{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x00 背景簡介","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CDN(Content Delivery Network) 是雲服務廠商提供的一種Web內容加速分發服務。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於攻擊者來說,CDN提供了大量分佈於全球各地的邊緣節點IP,並且可以將源服務器隱藏在CDN節點之後,所以CDN非常適合被用於保護C2的通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文介紹了我們在某些CDN實現中發現的一些特性,以及如何利用這些特性隱藏C2通信流量,我們將這種新型的基於CDN的隱蔽通信方法稱爲Domain Borrowing。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該研究已經發表在Black Hat Asia 2021。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x01 歷史研究","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Domain Fronting","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting[1]是Fifield David等研究人員在2015年提出的一種基於CDN的隱蔽通信方法,該方法至今仍被廣泛應用於真實APT攻擊和紅藍對抗中。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting的工作原理如下圖所示,主要利用了CDN轉發HTTPS請求時的特性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/63/63c41590c786fa54760e3e847630c91e.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在處理HTTPS請求時,CDN會首先將它解密,並根據HTTP Host的值做請求轉發。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果客戶端想要訪問一個非法網站forbidden.com,它可以使用一個CDN上的合法的域名allow.com作爲SNI, 然後使用forbidden.com作爲HTTP Host與CDN進行HTTPS通信。之後,CDN會將HTTP請求重新封裝,併發往forbidden.com的源服務器。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這種情況下,客戶端實際通信的對象是forbidden.com,但在流量監控設備看來,客戶端是在與allow.com通信,即客戶端將流量成功僞裝成了與allow.com通信的流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting也有一些侷限性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting流量的一個顯著特點是SNI和Host不相等。企業的防守方可以部署HTTPS流量解密設備,並對比流量中的SNI和Host是否相等,如果不相等則說明是該流量是Domain Fronting流量。這也是MITRE ATT&CK[2]中建議的檢測方式。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且,隨着該技術不斷在真實網絡攻擊中被使用,雲廠商也逐漸意識到了Domain Fronting的危害,目前Cloudflare、AWS CloudFront、Google Cloud CDN等廠商也都紛紛禁用了這種隱蔽通信方法。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Domain Hiding","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Hiding[2]是Erik Hunstad在DEFCON28上提出的隱蔽通信方法,這種方法主要依賴於TLSv1.3和ESNI。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/87/874de7f64271a97f07cd6ba67de09af1.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"ESNI是IETF的一個草案,目前只有Cloudflare CDN支持該標準。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通信的客戶端可以從_esni.forbidden.com的TXT記錄中獲取密鑰,並使用該密鑰加密SNI,在HTTPS Client Hello中即可使用加密後的SNI即ESNI與CDN進行通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因爲DNS查詢可以通過DNS over TLS/HTTPS進行,所以整個HTTPS通信流量中不會出現明文的forbidden.com。流量監控設備也就無法識別該流量是否爲非法流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Erik Hunstad還發現Cloudflare處理ESNI的一個特性,如果Client Hello裏同時出現SNI和ESNI, Cloudflare會忽略SNI字段,使用ESNI完成接下來的通信過程。這樣攻擊者在使用ESNI通信時,就可以將SNI設置爲一個高信譽的的域名來僞裝通信流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Hiding也存在一些侷限性。一方面,Cloudflare現在已經不支持Client Hello裏同時出現SNI和ESNI。另一方面,爲了進行流量審查,很多企業甚至國家級防火牆會直接禁止使用ESNI通信。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x02 Domain Borrowing","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對攻擊者來說,一個理想的C2通信流量需要滿足以下幾個條件","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"擁有大量IP地址供C2 agent連接","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"使用高信譽的的域名和合法的HTTPS證書","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"即使HTTPS流量可以被解密,解密後的流量也應該與正常流量高度相似,特別是SNI==Host","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"通信協議不依賴於特殊協議標準","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","text":"通信方式不在特殊地區受限制","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下面將詳細介紹我們在某些CDN實現中發現的一些特性,以及如何利用這些特性滿足一個理想C2的隱蔽通信需求。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在HTTPS CDN的工作流程中,DNS只是用於尋找CDN邊緣節點,並不直接參與HTTPS通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所以客戶端可以直接拋棄DNS解析流程,或者使用另一個加速域名cdn.b.com做DNS解析, 然後使用cdn.a.com作爲SNI/Host與CDN邊緣節點通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/46/462ed5d6b25f86e262b9b850192b1741.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了僞裝C2通信流量,需要保證流量中SNI和Host爲高信譽度域名,也就需要我們具備在CDN上註冊高信譽度域名的能力。