Presented at
DeepSec 2017 „Science First!“,
Unknown date/time
(Unknown duration).
This presentation will sum up how to do tunnelling with different protocols and will feature different perspectives in detail. For example, companies are fighting hard to block exfiltration from their network: They use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. During this presentation we'll show you some mitigation and bypass techniques, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past, like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, this changes now: After taking a look at these tools it was easy to see some commonality. All of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, so there is no need for any low-level packet fu and hassle. I guarantee that you won't be disappointed with the tool and the talk, actually you will be an open-source tool richer.
Presenters:
-
Balazs Bucsay
- NCC Group
Balazs Bucsay (@xoreipeip) is a Senior Security Consultant at NCC Group in the United Kingdom who does research and penetration testing for various companies. He has presented at many conferences around the world including Honolulu, Atlanta, London, Oslo, Moscow, and Vienna on multiple advanced topics relating to the Linux kernel, NFC and Windows security. Moreover he has multiple certifications (OSCE, OSCP, OSWP, GIAC GPEN) related to penetration testing, exploit writing and other low-level topics; and has degrees in Mathematics and Computer Science. Balazs thinks that sharing knowledge is one of the most important things in life, so he always shares his experience and knowledge with his colleagues and friends. Because of his passion for technology, he starts his second shift in the evenings, right after work to do further research.
Links:
Similar Presentations: