Domain Borrowing: Catch My C2 Traffic if You Can

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 12:30 p.m. (40 minutes).

For red teams, a CDN is a useful redirector and protector for C2 traffic, especially when combined with domain fronting. However, if HTTPS decryption devices are deployed in the network, domain fronting can be easily detected by comparing the TLS SNI with the HTTP Host header.
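The detection check the abstract refers to, written out as an added example (this is not code from the talk or its authors). It assumes a TLS-inspecting proxy logs one line per decrypted request with the SNI and the Host header; the log format, field names and the sample lines below are all constructed for this example and do not follow any vendor's schema. The last sample record, where SNI and Host are identical, passes the check on purpose: it illustrates why a technique whose SNI and Host match is invisible to this comparison and needs other signals.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample records (not real traffic): one line per decrypted HTTPS
# request as a TLS-inspecting proxy might log it. The format is an assumption
# made for this example, not any particular product's log schema.
SAMPLE_LOG = """\
2021-05-06T12:30:01Z src=10.0.0.5 sni=static.cdn-example.com host=static.cdn-example.com
2021-05-06T12:30:02Z src=10.0.0.5 sni=static.cdn-example.com host=c2.fronted-example.net
2021-05-06T12:30:03Z src=10.0.0.7 sni=www.example.org host=WWW.EXAMPLE.ORG:443
2021-05-06T12:30:04Z src=10.0.0.7 sni=www.example.org host=
2021-05-06T12:30:05Z src=10.0.0.9 sni=borrowed.cdn-example.com host=borrowed.cdn-example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S*) host=(?P<host>\S*)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    sni: str
    host: str
    reason: str


def normalize(name: str) -> str:
    """Lower-case a hostname, drop a trailing dot and any :port suffix, so that
    'WWW.EXAMPLE.ORG:443' compares equal to 'www.example.org'.
    Inputs here are DNS names, not IPv6 literals, so splitting on ':' is safe."""
    name = name.strip().lower().rstrip(".")
    if ":" in name:
        name = name.split(":", 1)[0]
    return name


def check_record(ts: str, src: str, sni: str, host: str) -> Optional[Finding]:
    """Return a Finding when the request looks like domain fronting
    (SNI and Host name different hosts) or lacks a Host header entirely."""
    sni_n, host_n = normalize(sni), normalize(host)
    if not host_n:
        return Finding(ts, src, sni, host, "missing Host header")
    if sni_n != host_n:
        return Finding(ts, src, sni, host, "SNI/Host mismatch (possible domain fronting)")
    # SNI == Host: indistinguishable from ordinary CDN traffic by this check alone.
    return None


def find_sni_host_mismatches(lines: Iterable[str]) -> List[Finding]:
    """Run the SNI/Host comparison over log lines, skipping unparseable ones."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = check_record(m["ts"], m["src"], m["sni"], m["host"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_sni_host_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} sni={f.sni} host={f.host}: {f.reason}")
```

Run against the sample log this flags two records: the second line (SNI names the CDN edge, Host names a different domain) and the fourth (no Host header at all). The third line is accepted once case and port are normalized, and the fifth is accepted because SNI and Host agree, which is exactly the blind spot the talk targets.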

This talk will present a new method to hide your C2 traffic with CDN to circumvent censorship. We will detail some tricks we found in some CDN implementations, and how we chain them together to “borrow” a domain and its valid HTTPS certificate to hide our C2 traffic, especially when the SNI and HOST of our C2 traffic are the same. We named this method “Domain Borrowing”.

In addition, we will present a detection bypass demo against the Palo Alto PAN-OS, and release a C2 agent PoC to help your red team operations.

Presenters:

  • Tianze Ding - Senior Security Researcher, Tencent
    Tianze Ding is a Senior Security Researcher in Tencent Security Xuanwu Lab. He focuses on vulnerability research and offensive security research.
  • Junyu Zhou - Senior Security Researcher, Tencent
    Junyu Zhou, Senior Security Researcher in Tencent Security Xuanwu Lab and CTF player from 0ops, focuses on red teaming and web application security. Junyu has been a speaker at HITB2018Dubai, ZeroNights2018, and DEF CON 27.
