Is it better? Oh yeah, much better. Thank you.

So we're going to talk about command and control through webhooks, and that's going to be a big-eyed lemur edition talk. I don't know why, but I like lemurs for some reason.

Big words out of the way, what we're trying to accomplish here: we're talking about webhooks, but essentially, from the tactical standpoint, it's a red team and pentester challenge. As Loran's talk was saying, when you're on site, if you're in a situation where you need to create command and control, it's always a challenge, especially in secure environments, and the problem of outbound communication is what we're going to try to solve a little bit. We're going to go over the HTTP webhook concept, and we're going to try to establish asynchronous one- or two-way communication with C2 (command and control) over webhooks. From the strategic standpoint, really what we're trying to do is meet the blue team at their map of the world. They are operating in a certain way, and all we have to do is adapt and overcome; that's what we're going to try to do. We're going to try to feed off the land and maximize the retooling capability on site.

I was introduced, but essentially I have to say that my opinions are mine, nobody else's, and apparently Watson agrees with me, which is good.

So, enough about me. Meet Misha, the pentester, the real deal. He likes grasshoppers. He lives to eat them, he gets paid in grasshoppers, and that's all he really cares about. But really, Misha's day starts at nine o'clock: you plug in, you get an IP, hopefully you go through the motions, of course you use Responder, you get a domain admin, and then for all intents and purposes your job is done. Then all you have to do is exfiltrate things, go back to the hotel, eat some lunch, and you're done, right? Well, almost. To Misha, lunch is very popular.

So he wants to get to his lunch as fast as possible, but before Misha can actually go to McDonald's and order his number six with the grasshoppers and a meal, he has a job to do. We're not going to concentrate on anything he does internally before the exfiltration; we're going to talk about that specific topic here.

So at 9:30 in the morning Misha has gotten the admin, Misha has probably gotten some of the data from the company, and he tries to get it out, get to his C2 or whatever the case may be. He's not able to do that. He's frustrated. What does he do? Essentially, he's got lots of options, right? Kimberley says "ain't nobody got time for that," and Misha likes that very much because Kimberley is really super cool.

So, egress filtering. It's easy for a pentester; there are so many things to do. There is really no challenge here until you get to the point where all your tunneling is watched over: your DNS, ICMP. Obviously you can't shell out, you can't get a web-based shell, and you can't access the cloud drives. All right, so you're prepared for it, because no one does blanket egress filtering: you can get to your C2 through cloud-fronted domains. Cloud-fronted domains are the ones that are basically in a cloud, on providers that are accessible, like AWS or whatnot. So a little doubt in Misha's mind, but nothing to worry about; you can get out. But some secure environments are configured in such a way that you've got proxies, and domain fronting doesn't work for Misha, because everybody knows you can't get out to AWS from certain environments. So he's done, right? There is nothing he can do. The blue team says: not really, you've got no friends here. You're done. Misha, go home, eat your lunch, or order number six if you can afford it.

But most of all, just have a nice day. That's Misha, really frustrated at 10 o'clock, not having been able to get out anywhere, and grasshoppers are a distant memory for Misha at this moment. He's losing his cool; he really can't reach his C2, but he actually needs to do that. So we're going to try to help him do this. Right here he's sort of spaced out a little bit; he is not thinking straight. So what we're trying to get him to do is think outside the box. What does that even mean? Well, assess the situation. Look around you. What is available? What can you use? Being in this specific situation in this specific company, what can you do? You are on a developer network; there are developers out there. For example, Misha hears that they're pushing some code here and there, and they're using some things called webhooks. Misha doesn't know what webhooks are, so let's take a look at what those webhooks are before we move on further.

So, webhooks. The old way: we send the request to the web server and we check for a response. We say, every five seconds we're going to go out and ask, "hey, are you done finishing what we tasked you to do, web server?" and we keep looping until we get the response. Naturally, the web server is not really happy with us. At some point we'll get the response, and then the server is okay, until the next time we start asking it questions, stupid questions really.

So the web server says: "hey, you know what, stop asking me. Why don't I tell you when I'm done processing your request?" This is what the new way of doing things, webhooks, really is. You submit a request for processing, and when the processing is complete the web server posts the response back to you. The web server just says, "okay, give me the link to post the response back to you." "Well, here's the link; when you're done, post it back to me." "No problem."

"Notify me when you're done, and that way I'm going to be sleeping and you're going to be working, and then you're going to notify me when you're done." Most importantly, you're going to do this asynchronously. So no more aggravated servers, and you're happy.

So what do we do? The link that we post in the webhook is just an action and a method, or some variation of the same, and then on the client we listen for that request, or response rather, from the server, and we have a callback that we launch in the background to listen for it.

So who uses webhooks? It's nice, and therefore the developers are using them: continuous integration (Heroku just yesterday came out with a new CI service of their own), GitHub, Slack, any notification services like PagerDuty, Datadog, and internal teams as well.

So, Misha is excited. He likes to learn about new things; webhooks seem to be cool. And Misha being Misha, he still likes grasshoppers for some reason, so he thinks about lunch all the time, and things started to click a little bit, with our help. So we start looking at what we can do with these webhooks while we're on the inside. There are developer sites; they're using webhooks. Can we use this technology, or this trick, for C2 contact? Yes. And so Misha is a little bit more excited here; he's got his thought process started.

So we're talking about a C2 broker. The C2 is somewhere on the other side of the planet; how do we broker this information? The traits of the broker: the C2 broker needs to be public, because you need to get out to a site that is visible, and then that site needs to post somewhere else that is also public. It needs to have a decent set of webhook functionality so we can be a little bit more flexible. And most importantly for the red teams, we have to blend into the traffic,
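The listening end of a webhook that the speaker just described, the "callback that we launch in the background", as an added example (not the speaker's code and not from the octahook project). GitHub POSTs a JSON document to the registered URL, names the event in the X-GitHub-Event header and, when the webhook was created with a secret, puts an HMAC-SHA256 of the raw body in X-Hub-Signature-256. The receiver below verifies that header before it trusts anything in the body, then keeps only the two event types a broker would act on. The secret value and the sample deliveries are constructed for the example.

```python
# Added example (not from the talk or the octahook project): the receiving side
# of a GitHub webhook. The secret and the sample deliveries are constructed.
import hashlib
import hmac
import json
from typing import Optional, Tuple


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Recompute the HMAC over the raw (unparsed) body and compare in constant time."""
    if not header_value.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value)


def parse_delivery(headers: dict, body: bytes, secret: bytes) -> Optional[dict]:
    """Reduce one delivery to {kind, issue, body}; None when it fails verification
    or is an event/action the broker does not care about."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return None  # forged, tampered, or unsigned delivery
    payload = json.loads(body)
    event, action = headers.get("X-GitHub-Event"), payload.get("action")
    if event == "issues" and action == "opened":
        return {"kind": "request", "issue": payload["issue"]["number"],
                "body": payload["issue"]["body"]}
    if event == "issue_comment" and action == "created":
        return {"kind": "response", "issue": payload["issue"]["number"],
                "body": payload["comment"]["body"]}
    return None  # edited/closed/ping/etc. are ignored


def make_delivery(secret: bytes, event: str, payload: dict) -> Tuple[dict, bytes]:
    """Build the headers and raw body GitHub would send (constructed test input)."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    sig = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"X-GitHub-Event": event, "X-Hub-Signature-256": sig}, body


if __name__ == "__main__":
    secret = b"webhook-secret-from-repo-settings"  # assumed value
    headers, body = make_delivery(
        secret, "issues", {"action": "opened", "issue": {"number": 612, "body": "ls -l"}})
    print(parse_delivery(headers, body, secret))         # accepted request
    print(parse_delivery(headers, body + b" ", secret))  # tampered body -> None
```

The check has to run over the raw bytes, before any JSON parsing or re-serialisation, or the computed HMAC will not match what GitHub signed.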
the things that are being watched. So whatever we can do to maximize our chances to get out safely, that's what we're going to do. In this specific case, with a proxy and content management in the middle, we want to be on good behavior with the proxies. Obviously Misha likes to be cool, so he's going to try to do that a little bit here.

Again, good candidates for a C2 broker: how about CI services? How about GitHub, Slack and all the other ones? They're public, they're visible, they have good APIs, so you can try. So here are your scenarios. You're not allowed to connect outbound; there are web content proxies. We've established that. You lost the tools on the inside, and you need to bring them in. How do you do that? That may be one of your scenarios for using webhooks. Or, if you're a little bit more advanced in this regard, you want to switch the direction of your C2 and have the C2 on the inside while you connect from the outside. You can also do that. So let's build you a tool to get you going, Misha.

So a really nice intermediate C2 broker is a cat site of some sort. Misha does not really like cats, and actually Misha doesn't like cats with eight legs either, but if Misha can take advantage of that site, then he'll be happy. So let's go ahead and evaluate a cat site. A cat site is super popular and developer friendly; obviously everybody uses it. It has a really awesome webhook API, and it is allowed: companies do allow traffic to GitHub. GitHub is specifically used for development, for DevOps, but also for infrastructure. So essentially, what we're going to do is use GitHub to create a broker for our C2.

The task is going to be for Misha to send a request to GitHub over a webhook; the webhook will reach out to the C2 that Misha has on the other side of the planet, and the C2 will respond through GitHub back into the presence that Misha has on the inside of the company. The way it sort of works with webhooks is that you store some notification on GitHub, there is a link that wakes up an agent on the other side, and then you circle back. In this case you still pull in some of the results, but this is done manually, because you know what you've asked for, and so you can ask for a response.

GitHub is easy to set up. It's helping us from the red team perspective: you can set up up to 20 webhooks, so, thinking ahead, you have a lot of functionality here. GitHub is super REST friendly: JSON payloads, everything is set up nicely for us. So we're going to go ahead and choose what we are listening for, and what we're going to be listening for are the issues and the issue comments on the other side. Also, GitHub is trying to secure developer communication, storage and all that good stuff, so we're going to ride that wave: we're going to use GitHub's security to obscure our communication between our C2 and our client.

So this is octahook. It's a little shell that allows you to encode all these things that we talked about, to use the client and use the server, and proxy everything through issues and GitHub communication to the C2. Essentially, from the blue team perspective, all you're seeing is traffic to GitHub and traffic from GitHub. It's all encrypted, obviously, because GitHub makes it easy for us. We just did ls -l on our C2, which resides somewhere in Eastern Europe, maybe. So this concept is asynchronous: we execute a command on the server, on the C2, and then we manually poll the issue for completion.

We send the status and say, "hey, am I done, am I done, am I done?" We view issue number 612, and 612 has a response for us, which is nice. It's a little shell here.

So what is the delivery mechanism in this particular response? Every agent connecting to the C2 has an identifier, and it's straight YAML over JSON to post the requests and get the responses out. You use the GitHub app tokens to authenticate yourself with GitHub, and it basically goes from there. You can use an app token; you have some limits, things that you need to take care of with GitHub as far as throttling counters and posting limits, but for the most part it's all extensible here.

On the issue side, this is what you see on GitHub: the various types of requests that octahook supports. You can do operating system execution; you can do content put, which we're going to look at a little bit later. And obviously the C2 on the other side says, "yep, the issue is resolved, go ahead and look at your responses." So essentially it's like a ticket: it's a ticket from your C2 to GitHub to close the issue and notify your agent on the inside to come back and check for it. If you've got large payloads, you can split them across multiple comments on the same issue, so it's very convenient.

This is how the request looks. Essentially, you can extend it if you want, but in the proof of concept this is just the ls, and the type of execution is "process". More configuration. But really what needs to happen here is that, now that we're using webhooks over GitHub, for example in this case, you can assume a role: you can be a client and a server on each side of things. The way GitHub works, by sending responses through a webhook, is that it's a broadcast. So if you created two webhooks, both of the webhooks are going to get the JSON payload.

And so you can play on this by saying, "well, if I can listen to both, then I can be a server and a client," which makes it much easier for us because we can extend that even further. You can do uploads through GitHub, obviously, for lost tools: if Misha cannot get to his Impacket library, it's not on the customer side, you're working from a restricted Citrix environment, you can pretty much reverse-upload the library and use it here. Every agent that hooks up through GitHub will have a directory with its identifier, and this is where you place the content.

So again, the roles: you can be client side and server side on either side of the execution. The C2 can be a client, your agent can be a client; two threads, command execution and the web server itself that listens for the payload. So bringing more tools on the inside is exactly the opposite of executing something on your C2, which makes it easier for you to bypass the proxy, because GitHub is really allowed. This is a little demo of how you would put content from the C2, if you forgot to bring your toolkit, back into the organization. You touch a file, or in this case you would probably have a depot of files on your C2, and then you would execute a put through GitHub to the local side, and then you can pull it down by download. But it's still sort of not real-time: you need to ask whether your upload has completed or whatnot, so it's not automated enough. Let's see what we can do to solve this issue.

Again, coming back to what webhooks really are: it's just a broadcast, and if we use GitHub as a central repository, or broker, of C2, then we can achieve real-time communication. So essentially what we do is assign two webhooks, one that goes to the C2 server and the other that goes to the client, to the agent that resides in the company.

So, by me executing ls -l on the C2, the request and the response are going to be coming in both ways, so I can wake up both sides at the same time by that broadcast. The side that is the client will listen for a response, and the side that is the server is going to listen for a request. That makes it a little bit easier for us to achieve real-time proxying via GitHub by creating just two endpoints; they could be different IPs, or different resources on the same server if you want. That's basically what you could do. So let's see how that's done.

So we turn on real-time communication, we execute ls -l outside, and we get a response back: no polling, no asking to view the issue for a response. That's basically the real-time shell that you can get from the C2 back into your environment.

You can reverse it. You can say, "hey Misha, it's 12:30, I want to go to lunch. I'm going to change the roles, flip the roles: I'm going to make my agent on the inside a C2, and I'm going to make a client on my point of presence across the world, and that's how I would operate for the next day until I get what I need from this company." So really nice, a good day's worth of work. Misha's happy; it took him a few hours to code it in. But obviously Misha doesn't like to be alone.
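The broker exchange from the last few passages, as an added example that is not octahook's own code: an in-memory stand-in for GitHub that broadcasts every issue event to all registered webhooks, a node that is client and server at the same time, a response chunked across several comments, the closed issue as the "done" ticket, the agent-ID filter for swarm use, and the role flip. The JSON envelope, the "to" field, the chunk size, the node names and the canned command output are all assumptions made for the example; nothing here executes a real command.

```python
# Added example (not the talk's octahook code): a self-contained model of the
# issue-based broker. FakeGitHub stands in for the repository and, like a real
# GitHub webhook, fans every event out to ALL registered webhooks. A Node is
# symmetric: it answers requests addressed to it (server role) and opens issues
# to task another node (client role). Envelope format, "to" field, chunk size
# and the canned output are assumptions.
import json
from typing import Callable, Dict, List

CHUNK = 48  # assumed; real comments hold far more, kept small so splitting is visible


class FakeGitHub:
    """In-memory stand-in for a repository's issues plus its webhook broadcast."""
    def __init__(self) -> None:
        self.issues: Dict[int, dict] = {}
        self.webhooks: List[Callable[[dict], None]] = []
    def add_webhook(self, callback: Callable[[dict], None]) -> None:
        self.webhooks.append(callback)
    def _broadcast(self, event: dict) -> None:
        for hook in self.webhooks:  # every webhook receives every event
            hook(event)
    def open_issue(self, body: str) -> int:
        number = len(self.issues) + 1
        self.issues[number] = {"body": body, "comments": [], "state": "open"}
        self._broadcast({"event": "issues", "action": "opened", "issue": number, "body": body})
        return number
    def comment(self, number: int, body: str) -> None:
        self.issues[number]["comments"].append(body)
        self._broadcast({"event": "issue_comment", "action": "created", "issue": number, "body": body})
    def close_issue(self, number: int) -> None:
        self.issues[number]["state"] = "closed"
        self._broadcast({"event": "issues", "action": "closed", "issue": number})


class Node:
    """One end of the channel; server and client at the same time."""
    def __init__(self, name: str, gh: FakeGitHub, handlers: Dict[str, Callable[[list], str]]) -> None:
        self.name, self.gh, self.handlers = name, gh, handlers
        self.inbox: Dict[int, Dict[int, str]] = {}  # issue -> {seq: chunk}
        self.handled, self.done = set(), set()
        gh.add_webhook(self.on_event)  # one webhook per node, both get everything

    def on_event(self, ev: dict) -> None:
        if ev["event"] == "issues" and ev["action"] == "opened":
            try:
                req = json.loads(ev["body"])
            except ValueError:
                return  # not a request envelope
            if req.get("to") != self.name:  # swarm rule: only requests addressed to me
                return
            self.handled.add(ev["issue"])
            handler = self.handlers.get(req.get("type"))
            self._reply(ev["issue"], handler(req.get("args", [])) if handler else "unsupported type")
        elif ev["event"] == "issue_comment" and ev["issue"] not in self.handled:
            try:
                chunk = json.loads(ev["body"])
            except ValueError:
                return
            self.inbox.setdefault(ev["issue"], {})[chunk["seq"]] = chunk["data"]
        elif ev["event"] == "issues" and ev["action"] == "closed":
            self.done.add(ev["issue"])

    def _reply(self, number: int, text: str) -> None:
        pieces = [text[i:i + CHUNK] for i in range(0, len(text), CHUNK)] or [""]
        for seq, piece in enumerate(pieces):  # large payloads span several comments
            self.gh.comment(number, json.dumps({"seq": seq, "of": len(pieces), "data": piece}))
        self.gh.close_issue(number)  # closing the ticket signals completion

    def request(self, to: str, kind: str, args: list) -> str:
        number = self.gh.open_issue(json.dumps({"from": self.name, "to": to, "type": kind, "args": args}))
        if number not in self.done:  # with real delivery you would poll the issue here
            raise TimeoutError(f"issue {number} not closed yet")
        chunks = self.inbox.pop(number)
        return "".join(chunks[i] for i in sorted(chunks))


DEPOT: Dict[str, bytes] = {}  # files pushed through the channel
PUT_PAYLOAD = "#!/usr/bin/env python\n" + "x" * 100  # constructed stand-in for a tool


def fake_shell(args: list) -> str:
    """Constructed stand-in for process execution: a canned listing, no real shell."""
    listing = ("total 8\n-rw-r--r-- 1 misha misha 1337 Jan 1 09:30 loot.tar.gz\n"
               "drwxr-xr-x 2 misha misha 4096 Jan 1 09:31 depot\n")
    return "$ " + " ".join(args) + "\n" + listing


def content_put(args: list) -> str:
    """The 'bring tools inside' request type: store a file in the receiving side's depot."""
    path, data = args
    DEPOT[path] = data.encode()
    return f"stored {len(data)} bytes at {path}"


def demo() -> dict:
    gh = FakeGitHub()
    handlers = {"process": fake_shell, "content.put": content_put}
    c2, agent = Node("c2", gh, handlers), Node("agent-7f3a", gh, handlers)
    return {
        "ls": agent.request("c2", "process", ["ls", "-l"]),  # agent tasks the C2
        "flipped": c2.request("agent-7f3a", "process", ["whoami"]),  # roles flipped
        "put": c2.request("agent-7f3a", "content.put", ["tools/dump.py", PUT_PAYLOAD]),
        "comments_on_1": len(gh.issues[1]["comments"]),
        "issues": len(gh.issues),
    }
```

Because the fan-out is synchronous here, a request has already been answered by the time open_issue returns; with a real webhook the closed event arrives later, which is the polling the speaker describes for the non-real-time mode. The same Node class serves both directions, which is all the "flip the roles" step needs.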
He likes to share things with a friend, and that may also be possible, because right now you can extend this. This is a proof of concept for GitHub, but essentially, we know that continuous integration tools exist through various sites that are more than likely allowed right now, like Heroku maybe; Slack is a very popular thing. So you can write a plug-in for how you want to communicate file puts and execution of commands between the two. Because every agent has its own configuration and ID, you can create logic where you say, "I'm only listening for ID XYZ coming from this particular machine," so you can have a swarm capability where you are broadcasting requests and getting responses from where you need to be. So you can bring in a friend, a different agent that would take over your C2 capability, and you can hand it off. You can change the role, you can hand it off to another guy. So simultaneous execution on multiple agents may be possible; flipping C2 direction may be possible.

Mitigation. Webhooks are here to stay; that's how developers will go forward with this. It's easy, it solves a lot of issues for them, and the sites that implement them are very popular and high-ranking on the content proxy, and that will still exist. Again, if you're managing your systems well, why not just restrict the specific developer to the specific site that they need on GitHub, like a repository, even from this specific machine? Do not open up blanket communication to GitHub, because that's what's going to happen here. Take a hard look at why you need to use GitHub. Do you want to have a local repository of things that you need local developers, or your infrastructure team, to use? Do you really need to go out to the social coding sites and do that? And if you're into deep behavior inspection, then there is no reason why you would need to have 612 issues opened up on zero lines of comments or code on GitHub, right? That's a telltale sign of this particular example of communication. So see what your developers are doing, why they're doing it, and restrict them accordingly. And from the red team, we're going to keep riding the social coding until this sort of division happens, because the possibilities are endless with this software right now; it's all going to be widespread. So essentially it's one of the things that can be done. If you have any questions...
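The "telltale sign" the speaker points the blue team at, as an added detection example that is not part of the talk: it runs over a constructed audit trail (records shaped loosely like GitHub event summaries) and flags a repository that piles up hundreds of issues with no pushes and whose comments are transport envelopes or opaque base64 blobs rather than human text. Field names, thresholds and the entropy cut-off are assumptions; the 612 figure is the speaker's.

```python
# Added example (not from the talk): blue-team heuristic for a repository being
# used as a message broker. Records, field names and thresholds are constructed.
import base64
import json
import math
import random
from collections import Counter, defaultdict
from typing import Dict, List


def shannon_entropy(text: str) -> float:
    """Bits per character; random base64 sits near 6, English prose around 4."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def machine_like(body: str) -> bool:
    """True when a comment looks like a chunk envelope or an opaque blob, not a human note."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and {"seq", "of"} <= set(doc):
            return True  # chunk envelope of the kind a broker would emit
    except ValueError:
        pass
    if len(body) >= 40 and " " not in body:
        try:
            base64.b64decode(body, validate=True)
            return shannon_entropy(body) > 4.5
        except ValueError:  # binascii.Error is a ValueError
            pass
    return False


def audit(records: List[dict], min_issues: int = 50, blob_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Per repository: flag heavy issue traffic with no pushes, and comment streams
    dominated by machine-looking bodies. Returns {repo: [reasons]} for flagged repos."""
    stats = defaultdict(lambda: {"push": 0, "issues": 0, "comments": 0, "blobs": 0})
    for rec in records:
        s = stats[rec["repo"]]
        if rec["event"] == "push":
            s["push"] += 1
        elif rec["event"] == "issues":
            s["issues"] += 1
        elif rec["event"] == "issue_comment":
            s["comments"] += 1
            s["blobs"] += machine_like(rec.get("body", ""))
    findings: Dict[str, List[str]] = {}
    for repo, s in stats.items():
        reasons = []
        if s["issues"] >= min_issues and s["push"] == 0:
            reasons.append(f"{s['issues']} issues opened with no pushes")
        if s["comments"] and s["blobs"] / s["comments"] >= blob_ratio:
            reasons.append(f"{s['blobs']} of {s['comments']} comments are envelopes or opaque blobs")
        if reasons:
            findings[repo] = reasons
    return findings


def build_sample_records() -> List[dict]:
    """Constructed audit trail: one normal repository and one used as a broker."""
    rng = random.Random(1337)
    recs = [{"repo": "acme/payments", "event": "push", "actor": f"dev{i % 5}"} for i in range(30)]
    for _ in range(6):
        recs.append({"repo": "acme/payments", "event": "issues", "actor": "dev1"})
        recs.append({"repo": "acme/payments", "event": "issue_comment", "actor": "dev2",
                     "body": "Reproduced on staging, fix is in the next release."})
    for i in range(612):  # the number from the talk
        recs.append({"repo": "misha/notes", "event": "issues", "actor": "ci-bot"})
        blob = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(60))).decode()
        body = json.dumps({"seq": 0, "of": 1, "data": blob}) if i % 2 == 0 else blob
        recs.append({"repo": "misha/notes", "event": "issue_comment", "actor": "ci-bot", "body": body})
    return recs


if __name__ == "__main__":
    for repo, reasons in audit(build_sample_records()).items():
        print(repo, "->", "; ".join(reasons))
```

The two signals are deliberately independent: a busy project with real pushes is not flagged for its issue count, and a quiet repository is not flagged for a handful of human comments. A real deployment would feed this from the audit log of the GitHub organisation or from the proxy's request log, with the same two questions: is code actually moving, and do the comment bodies look like something a person wrote?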