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們調研了國外常見CDN加速域名註冊時的域名歸屬認證機制,結果如下圖所示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/67/678a258f687261635439560e4a5e7f2e.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Azure CDN使用DNS CNAME記錄驗證域名歸屬,Cloudflare使用DNS NS記錄驗證域名歸屬,使用者配置相應的DNS記錄後纔可以使用CDN服務。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS CloudFront使用域名的HTTPS證書來驗證域名歸屬權,使用者需要提供域名的合法HTTPS證書纔可使用CDN服務。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google Cloud CDN的AnyCast機制需要使用者直接將加速域名解析配置爲Google Cloud CDN指定的某個固定IP,雖然AnyCast機制的目的不是爲了進行域名歸屬驗證,但是確實達到了歸屬驗證的效果。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Fastly,StackPath,KeyCDN,CDN77和CDNSun則不存在域名歸屬驗證,攻擊者可以在這些CDN上任意註冊高信譽度域名的加速服務, 如下圖所示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d8/d86f7e00b647b0bd5611fb89e39abca9.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以www.blackhat.com爲例,雖然我們可以在上述CDN中註冊該域名的CDN加速服務,但是我們並沒有這個域名的合法HTTPS證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當CDN無法找到SNI中的域名對應的證書時,通常有兩種處理邏輯","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"大多數CDN會返回一個默認的證書給客戶端","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"少數CDN會直接斷開與客戶端的TCP連接","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下圖所示,Fastly CDN會返回default.ssl.fastly.net的證書給客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/2b/2b8002512eba12a5551ec5e8b3c53349.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在這種情況下,客戶端可以選擇忽略HTTPS證書驗證並與CDN邊緣節點進行HTTPS通信","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這時HTTPS流量中SNI == Host == www.blackhat.com,可以繞過對Domain Fronting的檢測","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然default.ssl.fastly.net證書比自簽名證書可信度要高,但是對於這個HTTPS連接來說這仍然是一個非法的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"那麼應該如何獲取高信譽度域名的合法的證書?最簡單的方法就是通過漏洞","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果攻擊者可以獲取目標站點的RCE或者任意文件下載,攻擊者可以直接獲得域名的證書和私鑰","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果攻擊者發現了目標站點的RCE、subdomain takeover、任意文件上傳(尤其是雲存儲的任意文件上傳)等漏洞,攻擊者可以通過HTTP驗證(.well-known)的方式申請目標站點域名的新的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且由於證書的有效期比較長,在站點漏洞被修復後,攻擊者申請的證書可能仍然是有效的","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/27/27eabd10abc0b9d8b234e9e445b8d78d.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"ppe.verify.microsoft.com的subdomain takeover漏洞(該漏洞由作者一個朋友發現)已經被修復,但是申請下來的證書仍然有效","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因爲AWS CloudFront僅通過HTTPS證書來做域名歸屬驗證,所以我們拿到一個合法的證書之後就可以在AWS CloudFront上註冊該域名的CDN服務","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f2/f27ba690d47fe7485d4cd295fb8d888a.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/c6/c673d861a47b12eb3a7d50cfab3fcfc7.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"成功註冊之後,C2 agent就可以使用這個域名上線","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"C2 agent可以使用blogs.aws.amazon.com進行DNS解析尋找CDN邊緣節點,HTTPS請求中的SNI和HTTP Host都可以設置爲ppe.verify.microsoft.com, 並且HTTPS證書使用的是我們上傳的該域名的合法證書。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"是否有辦法在不利用目標站點漏洞的情況下獲取高信譽度域名的合法證書?","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們在研究各個CDN廠商的HTTPS證書分發流程時發現了部分CDN廠商的實現存在一些特性,我們可以利用這些特性借用其他CDN用戶上傳的合法證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"首先來看一下正確的證書分發流程","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8b/8bfe3be4805d8ca04bf0a666936ec069.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當用戶使用cdn.example.com作爲SNI進行HTTPS請求時,CDN會從他的數據庫中查找cdn.example.com的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查詢邏輯類似 select certificate from db where domain_name = \"cdn.example.com\"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(真實情況會更加複雜,這裏只是用一個簡單的數據庫操作來演示CDN的處理邏輯)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"很明顯,表中的第一行數據符合查詢條件, *.example.com.crt 會被select出來,並返回給客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是部分CDN的實現存在問題","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者在CDN上註冊加速域名static.example.com,但是攻擊者並沒有該域名的證書。