Milton Keynes Munich Vilnius Zurich North America Atlanta, GA Austin, TX Boston, MA Campbell, CA Chicago, IL Kitchener, ON New York, NY San Francisco, CA Seattle, WA Sunnyvale, CA Toronto, ON Asia-Pacific Singapore Sydney Middle East Dubai

Recommended

Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container PipelineSalesforce Engineering
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 

Recommended

Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container PipelineSalesforce Engineering
 
TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)Mike Felch
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOpsSalesforce Engineering
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Tools kali
Tools kaliTools kali
Tools kaliketban0702
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
1000 to 0
1000 to 01000 to 0
1000 to 0Sunny Neo
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
About linux-english
About linux-englishAbout linux-english
About linux-englishShota Ito
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Breaking SSL using time synchronisation attacks
Breaking SSL using time synchronisation attacksBreaking SSL using time synchronisation attacks
Breaking SSL using time synchronisation attacksjselvi
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Twisted: a quick introduction
Twisted: a quick introductionTwisted: a quick introduction
Twisted: a quick introductionRobert Coup
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparationManich Koomsusi
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 

More Related Content

What's hot

Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) ShenPROIDEA
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装inaz2
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
About linux-english
About linux-englishAbout linux-english
About linux-englishShota Ito
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Breaking SSL using time synchronisation attacks
Breaking SSL using time synchronisation attacksBreaking SSL using time synchronisation attacks
Breaking SSL using time synchronisation attacksjselvi
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
Twisted: a quick introduction
Twisted: a quick introductionTwisted: a quick introduction
Twisted: a quick introductionRobert Coup
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 

What's hot (20)

Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen
 
Tools kali
Tools kaliTools kali
Tools kali
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpn
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
About linux-english
About linux-englishAbout linux-english
About linux-english
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Breaking SSL using time synchronisation attacks
Breaking SSL using time synchronisation attacksBreaking SSL using time synchronisation attacks
Breaking SSL using time synchronisation attacks
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2
 
Twisted: a quick introduction
Twisted: a quick introductionTwisted: a quick introduction
Twisted: a quick introduction
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 

Similar to XFLTReat: a new dimension in tunnelling

XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022Lorenzo Miniero
 
Php internal architecture
Php internal architecturePhp internal architecture
Php internal architectureElizabeth Smith
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Lorenzo Miniero
 
Dataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFiDataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFiDataWorks Summit
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017
HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017
HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017Codemotion
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...EC-Council
 

Similar to XFLTReat: a new dimension in tunnelling (20)

XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnel
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?
 
SPDY and HTTP/2
SPDY and HTTP/2SPDY and HTTP/2
SPDY and HTTP/2
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022WHIP WebRTC Broadcasting @ FOSDEM 2022
WHIP WebRTC Broadcasting @ FOSDEM 2022
 
Php internal architecture
Php internal architecturePhp internal architecture
Php internal architecture
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new framework
 
How do event loops work in Python?
How do event loops work in Python?How do event loops work in Python?
How do event loops work in Python?
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
Dataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFiDataflow Management From Edge to Core with Apache NiFi
Dataflow Management From Edge to Core with Apache NiFi
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017
HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017
HTTP2 in action - Piet Van Dongen - Codemotion Amsterdam 2017
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
 

More from Shakacon

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEShakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkShakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareShakacon
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]Shakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamShakacon
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzShakacon
 
Making a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem DinaburgMaking a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem DinaburgShakacon
 
Hunting Government Back Doors by Joseph Menn
Hunting Government Back Doors by Joseph MennHunting Government Back Doors by Joseph Menn
Hunting Government Back Doors by Joseph MennShakacon
 

More from Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
 
Making a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem DinaburgMaking a Scalable Automated Hacking System by Artem Dinaburg
Making a Scalable Automated Hacking System by Artem Dinaburg
 
Hunting Government Back Doors by Joseph Menn
Hunting Government Back Doors by Joseph MennHunting Government Back Doors by Joseph Menn
Hunting Government Back Doors by Joseph Menn
 

