BSidesROC 2016 - Nick Piazza - Fault Tolerant Command and Control Networks

Transcript of BSidesROC 2016 - Nick Piazza - Fault Tolerant Command and Control Networks

FAULT TOLERANT COMMAND AND CONTROL NETWORKS

NICK PIAZZA

AGENDA

▸ Introduction

▸ Botnet Overview & History

▸ C2 Channels

▸ IRC C2

▸ IRC Inspired C2 Network

▸ Project Goals

▸ Demo

▸ Questions

▸ Special Thanks & References

INTRODUCTION

WHOAMI

▸ 4th year BS/MS Computing Security student at RIT

▸ Former Tech-Lead and VP of RIT’s Competitive Cybersecurity Club (RC3)

▸ Captain of RIT’s 2015 CPTC Team

▸ Giving my first talk ever!!!!

WHAT’S IN SCOPE

▸ Command and Control (C2) Servers

▸ C2 Channels

▸ Server-to-server communication

▸ Client check-in

WHAT’S NOT IN SCOPE

▸ Clients in general

▸ Clients managing callback domains

▸ Secure storage of information on clients

▸ Reverse engineering to find callback locations

BOTNET OVERVIEW & HISTORY

WHAT ARE BOTNETS

▸ “A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control (C&C) or by passing messages to one another (C&C might be built into the botnet as P2P).” - Wikipedia

▸ In other words, a network of computers that talk to each other or a server, which gives them instructions

▸ Malicious or benign

▸ Malicious: Zeus, the infamous banking malware

▸ Benign: http://setiathome.berkeley.edu/

WHAT ARE USES FOR BOTNETS

▸ DDoS attacks

▸ Email spamming

▸ Seeding torrents from leaked documents

▸ Botnet as a Service (BaaS)

BRIEF BOTNET HISTORY

▸ Bagle, 2004 - 230,000 nodes

▸ Conficker, 2008 - millions of infected nodes, with only a portion of them in the botnet

▸ Zeus, 2010 - 3,000,000+ in the US

BOTNET TERMS

▸ Bot Master

▸ C2 Server

▸ Relay Node / Stepping Stone

▸ Bot / Zombie

[Diagram: CLIENT-SERVER ARCHITECTURE. Bot Master, three C2 Servers, four Relay Nodes, and a row of Bots]

BOT / ZOMBIE

▸ The malware that you have installed on the target

▸ Ideally in large numbers

▸ Will execute commands given by the C2 servers

RELAY NODE / STEPPING STONE

▸ Forwards connections from bots to C2 servers

▸ Protects the real locations of the C2 servers

▸ Could be as simple as a SOCKS proxy

▸ Could be as complex as rotating through known domains

▸ Your bots are tolerant to losing these connections

C2 SERVER

▸ Holds commands from bot master

▸ Accepts connections from bots and dispenses commands

▸ Holds the files that will be downloaded by the bots

▸ Introduces the concept of C2 channels

▸ Different methods of delivering commands

▸ Can have different channels in the same network

BOT MASTER

▸ The person who controls all of the bots

▸ Inserts commands into C2 servers

▸ Can divide bots into logical groups

▸ Can specify what the bots will do

▸ Limited by the commands and intention of the botnet

C2 CHANNELS

▸ A means of transmitting information to bots

▸ Can be done through many different protocols

▸ Attempt to hide in plain sight

▸ Use whatever traffic looks normal

COMMON PROTOCOLS

▸ IRC

▸ HTTP

▸ HTTPS

▸ ICMP

▸ SSH

IRC C2

▸ Clients connect to an IRC server

▸ Clients connect to IRC channels to wait for messages from the master

▸ Relies on the IRC infrastructure to deliver the messages

▸ Change channels every so often

ADVANTAGES TO USING IRC

▸ Easy setup

▸ Easy command distribution

▸ Send commands in plain English

DISADVANTAGES TO USING IRC

▸ Commands in plain English

▸ Unencrypted communications to the IRC server

▸ If bots do not validate the user, it is easy to reverse engineer them and inject commands

▸ Relatively easily hijackable

IRC INSPIRED C2 NETWORK

▸ Not using IRC

▸ Build a network of C2 servers close to how IRC operates

▸ IRC works as a spanning tree

WHY NOT USE IRC’S SPANNING TREE?

▸ The spanning tree poses a redundancy problem

▸ Imagine if you lose a middle branch

▸ Causes network segmentation

▸ The 2 sections become disjoint

IRC NETWORK MESSAGE PROPAGATION

[Diagram sequence: six servers, Server 1 to Server 6; a MESSAGE label appears at one server and is copied to the neighbouring servers one hop at a time until all six carry it]

IRC NETWORK DIAGRAM

[Diagram sequence: the same six-server layout repeated over six slides; only the server labels survive extraction]

SOLUTION: PARTIAL MESH

▸ Take the concept of forwarding commands to servers

▸ Ensures that each server will have the same database

▸ If organized correctly, can be tolerant of mild to medium losses

▸ If somebody dismantles 85% of your network, it will be hard to ensure fault tolerance

▸ More practical and realistic than full mesh

DESIGN CHOICES

▸ Go is the language of choice

▸ Redundant messages are a problem

▸ Better than implementing a full P2P routing mechanism

▸ Could use BATMAN, but that’s hard with Go?

▸ Partial vs Full Information Chain

▸ Full would increase traffic size

ALGORITHM

▸ Server establishes connection with peer C2 server

▸ Command DB updated

▸ Server notifies all other peer servers

PEER SERVER CONNECTION

▸ Server contacts other server

▸ Servers validate each other’s authenticity

▸ Maintain communications at a periodic interval, or over a constant command channel

COMMAND DB UPDATED

▸ Could be done by the Bot Master manually

▸ Could be from an update from a peer server

▸ Server will silently ignore duplicate messages

▸ Server will then notify all other peers

SERVER TO SERVER UPDATES

▸ Server will update all other peers that it did not receive an update from

▸ Server will attach a partial information chain

▸ Each update contains a partial information chain

PARTIAL INFORMATION CHAIN

▸ Partial information chain contains IDs of each server that the update is being sent to

▸ If a peer’s ID is already listed in the chain, the server will not notify that peer

▸ Remember that it ignores the updates that it has already received
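
As an added example (not the talk’s project code), the update propagation rules from the ALGORITHM slide through this one, together with the spanning-tree segmentation problem raised earlier, simulated in Go on two constructed six-server topologies. The chain contents (the sender plus the peers of that send) and the topologies are assumptions modelled on the 2/3/6-node slides.

```go
package main

// Network is an undirected peer graph: server ID -> IDs of its peer servers.
type Network map[int][]int

// Constructed six-server topologies (assumptions, not from the talk): an IRC-style
// spanning tree, and a partial mesh in which every server has at least two peers.
var (
	TreeNet = Network{1: {2, 3}, 2: {1, 4, 5}, 3: {1, 6}, 4: {2}, 5: {2}, 6: {3}}
	MeshNet = Network{1: {2, 3}, 2: {1, 3, 5}, 3: {1, 2, 4, 6}, 4: {3, 5, 6}, 5: {2, 4, 6}, 6: {3, 4, 5}}
)

// update is one command-DB update in flight to server "to". chain is the partial
// information chain: the sender plus every server that same send went to (assumed).
type update struct{ to int; chain map[int]bool }

// Propagate floods a new command from origin, treating the servers in down as lost,
// using the slides' rules: a server silently ignores an update it has already
// applied, otherwise it notifies every peer not in the incoming chain. It returns
// the servers that applied the update and the total messages sent.
func Propagate(net Network, origin int, down ...int) (applied map[int]bool, sent int) {
	dead := map[int]bool{}
	for _, d := range down {
		dead[d] = true
	}
	applied = map[int]bool{}
	queue := []update{{origin, map[int]bool{origin: true}}}
	for len(queue) > 0 {
		u := queue[0]
		queue = queue[1:]
		if applied[u.to] { // duplicate update: silently ignored
			continue
		}
		applied[u.to] = true
		chain := map[int]bool{u.to: true}
		var targets []int
		for _, p := range net[u.to] {
			if !u.chain[p] && !dead[p] { // skip covered peers and lost servers
				targets = append(targets, p)
				chain[p] = true
			}
		}
		for _, p := range targets { // every target gets the same partial chain
			queue = append(queue, update{p, chain})
			sent++
		}
	}
	return applied, sent
}
```

Propagate(MeshNet, 1) reaches all six servers but sends 9 messages where 5 would do, which is the redundant-message cost the DESIGN CHOICES slide mentions; Propagate(TreeNet, 1, 2) reaches only three servers, the segmentation the spanning-tree slide warns about, while Propagate(MeshNet, 1, 2) still reaches every surviving server.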

C2 NETWORK: 2 NODES

[Diagram sequence: Server 1 and Server 2; the update sent from Server 1 carries the partial information chain "2", and by the last slide both servers show "2"]

C2 NETWORK: 3 NODES

[Diagram sequence: Server 1, Server 2 and Server 3, with Server 4 joining part-way through; the link labels are the partial information chains carried by each update ("2", "3", "3, 4")]

C2 NETWORK: 6 NODES

[Diagram sequence: Server 1 to Server 6; the link labels again show the chains as the update spreads outward ("2", "1, 2", "3, 5", "4, 6", "6")]

WHERE DOES THE FAULT TOLERANCE COME IN?

▸ The fault tolerance is a combination of things

▸ Server command DB updates and synchronization

▸ Clients having a chain of domains to contact in the C2 network

▸ Clients have the ability to contact any server in the network to receive commands

PROJECT GOALS

SHORT TERM GOALS

▸ Server accepts communications from clients

▸ Default channel placement; only 1 channel supported right now :(

▸ Server responds to command request for client

▸ Database replication is supported by default

LONG TERM GOALS

▸ TLS Cert generation and validation

▸ Full forwarding and database replication

▸ Web Administration Panel

▸ Dispense modules to clients

▸ HTTP/HTTPS C2

▸ Potential framework for automated deployment

IMPROVEMENTS

▸ Things that definitely need to be changed

▸ Using an actual database rather than plain data types

▸ Proper client and server ID differences

DEMO TIME

QUESTIONS?

SPECIAL THANKS AND REFERENCES

SPECIAL THANKS

▸ Jaime Geiger

▸ Encouraging me to do this talk

▸ Brad Campbell

▸ Introducing me to Golang

▸ Design assistance

▸ General concept checking

REFERENCES

▸ Definition of Botnet: https://en.wikipedia.org/wiki/Botnet

▸ Botnet Number Figures: https://en.wikipedia.org/wiki/Botnet#Historical_list_of_botnets

CONTACT INFO

▸ @orkulus

[email protected]