CDN會在數據庫中新增一條數據,如下圖所示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cd/cdfde9022f49ad0d7b6886bd3742f227.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端使用static.example.com作爲SNI向CDN發送HTTPS請求,CDN從數據庫中查詢static.example.com的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ce/ce6a62565c9ddfdd2dc62052e351b3c3.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與正確的證書分發流程不同的是,這裏的查詢邏輯類似 select certificate from db where certificate matches \"static.example.com\"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"第一行數據中的通配符證書*.example.com.crt可以匹配到static.example.com","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是這個證書是Alice上傳的,也就是說Alice上傳的通配符證書*.example.com.crt匹配到了攻擊者註冊的CDN加速域名static.example.com","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"之後CDN會將Alice上傳的證書返回給客戶端,於是客戶端便獲得了一個對於當前HTTPS連接來說合法的通配符HTTPS證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過CDN的這個特性,攻擊者就可以借用其他用戶上傳到CDN的通配符HTTPS證書,並與CDN建立合法的HTTPS連接","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們發現StackPath和CDN77都存在這個特性,所以我們可以借用用戶上傳到StackPath和CDN77上的通配符HTTPS證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f7/f71db3f76262ddfdcd334009fca76fe5.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且StackPath和CDN77上有很多高信譽度的域名","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/6d/6d00957924e2968e9147767799c00a31.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"尤其是StackPath是JS Foundation的CDN服務提供商, 有一些非常知名的前端項目比如Bootstrap和FontAwesome將他們的靜態資源部署在StackPath上","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作爲知名前端項目,Bootstrap和FontAwesome在Alex top 1k網站上使用率非常高","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者可以借用他們的子域名和合法的HTTPS證書將C2通信僞造成Bootstrap和FontAwesome的通信流量","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以Bootstrap爲例,攻擊者可以在CDN上註冊任意bootstrapcdn.com的子域名,甚至是一個並不存在的子域名,比如static.bootstrapcdn.com","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/52/527b6ce7c1295a85703773d59e7bb3d3.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用curl去測試,可以發現,當使用static.bootstrapcdn.com作爲SNI進行HTTPS通信時,CDN會將*.bootstrapcdn.com返回給客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/5c/5c1667c48d889a29074fda37409c57e6.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"於是攻擊者就可以將static.bootstrapcdn.com作爲SNI和Host,借用StackPath上合法的通配符HTTPS證書*.bootstrapcdn.com進行C2通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"無論是通信的HTTPS流量還是解密之後的HTTP流量,看起來都是一個高信譽度域名static.bootstrapcdn.com的合法通信流量。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x03 防禦方法","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於企業防守方來說,最簡單有效的Domain Borrowing防禦方法是在防火牆檢測HTTPS SNI的DNS解析結果是否與通信的目標IP地址相同, 並且建議配合DNS Proxy一起使用以減少誤報。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/41/41deb940a99621f8458f9a480b1c41b0.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於CDN廠商來說,可以採取以下方法禁用Domain Borrowing。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"用戶在CDN上註冊加速域名時,嚴格校驗域名歸屬權","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端連接CDN時,正確地分發HTTPS證書","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於網站管理員來說,可以通過下列方式緩解網站證書被濫用的問題。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"被入侵之後吊銷現有證書,防止證書被攻擊者竊取和濫用","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"通過證書透明度檢查攻擊者是否申請了該網站域名的新的證書","attrs":{}}]}]}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x04 案例:繞過Palo Alto防火牆","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Palo Alto Firewall PAN-VM是Palo Alto的下一代防火牆產品,支持很多優秀的特性,比如SSLv3.0-TLSv1.3的流量解密和Anti-Spyware功能。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對SSL解密功能支持的算法如下圖所示","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/5c/5c650944ca6ad8c74e7c1e645250ccef.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Anti-Spyware功能內置了各類惡意軟件通信流量的檢測規則和一些通用的檢測邏輯比如Anti-Spyware Evasion Signatures[4]。