Designing & building a stealth C2 LDAP channel

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 6, 2019, 2 p.m. (30 minutes)

When organizations choose to isolate networks, they often implement technologies like private VLANs, use separate hosts and hypervisors, and maybe even separate physical locations in order to guarantee the isolation. But what if these separated environments share the same Active Directory environment? It is not hard to see why this might seem like a good idea; however, it also provides an opportunity to exchange data over LDAP. After all, even in non-Windows environments LDAP is still used as a central node within the network. During this talk I will go into detail about the process of designing and building a stealth C2 LDAP channel, which makes communication possible between strictly firewalled network segments.
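As an added illustration (not the speaker's design and not code from the talk), the mechanics any such channel has to deal with: the shared directory is the only thing both segments can reach, and an LDAP multi-valued attribute hands back its values in no guaranteed order, so a sender that splits data across values has to frame each value with a message id, a sequence number and a total, and a receiver must reassemble from an unordered set and refuse to return a message with a missing piece. The in-memory `FakeDirectory`, the `msgid:seq:total:base64` framing, the chunk size and the sample message are all constructed assumptions of this example; a real directory would be reached through an LDAP client instead of the dict.

```python
"""Toy model of a data channel through a directory shared by two network segments.

Constructed illustration: FakeDirectory stands in for the LDAP server that both
segments can reach. The value framing below is this example's own choice, not
the talk's design.
"""
import base64
import binascii
import hashlib
import random

# Assumption: keep each value well below typical string-attribute length limits.
CHUNK_BYTES = 48


class FakeDirectory:
    """In-memory stand-in for the shared directory (constructed, not real LDAP)."""

    def __init__(self):
        self._attrs = {}

    def modify_add(self, dn, attr, values):
        """Equivalent of an LDAP modify/add of values on a multi-valued attribute."""
        self._attrs.setdefault((dn, attr), set()).update(values)

    def search(self, dn, attr):
        """Return the attribute's values; shuffled because LDAP guarantees no order."""
        vals = list(self._attrs.get((dn, attr), ()))
        random.shuffle(vals)
        return vals


def frame_message(payload: bytes, chunk_bytes: int = CHUNK_BYTES) -> list:
    """Split payload into self-describing values that survive reordering.

    Each value is "<msgid>:<seq>:<total>:<base64 chunk>". The msgid is derived
    from the payload digest so a receiver can keep two messages apart.
    """
    msgid = hashlib.sha256(payload).hexdigest()[:8]
    chunks = [payload[i:i + chunk_bytes] for i in range(0, len(payload), chunk_bytes)] or [b""]
    total = len(chunks)
    return [f"{msgid}:{seq}:{total}:{base64.b64encode(c).decode()}"
            for seq, c in enumerate(chunks)]


def reassemble(values) -> dict:
    """Rebuild messages from an unordered list of attribute values.

    Returns {msgid: payload} for complete messages only; a message with a
    missing sequence number is dropped rather than returned truncated, and
    values that do not match the framing are ignored.
    """
    parts = {}
    for v in values:
        try:
            msgid, seq, total, b64 = v.split(":", 3)
            chunk = base64.b64decode(b64, validate=True)
            parts.setdefault(msgid, {})[int(seq)] = (int(total), chunk)
        except (ValueError, binascii.Error):
            continue  # unrelated attribute value, not part of the channel
    out = {}
    for msgid, seqs in parts.items():
        total = next(iter(seqs.values()))[0]
        if all(i in seqs for i in range(total)):
            out[msgid] = b"".join(seqs[i][1] for i in range(total))
    return out


# Constructed sample: the object and attribute names are placeholders.
DROP_DN = "CN=placeholder,OU=Objects,DC=example,DC=local"
DROP_ATTR = "placeholderAttribute"
SAMPLE = b"hello from segment A " * 5  # 105 bytes -> 3 chunks of 48 bytes max


def demo(payload: bytes = SAMPLE) -> dict:
    """Segment A writes, segment B reads; returns what B recovered."""
    directory = FakeDirectory()
    directory.modify_add(DROP_DN, DROP_ATTR, frame_message(payload))  # segment A
    return reassemble(directory.search(DROP_DN, DROP_ATTR))           # segment B


if __name__ == "__main__":
    for msgid, data in demo().items():
        print(msgid, data)
```

The point of the framing is the receiver side: because the set of values comes back unordered, the sequence numbers are the only ordering, and the `all(i in seqs ...)` check is what stops a partially written message from being consumed early. On a real directory the same write would show up in the object's change metadata, which is also where a defender would look for an attribute being written to far more often than its purpose warrants.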

Presenters:

  • Rindert Kramer
    I started back in 2011 as a system administrator, but came to the conclusion that breaking infrastructures was more fun than actually maintaining them. Since breaking stuff is not particularly appreciated when you're a sysadmin, I joined Fox-IT to use my Windows and Active Directory background to break stuff, which resulted in tools such as Invoke-ACLPwn, Invoke-Credentialphisher and more.
