Threat Talks - Your Gateway to Cybersecurity Insights

Your tools say “secure.” Your headers say “leaking.”
In this Threat Talks Deep Dive, ON2IT’s Luca Cipriano (CTI & Red Team Lead) exposes Data Bouncing—a stealthy exfiltration trick that hides inside HTTP headers and abuses DNS lookups through trusted third parties. We show the demo, decode the psychology of the attack, and translate it into Zero Trust moves you can deploy today.

  • (00:00) – Why your defenses aren’t enough
  • (00:11) – What is Data Bouncing?
  • (01:22) – How attackers exfiltrate data via DNS & headers
  • (05:20) – Live demo: DNS lookups & Burp Suite interception
  • (10:48) – Reassembling stolen files undetected
  • (15:24) – Can you defend against Data Bouncing?
  • (19:20) – Testing it in your own environment
  • (21:00) – Key takeaways & call to action

Key Topics Covered
•  How Data Bouncing enables covert data exfiltration
•  Abuse of headers like X-Forwarded-For to bypass firewalls
•  Live demo: attacker vs. victim scenario
•  Defensive measures: decryption, inspection, Zero Trust, and SOC awareness
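The defensive point the episode keeps returning to is that the payload rides in outbound HTTP request headers that a third party later resolves, so a defender can only see it at an egress proxy that decrypts TLS and inspects those headers. The following is an added example, not code from the episode, from ON2IT or from any vendor product mentioned: it models the check such a proxy could run. It extracts hostnames from a watch list of headers known to be resolved by some sites, flags X-Forwarded-For values that carry a hostname where an IP address belongs (the episode's own demo pattern), flags labels that look like Base64 payload chunks (long and high-entropy) in any watched header, and applies a strip policy to offending headers. The header watch list, the length and entropy thresholds, and both sample requests are assumptions constructed for the example.

```python
"""Egress-side header inspection for data bouncing (added example).

Not code from the Threat Talks episode or ON2IT. Models a decrypting
egress proxy check: look at request headers that third parties may
resolve, pull hostnames out of them, and flag values that look like
an exfiltration payload rather than a normal origin or referrer.
Watch list, thresholds and sample requests are assumptions/constructed.
"""
import ipaddress
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed watch list: headers the episode names plus two common relatives.
WATCHED_HEADERS = ("x-forwarded-for", "x-real-ip", "referer", "x-forwarded-host")
IP_HEADERS = ("x-forwarded-for", "x-real-ip")   # must hold IP addresses only
MIN_LABEL_LEN = 20    # Base64 chunks are long; ordinary hostname labels rarely are
MIN_ENTROPY = 3.5     # bits/char; encoded payload scores high, words score low
HOST_RE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+")  # dotted label runs


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_ip(value: str) -> bool:
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def hostnames_in(value: str) -> list[str]:
    """Hostname-like tokens in a header value (URLs or comma/space lists)."""
    hosts = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        if "://" in token:                       # Referer-style URL
            host = urlsplit(token).hostname or ""
            if host:
                hosts.append(host)
        else:                                    # bare host or IP list
            hosts.extend(HOST_RE.findall(token))
    return hosts


def payload_labels(host: str) -> list[str]:
    """Labels of host that look like encoded payload instead of a name."""
    return [lab for lab in host.lower().split(".")
            if len(lab) >= MIN_LABEL_LEN and shannon_entropy(lab) >= MIN_ENTROPY]


def inspect_headers(headers: dict) -> list[dict]:
    """One finding per (header, host) that violates the two heuristics."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in WATCHED_HEADERS:
            continue
        for host in hostnames_in(value):
            if lname in IP_HEADERS and not is_ip(host):
                reason = "hostname where an IP address is expected"
            else:
                chunks = payload_labels(host)
                if not chunks:
                    continue
                reason = f"{len(chunks)} payload-like label(s)"
            findings.append({"header": name, "host": host, "reason": reason})
    return findings


def sanitize_headers(headers: dict) -> tuple[dict, list[dict]]:
    """Proxy policy: drop every watched header that produced a finding.
    Generalizes the 'strip X-Forwarded-For' option the episode mentions."""
    findings = inspect_headers(headers)
    bad = {f["header"].lower() for f in findings}
    cleaned = {k: v for k, v in headers.items() if k.lower() not in bad}
    return cleaned, findings


# Constructed sample requests (not captured traffic); hosts are placeholders.
BENIGN = {
    "Host": "www.hp.com",
    "User-Agent": "Mozilla/5.0",
    "Referer": "https://www.example.com/products?id=42",
    "X-Forwarded-For": "203.0.113.10, 198.51.100.7",
}
SUSPICIOUS = {
    "Host": "www.hp.com",
    "User-Agent": "Mozilla/5.0",
    # hostname (with a chunk marker) where an IP belongs
    "X-Forwarded-For": "host01.1of3.U2VjcmV0IGRvY3VtZW50IGNvbnRlbnQgaGVyZQ.oob-listener.test",
    # long Base64-looking label as the leftmost part of a referrer host
    "Referer": "https://VGhpcyBpcyBjaHVuayB0d28gb2YgdGhyZWU.oob-listener.test/",
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        cleaned, findings = sanitize_headers(req)
        print(label, "findings:", findings, "kept:", sorted(cleaned))
```

Two caveats follow from the episode itself. The check only works after TLS decryption, since the headers are otherwise invisible at the perimeter, and stripping headers on egress is a blunt policy: legitimate internal proxies that set X-Forwarded-For for outbound traffic would need an allow rule. The entropy threshold is a tuning knob, not a fact: a short chunk such as the demo's "message" label is caught only by the IP-expected rule, and an attacker using a slow trickle across many headers and domains, as the episode describes, will still need a correlation layer on top of per-request findings.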

Additional Resources
• ON2IT Threat Talks Podcast: https://www.on2it.net/threat-talks
• Zero Trust Resources: https://www.on2it.net/zero-trust/

Guest & Host Links:
• Luca Cipriano, Cyber Threat Intelligence Program Lead, ON2IT: https://www.linkedin.com/in/luca-c-914973124/
• Rob Maas, Field CTO, ON2IT: https://www.linkedin.com/in/robmaas83/

🔔 Follow and Support our channel! 🔔
=== 
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

👕 Receive your Threat Talks T-shirt
https://threat-talks.com/

🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com

🕵️ Threat Talks is a podcast created in collaboration with ON2IT and AMS-IX. Each episode features leading cybersecurity experts sharing real-world insights on emerging threats, trends, and defense strategies — helping organizations stay secure in today’s rapidly evolving digital world.

ON2IT website: https://on2it.net/
AMS-IX website: https://www.ams-ix.net/ams

What is Threat Talks - Your Gateway to Cybersecurity Insights?

Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.

We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.

Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed, and stay secure!

You lock down your endpoints.

You filter for all egress data, you installed
malware detection tools

and still you're leaking data.

How could this happen?

There is a technique called data bouncing.

And that's what we're going to discuss
today in Threat Talks, the Deep Dive.

So let's get on to it.
Welcome to Threat Talks.

Let's delve deep into the dynamic world
of cybersecurity.

Today with me is Luca Cipriano.

Hey. Our CTI and the
Red Team Program Lead.

Welcome to the show. Thank you.

So you came to me: I have this
technique called data bouncing,

and it's going to make my life
as a defender really, really hard.

It gave you a headache at a
certain point, also. I was really curious.

So I'm very glad we're
going to do this topic.

Can you tell me, and the audience;
before we continue, there is

also a video demo that Luca is going
to give us, on data bouncing.

So for all our listeners, Luca is
going to talk us through it.

So, if you're in the car and don't have
a screen ready to look at it, don't do it.

But if you want to see what Luca is actually
doing, then later on, tune in to YouTube

and you will see, all the comments
and all the things that he's doing

and explaining to us
during this episode.

So, Luca, what is data bouncing?

Yeah.

So data bouncing is a technique
that can be used to exfiltrate data,

in a stealthy way.

So let's assume I'm an attacker.

I'm on your computer already, and
I found a really important document

that I want to get,
like, for example, a PDF.

And I want to exfiltrate it
without the SOC or,

or any alerts to be triggered
or the SOC being alerted.

So what I can use, I can
use data bouncing for that.

So data bouncing is
a sort of exfiltration.

In this case we're going to see

we're going to use a DNS
request to exfiltrate data.

And we are going to exfiltrate data
through a third party.

So when you send the http
request to a website,

your request will contain,
several headers.

And some of these headers,
will contain a domain

like, for example, there is
the header X-Forwarded-For.

It's a header that is used to
get the origin of the request.

So if I am sending a request
to a website like hp.com,

which is the example
that we're going to see here and,

my traffic is going through a
load balancer or a proxy.

The source that they will see
is the load balancer or the proxy

and the X-Forwarded-For header
will be the original origin.

So the hop before the proxy.

This one is often used,
for example, for GeoIPs.

So if you go to a website
that runs in the cloud

and you are located in a country,
then the website will display

or at least tries to display
your home language.

Yeah.

And the idea is if you're behind
a proxy, it will always display

the language where the proxy is located,
instead of your own language.

Yeah.

So that's why you look
at the Forwarded-For.

And in order to do that, they need to
resolve the domain where I'm coming from.

So they will have to send
the DNS request and resolve it.

The same things happen, for example,
for the referrer.

So if, for example, I visit a webpage
from another web page,

the referrer will be the original webpage
where I'm coming from.

And some of the websites, they will
resolve the content of these headers for,

as you mentioned before.... The geolocation.
The geolocation. Yeah, exactly.

Or some analytics sort of want threat
intel or data, so they will resolve it.

And data bouncing, will use, will abuse
this functionality to exfiltrate data.

So, what happened is; I wanted
that PDF that we discussed

before. So I'm gonna convert
that PDF in Base64.

I will divide the Base64 in chunks,

and I will add those chunks
as a subdomain of a server that I control.

And I add each chunk to the header
that will be resolved by a third party.

So when my server that I control
will receive that request,

I could retrieve all the
pieces of the Base64,

all the Base64 chunks, recompose
it and get the file back.

Yeah. So- And all this via the third party.

Yeah.

So as a small recap, first you're
already in the network.

You find some data
that you want to exfiltrate,

and then that's where our data bouncing
kicks in as a solution for that.

Yeah.

And then what you will do is you
will send a request to a third party,

so outside of the company
you're in as an attacker.

Indeed. And it could be hp.com, but
probably also any other big website.

Yeah. There's plenty.

You connect to them and you send within
the headers of your request, the data,

and then by, because those servers
are going to do a DNS lookup. Yes.

They're probably at your DNS server then.
I will receive it. Yeah, you will receive it. Okay.

Indeed. So for the demonstration
I'm gonna use two hosts.

So the host on the right is an attacker.

So it's my attacker, and it is
outside of the office network.

So this is the moment where
the videos start playing. Yeah.

So for the listeners. If you
want to see it as well,

we will guide you through it...
I will guide them through it.

So I'm going to use
two hosts, one attacker

which is outside of the network and

a Windows victim, which is
inside of the company network.

So we assume that I'm already,

I have already initial foothold
on the Windows host.

So, I'm going to use Interact.sh,
for this demo, which is a tool

that, it can be used to, it's used
for out of bound testing.

So you will spawn a server that will

listen for HTTP and DNS, incoming
HTTP and DNS requests on the web.

And I can see the logs
in the backend.

This is used, for example,
in web application pentesting.

If you want to see if you have,
for example, remote code execution

on an application, but you can't see
anything from the application itself.

You then try to trigger a request
to an out of bound service.

So then you will see that you receive
the request, and you know that your-

And this tool, Interact.sh, is a tool
that anyone can just download?

Yeah, you can just download it.

Anybody can download
and use it. It will spawn

a domain which is a string dot host.

Dot something like pro or fun.

And as you can see, these kinds of domains are
known, so they get blocked if I try to visit

it internally from the host that is in
the network, we can see that the policy

on our firewall will block me
visiting the website,

because, it's seen as command and control traffic

because these tools, you know,
they are used also by attackers.

They're legitimate tools,
but they're used by attackers.

So if you can see directly,
I can't visit it.

But now I will show how you can visit it,
from using the header, as I explained before.

So for this, we're going to use another
tool, which is called Burp Suite.

And it is a proxy to intercept web
traffic, so I can use the intersect,

I can use the Burp Suite browser
and the intercept function.

And, as soon as I try to visit a website,
my request will not go directly,

but it will be blocked, and it
will be blocked by Burp Suite.

And before sending it, I can
change it and interact with it.

As soon as I visit a website,
like in this example,

we're going to use hp.com.

You will see that I can't visit it,
because Burp Suite is intercepting it.

And in the history I can see the pending...
Requests. Traffic. Yes. Requests.

And then I can send it to the repeater and
from there I can modify it before sending it.

The repeater is a tool that will allow me to
send this request as many times as I want,

modified every time.

So what I'm going to do,
as we explained it

before, as you can see in the request,
there's a lot of headers here.

I'm going to add an extra header.

This header, is the X-Forwarded-For,
because that's what it works

now for hp.com, I know
that they resolved this.

And I'm going to add a secret message,

which is going to be appended,
as a subdomain of my dot host domain.

So I'm going to write this as message dot...

This is purely to verify that the
host will do the lookup for you.

Yes, exactly.

So as soon as I send this header,

we need to wait, a little bit,
but you will see that Interact.sh

will receive my secret message.

So what happens is you will send it to the host,
you intercepted it, [ ] it your domains.

And once the host receives the message,

it will do a lookup on the domains,
and that will show up in Interact.sh.

Exactly. So and as you can see here,
I can see from the logs of Interact.sh,

my secret message dot the domain.

So this is, as you can see, we couldn't before
from this host visit host.com, but now

with this technique, we are allowed...
Because you're allowed to go to hp.com.

Exactly.

So this is the technique that
is used to exfiltrate the data.

And also in this sense a way to check
if our host is doing those lookups. Yes.

So there are plenty of those.

And of course, they don't do
only X-Refer-From

but they do this with several headers
so you can create easily

and also there are already
online proof of concepts.

You can just get scripts where you can put a
list of domains, and they will test all the headers.

And you will just have Interact.sh open next
to you and they will see which are all the

domains that will resolve the headers and
it will tell which headers are resolved.

So now for the moment, it's a bit
more clear, hopefully for everybody.

But now for the practical explanation.

So as I mentioned before, I'm on this
Windows host, I'm the attacker, I'm there.

And I want to exfiltrate a file.

I want to exfiltrate this file on
the desktop, which is called secret.

Sounds like a secret file.

It's a super secret file.

So the first thing that I'm going to do,
as you can see, my folder is empty.

I'm going to start, the attacker folder is empty.

I'm going to start the Interact.sh client,
which will generate a new domain.

So now this is my listener.

I can wait for it.

I can, sorry, I can look
at the logs from here,

and then look at the content
of the secret dot txt.

It's just a small file.

It's part of a lorem ipsum,
I made it really small.

Because, of course, I need to recompose
the chunks manually to,

and I didn't want, like, a blob of Base64.

So for the sake of this demonstration
it’s just a small piece of text,

and to exfiltrate it, I already moved
a PowerShell script, which will

take the file, as we mentioned before,
convert it to Base64, divide it in chunks,

adds the identifier of the computer,

just in case you have more,
and it will say chunk one out of x.

In this case there are three chunks.

So it's going to be one out of three,
two out of three, three out of three.

Because then I need to recompose it.

And these requests, sometimes
they don't come in the correct order.

So I need to be able to understand
which one is the order.

And it will send the request to hp.com
using the X-Forwarded-For header.

So I at this point I just need to,
well, run, open a shell.

Yeah.

In this case I need to use PowerShell with,
yeah, I need to use execution

policy bypass, because otherwise
I can't run my script,

which is something that a user
shouldn't normally be able to do.

It's one of the things
to block. Yeah. Indeed.

But this is just a demo.

You can do it in a lot of different ways.

So I'm going to use the script,
I'm going to select my script

and then I'm going to select the file,
and then I'm just going to need to paste

my dot host domain.
And just press enter and wait.

So at this point, as you can see,
I started to get requests.

So I have the identifier and chunk 1 dot 3,
and all the chunks.

So I get the second one,
and then I get the third one.

So at this point, the last thing
that I need to do is just

recompose all the pieces of the Base64.
Yeah, you merge them together.

Merge them together.

Yeah. So, for this demo, I will do it manually.

You can do it scripted.

Of course, if it's a really huge file...
Yeah, you get a lot of a DNS requests.

So there's a lot of things to merge.

You can make just the script.

Just a script to do that.

So at this point, the only
thing that I need to do,

I can, for example,
use Echo and recompose

all the parts of the Base64, and then I can
just pipe it into Base64, the code

and then output it in secret dot txt,
which is the file, secret dot txt

and press enter.

And then, as you can see it's on
the folder now, that was first empty.

So it’s really easy.

If I open the content of secret, it’s lorem
ipsum, and I can use ‘cat’ to,

look at the content of secret
dot txt on my folder,

and as you can see it’s the same content.

So, of course, this is a small demo

just to let people understand
or let you understand and everybody

how you could exfiltrate data, but you
can imagine that if I'm an APT

like a state sponsored attacker,
and I have plenty of time,

with this method, I can
exfiltrate really big files.

And I can also do it with a delay,
so I don't need to send all the chunks

at the same time.

And I can use different websites
with different ideas.

The nice thing I would say,
for an attacker, from the attacker

perspective, is as an attacker,
you don't have direct access to your

well, your host where you receive everything,

you always put this man in
the middle there. Yes.

So hp.com, maybe even microsoft.com
or any other big website.

And if I look at the traffic log,
I won't see anything suspicious.

No, you will see just traffic
that might be legitimate and,

even worse, if you don't use decryption,

you are not even able to look at
the headers that are in the packets.

So this is going to be totally hidden
from you.

Yeah, that’s a nice bridge

because, the question now arises,
how do we defend against this?

Yeah, indeed.

So that's quite difficult to prevent
and also to detect.

So I want to start from
probably what is a bit less,

easy, let's say, you as a third party, probably,

do you really need to resolve,
all these headers, is it

something that is really needed?

So you should consider [it],
because you could be

used to exfiltrate data.

And I mean, I don't know,
do you really need that

or do you think...?
That's hard for me to determine,

if a third party really needs
to look up the domain names,

but what I don't like,

at least at, of this solution, is that
I'm depending then,

on those third parties
if they implement,

or maybe not implement, but block the
DNS lookups for the headers.

Yeah. Yeah.

And indeed there's not
something that you could do.

What we mentioned before, one of the
things is like, apply decryption.

There's for example,
Palo Alto, has an option,

which will strip the X-Forwarded-For...

Yeah, that’s mainly there to prevent
your internal IPs from being leaked...

Yeah, but it can be used
at least to strip one header, but again,

you need decryption
because otherwise you can’t...

Yeah, that's good to mention here,

because all those headers are of course,
if you go to an HTTPS web server, all encrypted.

So you need encryption in order to
see these headers. Yeah.

Yeah. Exactly.

So that already something
you can look at...

Yeah. So it's using a feature that
is meant for something else.

But it can help here.
It can help here, yes.

Of course, it's not only the X-Forwarded
-For, there's more headers.

But if you have deep packet inspection,
and you can look at the headers,

you could for example, try to use

some sort of machine learning or try to detect,
sort of, randomly generated domain...

So, yeah, Palo Alto Networks
already has this feature.

It's part of the advanced DNS security,

where they can figure out if, domain
generated algorithms, domain names, DGA,

are being used by malware
to spin up a lot of domains.

Yeah, yeah.
So they can already detect that.

And I think your domains will look more
or less the same.

Yeah.

So I can, I imagine if they will do the same
technique for those headers

that they might detect that this data
bouncing is being used.

Yeah. Yeah.

Probably it will alert, at least.

But these are like some sort of
alerts that you could have,

and also you can set up custom alerts,

if you are in a place of the network
where you can inspect it.

So it does not need necessarily
to go at the,

from the firewall, or maybe you
can have your own way of

preventing with custom alerts on logs
that you ingest.

Yeah, another defensive measure I think you
can take is just lock down your machines,

not every machine needs to be able
to talk to any website.

Yeah.

So if an attacker has access to a server,

which is already bad, but then
at least make it more difficult

so that that server is not allowed
to communicate directly

with the external world,
only to what's really needed.

Yeah, yeah.

Exactly. Depends on which machine
you are [coming] from,

because if I'm on a host from
a user, it’s going to be difficult.

Then it’s going to be difficult.
Because I assume the

IT department will receive
a lot of phone calls that

the people can't visit...

What might be good to mention again
here; you're already in a network

and we already have...
Yeah. Indeed.

... a few steps before that, if you look
at the kill chain, you're now

at the last part. Last part, acting
on the objective. Yes.

There are a lot of steps before that, before you are
in the network where we can take a lot of [ ]

Yeah, yeah, indeed.

And make it really hard for you.

Let's try not to have the attacker
reach the point where it can exfiltrate

the data. Yeah. So, that might be a good
moment to go to the ‘call to action’,

the call to action for our listeners is,
you can test this easily yourself.

So Luca showed us, how you can test this.

You can run Interact.sh, as you
mentioned, with the Burp Suite.

Yeah.

Burp Suite is also free?

Burp Suite is free. Yes.

You can have the community edition,

I mean, you can use
the sort of interactive session

within Burp Suite,
which is called collaborator.

But for that one, you,
will need a pro license.

So, but I mean, you can use Interact.sh.

Yeah.

And then you can simply test if

you can detect it with your
current security tooling.

Yeah.

I think that's a good thing to do.

So check it on your company,
check if you can leak your

sensitive data. Don’t do it with actual sensitive data,
but use some lab files or dummy files.

But might be good, to be
aware of this technique.

Data bouncing. And if it can be used
within your company.

So as a conclusion, I think we both can agree,
that data bouncing is really effective.

It's really hard to block.

We have some countermeasures.

But, still, you can work your way around it.

And like you said, if you're an APT
and you have enough time.

Then you do it really, really slow.

Yeah, you can take your time and
as I mentioned before, a call

every hour, and use different
domains with different headers.

So you... So it's really hard

to stop, but in the end, it's
the last step as an attacker.

So hopefully you can already prevent
the attacker from coming this far.

So if you look at the kill chain,
we have a lot of options

to stop the attacker
before he comes to the data bouncing.

So with that, I think it's a nice
ending of the show.

Yeah. We showed data bouncing,
how it works.

To you, listeners, if you liked
what you saw or just maybe

only heard, just press like and
subscribe and you will be updated

when the new episode
next week is being released.

And then since this was the
first time we're doing this,

maybe let us know if you’d like to
see more hands-on techniques.

If you like this, we can do more.

Let us know.

And I hope to see you next time.
Thank you.

Thank you for listening to Threat Talks,
a podcast by ON2IT cybersecurity and AMS-IX.

Did you like what you heard?
Do you want to learn more?

Follow Threat Talks to stay up to date
on the topic of cybersecurity.