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Anti-Spyware Evasion Signatures包含兩條檢測規則Suspicious HTTP Evasion Found和Suspicious TLS Evasion Found","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/46/46b5e0bb0dfbf0b436db3af2d0113491.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Suspicious HTTP Evasion Found用於檢測HTTP Host的DNS解析結果是否與通信目的IP地址相同","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Suspicious HTTPS Evasion Found用於檢測HTTPS SNI的DNS解析結果是否與通信目的IP地址相同","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所以理論上Anti-Spyware Evasion Signatures是可以檢測Domain Borrowing的。但是我們研究發現,Palo Alto Firewall在這個功能的實現上存在問題。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果防火牆無法解析出SNI和Host域名的IP地址,則這條通信流量會直接通過檢測。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於Domain Borrowing來說,SNI和Host可以被設置爲一個不存在的域名(即該域名沒有IP地址),這樣就可以繞過Palo Alto Firewall的檢測。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以img.fontawesome.com爲例","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3a/3af0cd9a767264e101fe8ec14e5e69c1.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該域名不是一個真實存在的域名,它沒有任何的DNS記錄","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者可以在StackPath上註冊img.fontawesome.com的CDN加速服務,並使用img.fontawesome.com作爲SNI和Host,借用StackPath上合法的通配符HTTPS證書*.fontawesome.com進行C2通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在檢測設備看來,攻擊者的通信流量就是一個完全合法的高信譽度域名img.fontawesome.com的HTTPS通信流量,並且可以繞過Anti-Spyware Evasion Signatures的檢測。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a7/a7968c4cc1b12588e2a92d7fa45a96f6.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該繞過方法已經報告給Palo Alto PSIRT。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x05 Covenant Implant Template","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們實現了一個使用Domain Borrowing通信的Covenant[5] Implant Template,希望幫助攻擊方在紅藍對抗中應用Domain Borrowing技術,也希望能夠幫助防守方加強對此類通信流量的檢測能力。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Github Repo: https://github.com/Dliv3/DomainBorrowing","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x06 參考資料","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[1] https://www.icir.org/vern/papers/meek-PETS-2015.pdf[2] https://attack.mitre.org/techniques/T1090/004/[3] https://media.defcon.org/DEF%20CON%2028/DEF%20CON%20Safe%20Mode%20presentations/DEF%20CON%20Safe%20Mode%20-%20Erik%20Hunstad%20-%20Domain%20Fronting%20is%20Dead%20Long%20Live%20Domain%20Fronting.pdf[4] https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/enable-evasion-signatures.html[5] https://github.com/cobbr/Covenant","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後在多說幾句:我是一名網絡安全工程師,也是剛開始做自媒體","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了感謝讀者們,我想把我收藏的一些","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"網絡安全/滲透測試學習乾貨","attrs":{}},{"type":"text","text":"貢獻給大家,回饋每一個讀者,希望能幫到你們。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"乾貨主要有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"① 2000多本網安必看電子書(主流和經典的書籍應該都有了)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"② PHP標準庫資料(最全中文版)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③ 項目源碼(四五十個有趣且經典的練手項目及源碼)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"④ 網絡安全基礎入門、Linux運維,web安全、滲透測試方面的視頻(適合小白學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑤ 網絡安全學習路線圖(告別不入流的學習)","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"各位朋友們可以關注+評論一波 然後私信 備註:網安學習 即可免費獲取","attrs":{}}]}]}
Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)