Recently uploaded

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

XFLTReat: a new dimension in tunnelling

  • 1. XFLTReaT: a new dimension in tunnelling Balazs Bucsay / @xoreipeip Senior Security Consultant @ NCC Group
  • 2. Bio / Balazs Bucsay •  Hungarian hacker •  Senior Security Consultant @ NCC Group •  Strictly technical certificates: OSCE, OSCP, OSWP, GIAC GPEN, CREST CCT/2 •  Lots of experience in offensive security •  Started with ring0 debuggers and disassemblers in 2000 (13 years old) •  Major projects: •  GI John (2009) – Hacktivity •  Chw00t (2015) – PHDays, DeepSec, Hacktivity •  XFLTReaT (2017) – Shakacon ;) •  Twitter: @xoreipeip •  Linkedin: https://www.linkedin.com/in/bucsayb
  • 3. Presentations •  Talks around the world: •  Honolulu (HI) / Shakacon (returning speaker) •  Atlanta (GA) / Hacker Halted •  Moscow (RU) / PHDays •  Oslo (NO) / HackCon •  Vienna (AT) / DeepSec •  Budapest (HU) / Hacktivity •  London (UK) / Inf. Gov. & eDiscovery Summit •  There is some more space here… @xoreipeip
  • 7. Why would one use tunnels? •  Work VPN – to access the corporate internal network •  Hide real IP address •  Whistle-blowers/Journalists to communicate anonymously •  Torrent •  ISPs filtering some ports (secure IMAP, SMTPS, NetBIOS, …) •  Bypass corporate proxy policy •  Bypass captive portals!? •  What about you? @xoreipeip
  • 8. Have you done … tunnelling? Protocol Tool TCP @xoreipeip
  • 9. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP @xoreipeip
  • 10. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP @xoreipeip
  • 11. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS @xoreipeip
  • 12. Have you done … tunnelling? Protocol Tool TCP OpenVPN Cisco AnyConnect UDP OpenVPN ICMP Hans Ping Tunnel ICMPTx DNS iodine DNSCat* Ozymandns HTTP CONNECT Proxifier Pure HTTP ? TLS v1.2 ? TLS v1.2 with Kerberos auth ? @xoreipeip
  • 13. Oh no! I forgot to set up my OpenVPN on port 443 (Port TCP/443 unfiltered) Two days on a ferry
  • 14. 10 hour flight to Japan (ICMP unfiltered)
  • 15. At the airport (DNS unfiltered)
  • 16. What did I see? Get tired of: •  As many protocols as many solutions •  Hard to modify the existing ones •  No modularity •  Portability issues •  Configuration issues •  Unsupported/EoL tools •  No automation at all •  It is just hard, but it does not have to be! @xoreipeip
  • 18. Tunnelling theory 101 / MTU @xoreipeip
  • 19. What is XFLTReaT? XFLTReaT (say exfil-treat or exfiltrate) •  Tunnelling framework •  Open-source (will be released soon) •  Python based •  OOP •  Modular •  Multi client •  Plug and Play (at least as easy as it can be) •  Check functionality @xoreipeip
  • 20. Easy, modular, plug & play •  Install: •  git clone & pip install •  edit config •  run •  Tunnels, encryption, authentication etc. are modular •  Plug and play: •  Copy new module into modules/, support files to support/ •  edit config •  run @xoreipeip
  • 21. Framework, as it is You do not have to: •  Set up the routing •  Handle multiple users •  Create and set up an interface or interfaces •  Care about encryption, authentication or encoding You only have to: •  Package your packets into your protocol •  Implement protocol related things @xoreipeip
  • 22. Check functionality •  Easy way to figure out, which protocol is not filtered on the network •  Automated approach: No deep knowledge is needed •  Client sends a challenge over the selected (or all) modules to the server •  If the server responses with the solution: •  We know that the server is up and running •  The specific module/protocol is working over the network •  Connection can be made @xoreipeip
  • 23. One interface to rule them all @xoreipeip
  • 26. Ease of use/development •  Only web traffic allowed? @xoreipeip
  • 27. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? @xoreipeip
  • 28. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? @xoreipeip
  • 29. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? @xoreipeip
  • 30. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? Set the header in source •  Want to send data over text/SMS? @xoreipeip
  • 31. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? Set the header in source •  Want to send data over text/SMS? Handle connection with your phone from a module •  Special authentication over HTTP proxy? @xoreipeip
  • 32. Ease of use/development •  Only web traffic allowed? Set your server on port TCP/80 •  Only ICMP type X allowed? Copy ICMP module, change type 8 to X •  HTTPS allowed but only with TLS v1.2? Copy TLS module, set it to 1.2 only •  HTTP should work, but only with special header? Set the header in source •  Want to send data over text/SMS? Handle connection with your phone from a module •  Special authentication over HTTP proxy? Implement the auth, change the config •  PROTIP: just use the source! @xoreipeip
  • 33. DEMO
  • 34. Offense •  Bypass basic obstacles •  Specific ports are unfiltered (TCP / UDP) •  DNS allowed •  ICMP allowed •  Bypass not that basic obstacles •  Specific protocol allowed (IPS or any other active device in place) •  Special authentication required •  Exfiltrate information from internal networks •  Get unfiltered internet access @xoreipeip
  • 35. Defense for companies Check your network settings •  Check functionality •  Try to exfiltrate data – check whether your active network device can catch it Captive portals •  Drop all packets that are addressed to external until not authenticated •  All DNS query should have the same response (the portal) @xoreipeip
  • 36. Defense for companies No solution is 100% secure •  Do not route your network to the internet •  Disable all traffic between the internet and internal network •  Use HTTP Proxy and enforce it •  Whitelist ports (80 and 443, would you need anything else?) •  Blacklist websites (does not really help on XFLTReaT) •  DNS •  Filter external DNS queries if possible (let HTTP proxy do the resolving) @xoreipeip
  • 37. Defense for companies No solution is 100% secure •  Do you have an inventory? (IP, owner, purpose, location) •  Do baselining (Use Netflow or Bro) •  Check relation between IPs •  What are the top talker source IPs (bytes, packets, flows)? •  What are the top destination IPs (bytes, packets, flows)? •  Any unusual activity should generate an alert/be blocked when you are done @xoreipeip
  • 38. TODO •  Python 2.x and 3.x support •  Multi OS support •  More modules (DNS is the next one) •  Encryption and authentication modules •  Adding more comments to the code @xoreipeip
  • 39. Release •  Will be released on Github •  http://xfltreat.info •  It takes some little more time, because: •  Adding comments •  More modules •  Bug fixes •  etc. @xoreipeip
  • 40. Q&A - Thank you for your attention Balazs Bucsay / @xoreipeip
  • 41. Office Locations Europe Manchester - Head Office Amsterdam Basingstoke Cambridge Copenhagen Cheltenham Delft Edinburgh Glasgow The Hague Leatherhead Leeds London Madrid Malmö Milton Keynes Munich Vilnius Zurich North America Atlanta, GA Austin, TX Boston, MA Campbell, CA Chicago, IL Kitchener, ON New York, NY San Francisco, CA Seattle, WA Sunnyvale, CA Toronto, ON Asia-Pacific Singapore Sydney Middle East Dubai