
Recently I returned to the blue team, since that is what I understand. I occasionally played a guest role liaising with customers and wrote some summaries based on the characteristics of each device I came into contact with. This post looks, from the Red Team's perspective, at how to avoid being traced back to the source.

---8sec.cc

1. Honeypot system

Browser usage notes

Use a separate, isolated browser

During penetration testing, try to use a browser different from the one you use every day: for example, if Chrome is your everyday browser, use Firefox for penetration.

Use private (incognito) mode

Both Firefox and Chrome have a private browsing mode. If you do not know the target's assets, enable private mode for testing.

These two measures mainly prevent a honeypot from using JSONP callback, XSS and similar vulnerabilities to obtain the Red Team member's identity and information.

However, the fingerprintjs library used in honeypots can tell whether visitors arriving from different IPs and different browsers are the same person, based on specific identifiers, so private mode and a different browser alone will still leave you recognisable to the honeypot.

Anti-honeypot plugin

bypass Honeypot

AntiHoneypot - A Chrome extension that intercepts honeypot XSSI

Functions

Intercepts XSSI requests initiated in the page and blocks suspicious XSSI (JSONP callback, XSS, etc.) by feature identification.

Analyses and captures the inherent features of honeypots, identifies the honeypot and intercepts all of its requests.

Determines whether the fingerprintjs library is present and prompts.

Determines whether there are other related calls, to judge whether a persistent identity is being set.

Checks the relevant calls to determine whether clipboard paste data has been read (to be further verified).

Clears all browser data for the current website (including all cache and storage) with one click.

Determines whether FileSystem is operated on in the page (evercookies can be written there).

2. Guarding against counter-attacks

Server / jump host (springboard)

According to the tracing information obtained by various companies, one of the reasons attackers get identified is that their VPS is compromised; routinely being taken down may be because Red Team personnel lack understanding of Linux/Windows operations and maintenance.

For example, a vulnerable environment built with Docker gets escaped.

A one-click environment build leaves default programs with default passwords (phpMyAdmin, BT panel/pma vulnerabilities, information leakage vulnerabilities).

nmap's interactive mode executing commands, find with the SUID bit for privilege escalation, and so on.

Installing and managing applications on the server

Different installed applications need targeted restrictions: use iptables and remote-login limits to restrict login sources and the number of brute-force attempts. When installing and using software such as CS, do not give it 777 permissions; this time there have been cases of counter-attack via privilege escalation.


Run software in a virtual machine

Among the widely circulated counter-attack cases, there was one where a Blue Team VPN installation package bundled with a trojan (white-plus-black, i.e. DLL side-loading) caused Red Team personnel's machines to be brought online. Therefore, if you need to download/install things for targets such as finance (IE controls), VPN, etc., operate in a virtual machine as much as possible, roll back the image after each different job/project, and take a backup once the virtual machine's network proxy configuration is complete.

3. Information hiding

Hiding your mobile phone number

Alibaba Small Account has now stopped registration and applications, and will probably be shut down before long. During regular penetration work you can choose to buy SMS cards, use a code-receiving platform, use an internet phone for calls, or buy a real-name registered card. Ideally, achieve physical separation from your daily life.

Alipay

Alipay has had a problem before: if you enable the online merchant bank, you can directly see the name of a transfer recipient when it has three characters; if it has two characters, you can use the Alipay transfer function directly and guess the name from other information.

WeChat

WeChat is also a place where IDs leak. Turn off search by mobile phone number, turn off adding friends via WeChat groups, only allow adding friends by QR code, and only allow viewing Moments from the last 3 days. Ask your friends to use a fake name for you as much as possible, for example: Zhang xx, Li xx.

QQ

Same as WeChat: close Qzone to non-friends, set access date restrictions, photo restrictions, photo wall restrictions, and game display restrictions. Ask your friends to use a fake name for you as much as possible, for example: Zhang xx, Li xx. I had this problem before with QQ, where the remark names between friends leaked my real name.

https://zhuanlan.zhihu.com/p/95525409

QQ: getting the real names of mutual friends

https://github.com/anntsmart/QQ

Although it can no longer be used, that does not mean no related interfaces have leaked. For example, logging in to QQ through the old t.qq.com let you log in directly without any security verification and obtain the QQ skey.

Network ID hiding

For commonly used online IDs, try to use some ordinary-looking strings, for example the nickname of some news figure such as "Brother Pants".

Hiding/misleading the real name

Ask your friends to use a fake name for you as much as possible, for example: Zhang xx, Li xx. I had this problem before with QQ, where the remark names between friends leaked my real name.

Because social-engineering databases will only accumulate more and more information, paying to have it hidden is purely burying your head in the sand, so you can only keep your true information hidden in as many places as possible, for example using fake names plus secondary accounts for takeout/express deliveries, and registering identity information using information generated online or from sources you know.

4. Network Hiding

Network hiding needs to be emphasised: the differences between the various proxy methods and which is suitable under what circumstances.

SS/V2 (Shadowsocks/V2Ray)

Advantages

Connection traffic is encrypted/obfuscated. With kcp you can mimic WeChat video traffic.

Disadvantages

Because Socks5 is used, only TCP traffic can be proxied; ICMP/UDP cannot, and leaks happen easily because of client forwarding performance problems.

VPN: L2TP/PPTP

Advantages

The traditional dedicated-line proxy mode; supports system-wide proxying on various systems. The chance of the key being cracked is not high. You can manually set routes to decide which addresses go through which route; set 0.0.0.0 to send all protocols through the VPN. OpenVPN/SoftEtherVPN are simple to set up.

Linux setup:

https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/README-zh.md

Disadvantages

When your network is unstable the connection easily drops in the background, and the notice is very brief, so it is easy to end up running naked (unproxied). It is recommended to restrict the router so that only port 1723 is allowed out; then if the VPN disconnects you cannot leave the network directly until you reconnect to the VPN. All L2TP traffic on domestic networks can be decrypted.

SSL VPN

Product List:

Advantages

The SSL protocol consists mainly of the SSL record protocol and the handshake protocol, which together provide authentication, encryption and tamper-proofing for application access connections. Traffic can be encrypted.

Disadvantages

SSL VPN is limited to web-browser applications and cannot carry some protocols.

5. Hiding in development and applications

Desktop users for development and compilation

When compiling software, it is recommended to compile as an administrator user inside a virtual machine. After C#/C code is compiled, the user name can be leaked, which lets the ID information be associated on platforms such as Weibu.

PDB files: What every developer must know

Github/blog/WeChat Official Account articles

Also, try to use a different ID for Github/blog/WeChat articles, so that search results and any information that can be obtained converge on the false information constructed earlier. Minimise the harm of personal information leaking through features of open-source code.

6. Network device traffic obfuscation

CS traffic obfuscation

Use Malleable C2 profiles to obfuscate CS traffic, combine with domain fronting to hide the back-end IP, and replace the default CS certificate.

Packet padding

Looking at the traffic of some WAF devices, it turns out that, because of functional limits, the WAF does not log large packets. If you think a packet will trigger rules, you can pad the body with garbage characters first. That way the real matching content cannot be seen on the hardware WAF, and it can also mislead the blue team about whether the traffic is legitimate business. (Where there is no full-traffic capture device.)

Packet obfuscation with low-risk alarms

On devices such as Aisa/Tianyan, if there is malicious content in your packet, you can pad in weak-password / plaintext-password-login and other alarm features to cover the high-risk alarm, which makes the device monitors relax their vigilance and increases the time cost of subsequently tracing the attack vulnerability.

Host obfuscation

While testing a WAF it was found that, given a confusing HOST header, the WAF detects the pre-NAT address. If you know some IP addresses of the target's intranet, you can use HOST obfuscation to make the WAF monitors conclude that the pre-NAT address is that of an intranet device. This can also lead the other side to respond to a secure server and increase their time cost.

XFF header obfuscation

Usually XFF header forgery is used to bypass web login IP restrictions, but in some complex intranet cases security devices also use XFF headers to determine the outermost attacking IP and then block it. During an attack this can be changed, or XFF headers can be added, to confuse the other side's monitoring staff. Or add XFF before the CDN and let the CDN keep appending to it. After seeing how the WAF added XFF, I successfully had the attack IP identified as 127.0.0.1.
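The defender-side fix for the XFF problem described above is to derive the client address by walking the chain from the right and skipping only known proxy hops, so a client-supplied "127.0.0.1" at the front of the header is ignored. This is an added example, not code from the post; the trusted proxy range and the addresses are constructed.

```python
import ipaddress

# Assumption (constructed): the CDN/WAF hops that legitimately append XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def is_trusted(addr):
    return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff):
    """The weak pattern: trust the left-most XFF entry, which the client controls."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr, xff):
    """Return the address that actually connected to the first trusted proxy.

    Walk X-Forwarded-For from the right (the hop nearest to us), skipping
    trusted proxies. The first untrusted address is the client; everything
    to its left was supplied by the client and carries no authority.
    """
    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: XFF is entirely attacker-controlled
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed chain: fall back to the TCP peer address
        if not is_trusted(hop):
            return hop
    return remote_addr  # only proxies in the chain; nothing better than the peer


if __name__ == "__main__":
    spoofed = "127.0.0.1, 203.0.113.5"  # constructed: client prepended 127.0.0.1, CDN appended 203.0.113.5
    print("naive:", naive_client_ip("198.51.100.7", spoofed))  # 127.0.0.1
    print("chain-aware:", client_ip("198.51.100.7", spoofed))  # 203.0.113.5
```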

Data SIM cards

To prevent being traced in some red team projects, it is best to use data SIM cards for penetration as much as possible. Some data cards hop between cities, which is very good. Including the cards I am using now: the IP geolocation basically just says China, and not even the province comes out, never mind the blue team locating you by your usual IP locations.

Cobalt Strike DNS features

Usually the DNS characteristic is that requests are made at regular intervals to the malicious domain (if not enabled).

In this case it is quite difficult to determine the DNS characteristics, but if you want to check, search for dns-type:1 (A records) on Tianyan.

The characteristics are more obvious after DNS-TXT is enabled.

Searching by DNS type finds TXT records: search for dns-type:16 in Tianyan. If there are TXT records with a large number of queries in the format xxx.<16 digits>.domain, it can be provisionally judged to be a CS DNS beacon. However, since requests in CS version 3.14 are encrypted, I have not yet seen the encryption key; this has not been solved yet.

The characteristic when executing commands is POST.
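As an added detection example (not part of the post), the TXT-query shape described above can be turned into a resolver-log check: count TXT queries whose name contains a 16-digit label, per client and registrable domain, and flag pairs that exceed a threshold. The log lines, the threshold and the two-label "base domain" rule are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample resolver log (not real data): timestamp client qtype qname
SAMPLE_LOG = """\
2020-10-09T11:37:09 10.0.0.5 TXT 7a.1234567890123456.c2.example
2020-10-09T11:37:10 10.0.0.5 TXT 7a.1234567890123457.c2.example
2020-10-09T11:37:11 10.0.0.5 TXT 7a.1234567890123458.c2.example
2020-10-09T11:37:12 10.0.0.5 TXT 7a.1234567890123459.c2.example
2020-10-09T11:37:13 10.0.0.5 TXT 7a.1234567890123460.c2.example
2020-10-09T11:37:14 10.0.0.7 TXT _dmarc.example.com
2020-10-09T11:37:15 10.0.0.7 A www.example.com
"""

LABEL16 = re.compile(r"^[0-9]{16}$")  # the "xxx.<16 digits>.domain" shape from the post
THRESHOLD = 5  # assumption: flag after this many matching TXT queries per client+domain


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def base_domain(qname):
    # Assumption: registrable domain is the last two labels (no public-suffix handling)
    return ".".join(qname.split(".")[-2:])


def suspicious_txt(qtype, qname):
    # Accept the mnemonic or the numeric type (16) as logged by different resolvers
    return qtype in ("TXT", "16") and any(LABEL16.match(l) for l in qname.split("."))


def flag_dns_beacons(log_text, threshold=THRESHOLD):
    """Return sorted (client, base_domain) pairs with >= threshold suspicious TXT queries."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if suspicious_txt(qtype, qname):
            counts[(client, base_domain(qname))] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(flag_dns_beacons(SAMPLE_LOG))  # [('10.0.0.5', 'c2.example')]
```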