{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x00 背景簡介","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CDN(Content Delivery Network) 是雲服務廠商提供的一種Web內容加速分發服務。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於攻擊者來說,CDN提供了大量分佈於全球各地的邊緣節點IP,並且可以將源服務器隱藏在CDN節點之後,所以CDN非常適合被用於保護C2的通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文介紹了我們在某些CDN實現中發現的一些特性,以及如何利用這些特性隱藏C2通信流量,我們將這種新型的基於CDN的隱蔽通信方法稱爲Domain Borrowing。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該研究已經發表在Black Hat Asia 2021。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x01 歷史研究","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Domain Fronting","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting[1]是Fifield David等研究人員在2015年提出的一種基於CDN的隱蔽通信方法,該方法至今仍被廣泛應用於真實APT攻擊和紅藍對抗中。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting的工作原理如下圖所示,主要利用了CDN轉發HTTPS請求時的特性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/63/63c41590c786fa54760e3e847630c91e.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在處理HTTPS請求時,CDN會首先將它解密,並根據HTTP Host的值做請求轉發。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果客戶端想要訪問一個非法網站forbidden.com,它可以使用一個CDN上的合法的域名allow.com作爲SNI, 然後使用forbidden.com作爲HTTP Host與CDN進行HTTPS通信。之後,CDN會將HTTP請求重新封裝,併發往forbidden.com的源服務器。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這種情況下,客戶端實際通信的對象是forbidden.com,但在流量監控設備看來,客戶端是在與allow.com通信,即客戶端將流量成功僞裝成了與allow.com通信的流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting也有一些侷限性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Fronting流量的一個顯著特點是SNI和Host不相等。企業的防守方可以部署HTTPS流量解密設備,並對比流量中的SNI和Host是否相等,如果不相等則說明是該流量是Domain Fronting流量。這也是MITRE ATT&CK[2]中建議的檢測方式。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且,隨着該技術不斷在真實網絡攻擊中被使用,雲廠商也逐漸意識到了Domain Fronting的危害,目前Cloudflare、AWS CloudFront、Google Cloud CDN等廠商也都紛紛禁用了這種隱蔽通信方法。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"Domain Hiding","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Hiding[2]是Erik Hunstad在DEFCON28上提出的隱蔽通信方法,這種方法主要依賴於TLSv1.3和ESNI。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/87/874de7f64271a97f07cd6ba67de09af1.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"ESNI是IETF的一個草案,目前只有Cloudflare CDN支持該標準。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通信的客戶端可以從_esni.forbidden.com的TXT記錄中獲取密鑰,並使用該密鑰加密SNI,在HTTPS Client Hello中即可使用加密後的SNI即ESNI與CDN進行通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因爲DNS查詢可以通過DNS over TLS/HTTPS進行,所以整個HTTPS通信流量中不會出現明文的forbidden.com。流量監控設備也就無法識別該流量是否爲非法流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Erik Hunstad還發現Cloudflare處理ESNI的一個特性,如果Client Hello裏同時出現SNI和ESNI, Cloudflare會忽略SNI字段,使用ESNI完成接下來的通信過程。這樣攻擊者在使用ESNI通信時,就可以將SNI設置爲一個高信譽的的域名來僞裝通信流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Domain Hiding也存在一些侷限性。一方面,Cloudflare現在已經不支持Client Hello裏同時出現SNI和ESNI。另一方面,爲了進行流量審查,很多企業甚至國家級防火牆會直接禁止使用ESNI通信。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x02 Domain Borrowing","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對攻擊者來說,一個理想的C2通信流量需要滿足以下幾個條件","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"擁有大量IP地址供C2 agent連接","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"使用高信譽的的域名和合法的HTTPS證書","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"即使HTTPS流量可以被解密,解密後的流量也應該與正常流量高度相似,特別是SNI==Host","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"通信協議不依賴於特殊協議標準","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","text":"通信方式不在特殊地區受限制","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下面將詳細介紹我們在某些CDN實現中發現的一些特性,以及如何利用這些特性滿足一個理想C2的隱蔽通信需求。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在HTTPS CDN的工作流程中,DNS只是用於尋找CDN邊緣節點,並不直接參與HTTPS通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所以客戶端可以直接拋棄DNS解析流程,或者使用另一個加速域名cdn.b.com做DNS解析, 然後使用cdn.a.com作爲SNI/Host與CDN邊緣節點通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/46/462ed5d6b25f86e262b9b850192b1741.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了僞裝C2通信流量,需要保證流量中SNI和Host爲高信譽度域名,也就需要我們具備在CDN上註冊高信譽度域名的能力。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們調研了國外常見CDN加速域名註冊時的域名歸屬認證機制,結果如下圖所示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/67/678a258f687261635439560e4a5e7f2e.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Azure CDN使用DNS CNAME記錄驗證域名歸屬,Cloudflare使用DNS NS記錄驗證域名歸屬,使用者配置相應的DNS記錄後纔可以使用CDN服務。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS CloudFront使用域名的HTTPS證書來驗證域名歸屬權,使用者需要提供域名的合法HTTPS證書纔可使用CDN服務。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google Cloud CDN的AnyCast機制需要使用者直接將加速域名解析配置爲Google Cloud CDN指定的某個固定IP,雖然AnyCast機制的目的不是爲了進行域名歸屬驗證,但是確實達到了歸屬驗證的效果。