Escaping Restricted Environments and Bypassing DLP
I recently completed a “Purple Team” engagement (where a Red team works alongside a Blue team to demonstrate techniques and develop detections for them). In the initial stages of the assessment I was issued an employee laptop with the standard corporate image and given an overview of the network rules in place, which included proxying and inspection of all outbound traffic. Sure enough, after copying over my favorite Remote Administration Tool (Pupy), HTTPS command and control (C2) wasn’t working: the proxy required authentication, so my rogue Pupy binary could not authenticate and escape the network through it. Looking for another way out, I pulled up a command prompt and found I could `nslookup` against arbitrary external DNS servers, meaning DNS queries were allowed out to any resolver, not just the corporate ones. Time to pull out the slow but faithful DNS C2.
Having some type of C2 is good, since we can now interact with the tool, but DNS is a very slow and very loud way to run an interactive tool. Luckily, when controlled over DNS Pupy can perform an “Online Status” check, which probes a range of potential egress and exfiltration paths. Running it came back with mostly the expected results: HTTPS proxied, DNS allowed, and so on. On closer examination I could see that it also uses PortQuiz (portquiz.net, a public host that accepts TCP connections on every port) to determine whether any direct TCP connections can be established. This revealed that some non-standard ports were allowed directly out to the internet!
Considerations: This method is very noisy; the check opens a burst of outbound connections to a single external host across hundreds of ports, which is exactly what firewall logs, NetFlow records and port-scan detections pick up. At the time of this writing there appears to be no available documentation on the DNS functionality Pupy offers. By default, the “Online Status” check will only return 8 open ports and will limit scanning to the nmap top 1000 ports.
[Screenshot of the “Online Status” output omitted.] Note: This is not the actual output from the assessment.
Baking a new Pupy binary that used HTTPS over one of these ports put me back in business; data loss prevention be damned!
How did this scenario come to be? It appears an internal application needed non-standard port access for something, and the “Allow” rule written for it was inadvertently applied to all users. By working with the firewall team, we were able to resolve the issue. But the security team asked an interesting question: “How do we test for this when you leave? We don’t have an external Pupy C2 server or know how to use it.” My initial thought was to provide them a small script that would curl the PortQuiz ports and print the results in a table, but why not give them the same full check I used with Pupy?
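For readers who only want the small script, here is the “curl PortQuiz ports and print a table” idea as an added example. It is not Pupy’s “Online Status” code and not Break_Free; it is a stand-alone Python script written for this page. It assumes portquiz.net is reachable (it is a public service that answers an HTTP request on every TCP port), uses a short constructed port list in place of the nmap top 1000, and the verdict names (“open”, “connected”, “closed”, “filtered”) are choices made for this example.

```python
#!/usr/bin/env python3
"""Direct-egress check: which TCP ports reach the internet without the proxy?

Added example; not Pupy's "Online Status" code and not Break_Free.
portquiz.net (a public service) answers an HTTP request on every TCP port,
so a completed HTTP exchange on port N means port N is allowed straight out.
"""
import concurrent.futures
import socket
import sys

PORTQUIZ_HOST = "portquiz.net"
# Constructed illustrative port list; swap in nmap's top-1000 list for a real run.
DEFAULT_PORTS = [21, 22, 25, 53, 80, 110, 143, 443, 445, 993, 995, 1723,
                 3306, 3389, 5900, 8080, 8443, 8888, 9001, 9030]


def probe_port(host, port, timeout=3.0):
    """Probe one port. Returns (port, verdict, detail).

    verdict (names chosen for this example):
      "open"      TCP connect succeeded and an HTTP status line came back
      "connected" TCP connect succeeded but no HTTP reply arrived
                  (handshake-only allow, or an inline device eating the reply)
      "closed"    connection refused or reset
      "filtered"  connect timed out / unreachable (typical firewall drop)
    detail holds the first reply line or the error name. A proxy block page
    also yields a status line, so read detail before calling a port open.
    """
    request = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % host).encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionError as exc:          # refused / reset / aborted
        return port, "closed", type(exc).__name__
    except OSError as exc:                  # timeout, unreachable, DNS failure
        return port, "filtered", type(exc).__name__
    with sock:                              # timeout also applies to send/recv
        try:
            sock.sendall(request)
            data = sock.recv(512)
        except OSError as exc:
            return port, "connected", "no reply (%s)" % type(exc).__name__
    first_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    if first_line.startswith("HTTP/"):
        return port, "open", first_line
    return port, "connected", first_line or "<no data>"


def scan(ports=DEFAULT_PORTS, host=PORTQUIZ_HOST, timeout=3.0, workers=20):
    """Probe all ports concurrently; results sorted by port number."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return sorted(results)


def allowed_ports(results):
    """Ports on which a full HTTP exchange completed: direct-egress candidates."""
    return [port for port, verdict, _ in results if verdict == "open"]


def format_table(results):
    """Render results as a fixed-width table for the Blue team to read."""
    lines = ["%-6s %-10s %s" % ("PORT", "VERDICT", "DETAIL")]
    lines += ["%-6d %-10s %s" % row for row in results]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 egress_check.py [port ...]   (defaults to DEFAULT_PORTS)
    ports = [int(p) for p in sys.argv[1:]] or DEFAULT_PORTS
    results = scan(ports)
    print(format_table(results))
    print("\nDirect egress possible on:", allowed_ports(results) or "none")
```

Run it from a workstation on the network under test, with authorization: every port probed is an outbound connection to one external host, so a full top-1000 run is as noisy as the Pupy check. The detail column matters because a transparent proxy or captive portal also returns an HTTP status line; a port is only a real finding when the reply is PortQuiz’s own page rather than a block page.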
That night I extracted the “Online Status” check from the Pupy client and server source code and built a standalone executable with PyInstaller. I also fixed a few bugs (removed paste sites that are down, updated the HTTPS MITM cert so the MITM check works as expected, and changed how some items are presented). Now the client can run the same checks at any time to confirm that the firewall and proxy rules are enforced as expected. This leave-behind was added value for their Blue team, and we think it will be useful for both Red and Blue teams operating in restricted environments. Both the source and compiled binaries for Break_Free (Windows, macOS, and Linux) are available on GitHub.
About the Author
Erik is a former Department of Defense CNE operator. He now leads the adversary emulation group at SIXGEN. With a focus on complete “black-box” penetration testing, Erik uses custom tools, infrastructure, and techniques to ensure success against the most difficult targets.
Our team members include veterans from the world’s premier military and cybersecurity organizations. Our expert cyber operators conduct operations ranging from mitigating threats to protecting critical infrastructure and enhancing situational awareness through rapid data solutions. Our core capabilities include Penetration Testing, Social Engineering, Cyber Hunt, Incident Response, Red Teaming, Software Engineering, and Risk Management. Our strength is our experienced cadre of cyber professionals and our ability to understand how an adversary operates. From counterterrorism and cybersecurity to intelligence activities, we have a proven track record of identifying, dissecting, and resolving complex security problems involving multi-national, interagency and commercial organizations. We provide full-spectrum cyber solutions, encompassing active, passive, and defensive techniques. As a company, we believe that cybersecurity is vital to the operational efficacy of all business, and critically important to all persons.