Pentest Tools

Published on September 17th, 2016 | 2522 Views


Tunnel TCP Traffic Over an HTTP/HTTPS Connection: ABPTTS

ABPTTS uses a Python client script and a web application server page/package to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server.

The communication is designed to be fully compliant with HTTP standards, meaning that in addition to tunneling in through a target web application server, it can be used to establish an outbound connection through packet-inspecting firewalls. A number of novel features are used to make detection of its traffic challenging. In addition to its usefulness to authorized penetration testers, it is intended to provide IDS/WPS/WAF developers with a safe, live example of malicious traffic that evades simplistic regex-pattern-based signature models.

A Black Path Toward The Sun provides the ability to forward TCP ports through a web application server. ABPTTS shares similarities with several classes of existing tools – for example, TCP port-forwarders such as netcat, TCP-over-HTTP tools such as httptunnel, and web shells such as the Laudanum Project – but by combining these elements into a single tool, it provides functionality not previously available. There are two primary categories of intended use-cases for this tool:

  • In a network penetration test, a web application server has been accessed in a way which allows the tester to add web application code, but not to make other types of connection to the server. For example, TCP port 443 on the server is accessible to the tester, but the server is firewalled and has no other inbound or outbound connectivity. In this scenario, ABPTTS allows the server to be used as a bridge into the environment where the server is hosted.
  • Outbound TCP connectivity is needed, but only HTTP connectivity is possible. For example, a consultant is performing an internal network assessment and would like to tunnel SSH connectivity to an internet host, but the client does not allow direct outbound internet access, and has deployed TLS-inspecting proxy servers which will reject typical attempts to tunnel other protocols. In this scenario, ABPTTS will create a tunnel using standards-compliant HTTP requests and responses which should allow the consultant to achieve their goal.

ABPTTS provides a bridge over which any TCP-based tools on the tester’s system can connect via the web application server’s network interface. RDP, SSH, VNC, and others can all be used directly from the tester’s system. Tunneling is accomplished by a combination of two components:

  • A client-side Python script which listens for TCP connections and performs translation between raw data and HTTP requests which are sent to the server component.
  • A server-side listener which translates between HTTP requests from the client script and raw data sent through a second TCP connection initiated on the web application server. This component is written in the appropriate language for the web application server – for example, a JSP page is used if the web application server is Apache Tomcat or another Java-based WAS.


Goals

This tool was developed with the following goals:

  • Tunneled connectivity should be as reliable as possible – it is likely that if use of this tool is required, it will represent the sole window into a restricted environment, and therefore interruptions in that traffic will be extremely frustrating to users.
  • The tool should be simple to deploy – deploying ABPTTS should not require installation of additional libraries or native code on the web application server. If possible, uploading a single file should suffice.
  • Traffic should be resistant to signature-based detection – as much as possible, traffic should not contain fixed strings or other patterns that differentiate it from typical HTTP traffic.
  • Configuration should be as automatic as possible – using this tool effectively requires altering a variety of settings for each deployment (for example, the AES encryption key and the secret key used to authenticate the client). If these settings must be altered manually, it is very likely that users will not rotate them as frequently as they should. Therefore, the tool should automate this process.
  • Traffic should be encrypted – many protocols used during penetration tests do not encrypt sensitive data, so the tunneling component should handle this to prevent that data from being sent in plaintext form over a network connection.
  • Using multiple instances in a single engagement should be easy.
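The signature-evasion goal above means a regex signature is the wrong detection layer for this class of tool; what remains observable is the shape of the traffic the two-component design implies: one client repeatedly sending small POST bodies to a single server-side page at a steady cadence. The following is an added example, not part of the original post or of the ABPTTS project, that scores web server access-log records on that behaviour. The log lines are constructed, and the thresholds (20 requests, 90% POST, inter-arrival coefficient of variation at most 0.5) are assumptions to tune per environment; this page does not document ABPTTS's actual request cadence or sizes, so the heuristic flags the generic polling pattern of any HTTP tunnel or web shell rather than anything specific to ABPTTS.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Apache/Tomcat combined-format access-log lines (not real traffic).
# 10.0.0.5 browses normally; 203.0.113.7 sends a small POST to one server-side
# page roughly once per second, the shape a polling HTTP tunnel tends to leave.
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [17/Sep/2016:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
     '10.0.0.5 - - [17/Sep/2016:10:00:04 +0000] "GET /app/img/logo.png HTTP/1.1" 200 8310 "-" "Mozilla/5.0"',
     '10.0.0.5 - - [17/Sep/2016:10:00:41 +0000] "POST /app/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
    + ['203.0.113.7 - - [17/Sep/2016:10:01:%02d +0000] "POST /app/report.jsp HTTP/1.1" 200 %d "-" "Mozilla/5.0"'
       % (s, 400 + (s % 3)) for s in range(24)]
)

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Server-side page extensions a tunnel endpoint (JSP/ASP.NET/PHP) would carry.
DYNAMIC_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".asmx", ".php")


def parse_access_log(text):
    """Parse combined-format lines into dicts; silently skip unparseable lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],   # ignore query string when grouping
            "size": 0 if m["size"] == "-" else int(m["size"]),
        })
    return records


def find_tunnel_candidates(records, min_requests=20, min_post_ratio=0.9, max_interval_cv=0.5):
    """Flag (client, page) pairs whose request stream looks like tunnel polling.

    Thresholds are assumed starting points, not measured values:
      - at least min_requests hits from one client to one dynamic page
      - almost all of them POST (data must travel in the request body)
      - regular spacing: coefficient of variation of inter-arrival gaps is low
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip"], r["path"])].append(r)

    findings = []
    for (ip, path), reqs in groups.items():
        if len(reqs) < min_requests or not path.lower().endswith(DYNAMIC_EXT):
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        post_ratio = sum(r["method"] == "POST" for r in reqs) / len(reqs)
        avg_gap = mean(gaps)
        # A burst of identical timestamps gives avg_gap == 0; treat it as perfectly regular.
        interval_cv = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0
        if post_ratio >= min_post_ratio and interval_cv <= max_interval_cv:
            findings.append({
                "ip": ip,
                "path": path,
                "requests": len(reqs),
                "post_ratio": post_ratio,
                "interval_cv": interval_cv,
                "mean_body": mean(r["size"] for r in reqs),
            })
    return findings


if __name__ == "__main__":
    for f in find_tunnel_candidates(parse_access_log(SAMPLE_LOG)):
        print("tunnel-like: %(ip)s -> %(path)s (%(requests)d reqs, "
              "POST %(post_ratio).0%%, interval CV %(interval_cv).2f)" % f)
```

The regular-cadence test is what separates this from ordinary form traffic: a human-driven application also POSTs to dynamic pages, but not twenty times to the same page at near-constant spacing. In production the grouping key should also include a time window, and the thresholds should be calibrated against a baseline of the application's own legitimate polling endpoints to keep the false-positive rate manageable.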

Currently JSP/WAR and ASP.NET server-side components are included. This tool is released under version 2 of the GPL.


https://github.com/nccgroup/ABPTTS/blob/master/ABPTTS-Manual.pdf

https://github.com/nccgroup/ABPTTS