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Fastly,StackPath,KeyCDN,CDN77和CDNSun則不存在域名歸屬驗證,攻擊者可以在這些CDN上任意註冊高信譽度域名的加速服務, 如下圖所示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/d8/d86f7e00b647b0bd5611fb89e39abca9.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以www.blackhat.com爲例,雖然我們可以在上述CDN中註冊該域名的CDN加速服務,但是我們並沒有這個域名的合法HTTPS證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當CDN無法找到SNI中的域名對應的證書時,通常有兩種處理邏輯","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"大多數CDN會返回一個默認的證書給客戶端","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"少數CDN會直接斷開與客戶端的TCP連接","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下圖所示,Fastly CDN會返回default.ssl.fastly.net的證書給客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/2b/2b8002512eba12a5551ec5e8b3c53349.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在這種情況下,客戶端可以選擇忽略HTTPS證書驗證並與CDN邊緣節點進行HTTPS通信","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這時HTTPS流量中SNI == Host == www.blackhat.com,可以繞過對Domain Fronting的檢測","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然default.ssl.fastly.net證書比自簽名證書可信度要高,但是對於這個HTTPS連接來說這仍然是一個非法的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"那麼應該如何獲取高信譽度域名的合法的證書?最簡單的方法就是通過漏洞","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果攻擊者可以獲取目標站點的RCE或者任意文件下載,攻擊者可以直接獲得域名的證書和私鑰","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果攻擊者發現了目標站點的RCE、subdomain takeover、任意文件上傳(尤其是雲存儲的任意文件上傳)等漏洞,攻擊者可以通過HTTP驗證(.well-known)的方式申請目標站點域名的新的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且由於證書的有效期比較長,在站點漏洞被修復後,攻擊者申請的證書可能仍然是有效的","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/27/27eabd10abc0b9d8b234e9e445b8d78d.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"ppe.verify.microsoft.com的subdomain takeover漏洞(該漏洞由作者一個朋友發現)已經被修復,但是申請下來的證書仍然有效","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因爲AWS CloudFront僅通過HTTPS證書來做域名歸屬驗證,所以我們拿到一個合法的證書之後就可以在AWS CloudFront上註冊該域名的CDN服務","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f2/f27ba690d47fe7485d4cd295fb8d888a.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/c6/c673d861a47b12eb3a7d50cfab3fcfc7.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"成功註冊之後,C2 agent就可以使用這個域名上線","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"C2 agent可以使用blogs.aws.amazon.com進行DNS解析尋找CDN邊緣節點,HTTPS請求中的SNI和HTTP Host都可以設置爲ppe.verify.microsoft.com, 並且HTTPS證書使用的是我們上傳的該域名的合法證書。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"是否有辦法在不利用目標站點漏洞的情況下獲取高信譽度域名的合法證書?","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們在研究各個CDN廠商的HTTPS證書分發流程時發現了部分CDN廠商的實現存在一些特性,我們可以利用這些特性借用其他CDN用戶上傳的合法證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"首先來看一下正確的證書分發流程","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/8b/8bfe3be4805d8ca04bf0a666936ec069.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當用戶使用cdn.example.com作爲SNI進行HTTPS請求時,CDN會從他的數據庫中查找cdn.example.com的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"查詢邏輯類似 select certificate from db where domain_name = \"cdn.example.com\"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"(真實情況會更加複雜,這裏只是用一個簡單的數據庫操作來演示CDN的處理邏輯)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"很明顯,表中的第一行數據符合查詢條件, *.example.com.crt 會被select出來,並返回給客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是部分CDN的實現存在問題","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者在CDN上註冊加速域名static.example.com,但是攻擊者並沒有該域名的證書。CDN會在數據庫中新增一條數據,如下圖所示。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/cd/cdfde9022f49ad0d7b6886bd3742f227.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端使用static.example.com作爲SNI向CDN發送HTTPS請求,CDN從數據庫中查詢static.example.com的證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ce/ce6a62565c9ddfdd2dc62052e351b3c3.