Domain Borrowing: Catch My C2 Traffic if You Can

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 12:30 p.m. (40 minutes)

For red teams, CDN is a good redirector and protector for their C2 traffic, especially with domain fronting. However, if there are HTTPS decryption devices in the network, domain fronting can be easily detected by comparing SNI and HOST.

This talk will present a new method to hide your C2 traffic with CDN to circumvent censorship. We will detail some tricks we found in some CDN implementations, and how we chain them together to “borrow” a domain and its valid HTTPS certificate to hide our C2 traffic, especially, when the SNI and HOST of our C2 traffic are the same. We named this method “Domain Borrowing”.

In addition, we will present a detection bypass demo against the Palo Alto PAN-OS, and release a C2 agent PoC to help your red team operations.


Presenters:

  • Junyu Zhou - Senior Security Researcher, Tencent
    Junyu Zhou, Senior Security Researcher in Tencent Security Xuanwu Lab and CTF player from 0ops, focuses on red teaming and web application security. Junyu has been a speaker at HITB2018Dubai, ZeroNights2018, and Defcon 27.
  • Tianze Ding - Senior Security Researcher, Tencent
    Tianze Ding is a Senior Security Researcher in Tencent Security Xuanwu Lab. He is focusing on vulnerability research and offensive security research.

Links:

Similar Presentations: