In the past, many organizations focused heavily on protecting ingress connections to their network and did not care much about egress connections from their network to the internet. This was less than ideal, because when an attacker or penetration testing team gained a foothold inside an internal network, it was trivial to establish Command and Control (C2) connections or exfiltrate sensitive data to the internet.
In more recent times, organizations with a maturing information security posture have placed an emphasis on what communication is egressing from their network to the internet. This is a great practice, because it can help slow down or prevent C2 and sensitive data exfiltration. VDA Labs encourages clients to seriously consider what traffic is allowed to egress from internal networks, and recommends defensive practices like preventing communication on outbound ports that have no business need, using web proxies and endpoint certificates to inspect outgoing communication even if it is encrypted, and utilizing the latest Data Loss Prevention (DLP) technologies and ideas.
The majority of outbound web proxy solutions allow organizations to restrict the web sites their employees are allowed to visit to specific categories. These categories of sites are typically managed by the outbound web proxy vendor and only include sites that have been through a vetting process and are determined to be “safe.” While this does help limit the attack surface from some common threats, a determined adversary can innovate ways to circumvent reputation-based protections and whitelisting.
During penetration testing engagements, the VDA Labs team can quickly defeat this type of website reputation-based protection by exploiting weaknesses in the typical vendor website vetting process. As an example, the following steps demonstrate the process of registering a domain for C2 or phishing purposes and quickly gaining a successful reputation ranking with most of the major outbound web proxy vendors.
Using this approach assumes that the target organization does not allow most TCP or DNS ports out of their network, and also assumes that VDA Labs is not choosing to perform C2 and/or sensitive data exfiltration via other methods, like using another protocol (ICMP), a more advanced method like setting up an authoritative DNS server with dnscat2, or performing domain fronting with an already approved third-party domain.
While a service like expireddomains.net can also be used to locate an available domain that is already categorized, for phishing purposes it is often better to register a new domain that closely resembles the actual domain used by the target organization.
Register a phishing domain
During a penetration test, getting a domain registered for C2 or phishing purposes can easily be accomplished with a number of registration services. A few that are easy to use and allow editing of DNS records are namecheap.com, namesilo.com, and godaddy.com.
For this example scenario, vdalabs.com will be the target organization, so the domain vdalabs.site will be registered because it closely resembles our target. The registrar namecheap.com was used to accomplish this step quickly.
Configure redirect to target
After getting the target domain registered, a quick configuration change must be made that will help with getting it categorized and establishing a positive reputation with web proxy vendors. From the “Dashboard” page, select “Manage.”
Next, select the “Advanced DNS” tab to create and edit DNS records.
Finally, use the “ADD NEW RECORD” button to set up a “URL Redirect Record” that points the phishing domain to the actual site of the target organization. At this point, visiting the phishing domain www.vdalabs.site with a web browser results in an immediate redirection to the target organization’s actual page, www.vdalabs.com.
Now the phishing domain is ready for submission to common web proxy vendors for categorization. Our goal is to have the phishing domain placed in the same category as the target organization’s domain, which would then enable target organization employees to access our phishing domain through outbound web proxy defenses for social engineering or C2 purposes.
Establish phishing domain reputation
The final step before achieving a successful bypass of outbound proxy filtering for the phishing domain is to submit it to several web proxy vendors for review. A great list of web proxy vendors is available on the Red-Team-Infrastructure-Wiki. The process requires an email account, visiting and filling out each vendor’s submission form, and then about 24 hours of waiting.
Some of the web proxy vendors will ask that ownership of an email address be verified by clicking a link sent to the email specified when filling out their categorization submission form. This step can easily be accomplished by using a temporary email service, like temp-mail.org.
After submitting www.vdalabs.site to each of the major web proxy vendors, all of them reviewed the phishing domain within about 24 hours and categorized it with the same category and reputation rating as the target domain www.vdalabs.com. The table below specifies the results from each web proxy vendor and the category they selected.
Exploiting this issue
At this point, the phishing domain www.vdalabs.site was successfully registered and given a “safe” reputation with major web proxy vendors. By going back and changing the DNS settings to remove the 302 redirect to the target organization’s domain, www.vdalabs.com, the phishing domain www.vdalabs.site can then be pointed at internet infrastructure for phishing and/or C2 handlers.
By following these steps and waiting about 24 hours, it is possible for penetration testing teams to bypass the reputation and categorization defenses used by most major web proxy vendors.
Protect your organization
Securing your organization’s egress traffic has no simple answer. However, starting with the basics and adding layers of protection can prevent simple egress attempts and slow more committed attackers down.
Start with blocking all non-necessary outbound TCP and UDP ports. Outbound protocols like ICMP should also be restricted. Proxy and decrypt outbound web traffic. When possible, only allow web traffic to approved whitelisted locations. For example, Windows servers may need access to Windows Update, but should be restricted from accessing the typical locations that workstations might require access to. Force internal networks to use specific DNS resolvers, and monitor DNS communication for malicious activity. Test these defenses to make sure they actually work. A final recommendation is to diligently train and assess your employees’ security awareness, which is often the final line of defense. VDA can help if desired: https://www.vdalabs.com/enterprise-security/
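As an added example (not part of the original post and not VDA Labs’ code), the Python below shows two defensive checks against the technique described above: a proxy-log scan that flags egress to domains resembling the organization’s own name regardless of the vendor category, since that category is exactly what the technique inherits, and the vendor-side rule that a categorization review should not carry a category across a cross-domain redirect. The log format, vdalabs.com as the organization’s own domain, and the naive single-label TLD split are assumptions.

```python
import re
# Assumed organization domain; vdalabs.com is the target used in the post.
ORG_DOMAIN = "vdalabs.com"

# Constructed sample proxy log: time, client, method, URL, status, vendor category.
SAMPLE_LOG = """\
2024-01-10T09:12:01Z 10.0.5.21 GET https://www.vdalabs.com/ 200 Business
2024-01-10T09:12:07Z 10.0.5.21 GET https://update.microsoft.com/ 200 Technology
2024-01-10T09:13:44Z 10.0.5.33 GET https://www.vdalabs.site/login 200 Business
2024-01-10T09:14:02Z 10.0.5.33 POST https://www.vdalabs.site/api 200 Business
2024-01-10T09:15:10Z 10.0.5.40 GET https://www.vda1abs.com/ 200 Business
"""

def registrable(host):
    """(label, tld) of a host. Naive split; assumes single-label TLDs, not co.uk-style."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as vda1abs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, org=ORG_DOMAIN, max_dist=1):
    """True for the org's name under another TLD, or within max_dist edits of it."""
    org_label, org_tld = registrable(org)
    label, tld = registrable(host)
    if (label, tld) == (org_label, org_tld):
        return False                      # the organization's real domain
    return label == org_label or edit_distance(label, org_label) <= max_dist

def flag_lookalikes(log_text):
    """Unique lookalike hosts seen in the log, ignoring the vendor category column."""
    hits = set()
    for line in log_text.splitlines():
        m = re.match(r"\S+ \S+ \S+ https?://([^/\s]+)", line)
        if m and is_lookalike(m.group(1)):
            hits.add(m.group(1))
    return sorted(hits)

def category_from_redirect(submitted_host, landing_host, landing_category):
    """Vendor-side rule: a cross-domain redirect must not inherit the landing category."""
    same = registrable(submitted_host) == registrable(landing_host)
    return landing_category if same else "uncategorized"
```

Run `flag_lookalikes(SAMPLE_LOG)` against your own proxy export; both vdalabs.site and the typosquat are flagged even though the proxy rated them “Business.”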