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與正確的證書分發流程不同的是,這裏的查詢邏輯類似 select certificate from db where certificate matches \"static.example.com\"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"第一行數據中的通配符證書*.example.com.crt可以匹配到static.example.com","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是這個證書是Alice上傳的,也就是說Alice上傳的通配符證書*.example.com.crt匹配到了攻擊者註冊的CDN加速域名static.example.com","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"之後CDN會將Alice上傳的證書返回給客戶端,於是客戶端便獲得了一個對於當前HTTPS連接來說合法的通配符HTTPS證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過CDN的這個特性,攻擊者就可以借用其他用戶上傳到CDN的通配符HTTPS證書,並與CDN建立合法的HTTPS連接","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們發現StackPath和CDN77都存在這個特性,所以我們可以借用用戶上傳到StackPath和CDN77上的通配符HTTPS證書","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/f7/f71db3f76262ddfdcd334009fca76fe5.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"並且StackPath和CDN77上有很多高信譽度的域名","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/6d/6d00957924e2968e9147767799c00a31.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"尤其是StackPath是JS Foundation的CDN服務提供商, 有一些非常知名的前端項目比如Bootstrap和FontAwesome將他們的靜態資源部署在StackPath上","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作爲知名前端項目,Bootstrap和FontAwesome在Alex top 1k網站上使用率非常高","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者可以借用他們的子域名和合法的HTTPS證書將C2通信僞造成Bootstrap和FontAwesome的通信流量","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以Bootstrap爲例,攻擊者可以在CDN上註冊任意bootstrapcdn.com的子域名,甚至是一個並不存在的子域名,比如static.bootstrapcdn.com","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/52/527b6ce7c1295a85703773d59e7bb3d3.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用curl去測試,可以發現,當使用static.bootstrapcdn.com作爲SNI進行HTTPS通信時,CDN會將*.bootstrapcdn.com返回給客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/5c/5c1667c48d889a29074fda37409c57e6.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"於是攻擊者就可以將static.bootstrapcdn.com作爲SNI和Host,借用StackPath上合法的通配符HTTPS證書*.bootstrapcdn.com進行C2通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"無論是通信的HTTPS流量還是解密之後的HTTP流量,看起來都是一個高信譽度域名static.bootstrapcdn.com的合法通信流量。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x03 防禦方法","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於企業防守方來說,最簡單有效的Domain Borrowing防禦方法是在防火牆檢測HTTPS SNI的DNS解析結果是否與通信的目標IP地址相同, 並且建議配合DNS Proxy一起使用以減少誤報。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/41/41deb940a99621f8458f9a480b1c41b0.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於CDN廠商來說,可以採取以下方法禁用Domain Borrowing。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"用戶在CDN上註冊加速域名時,嚴格校驗域名歸屬權","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端連接CDN時,正確地分發HTTPS證書","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於網站管理員來說,可以通過下列方式緩解網站證書被濫用的問題。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":null,"normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"被入侵之後吊銷現有證書,防止證書被攻擊者竊取和濫用","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"通過證書透明度檢查攻擊者是否申請了該網站域名的新的證書","attrs":{}}]}]}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x04 案例:繞過Palo Alto防火牆","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Palo Alto Firewall PAN-VM是Palo Alto的下一代防火牆產品,支持很多優秀的特性,比如SSLv3.0-TLSv1.3的流量解密和Anti-Spyware功能。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對SSL解密功能支持的算法如下圖所示","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/5c/5c650944ca6ad8c74e7c1e645250ccef.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Anti-Spyware功能內置了各類惡意軟件通信流量的檢測規則和一些通用的檢測邏輯比如Anti-Spyware Evasion Signatures[4]。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Anti-Spyware Evasion Signatures包含兩條檢測規則Suspicious HTTP Evasion Found和Suspicious TLS Evasion Found","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/46/46b5e0bb0dfbf0b436db3af2d0113491.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Suspicious HTTP Evasion Found用於檢測HTTP Host的DNS解析結果是否與通信目的IP地址相同","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Suspicious HTTPS Evasion Found用於檢測HTTPS SNI的DNS解析結果是否與通信目的IP地址相同","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所以理論上Anti-Spyware Evasion Signatures是可以檢測Domain Borrowing的。但是我們研究發現,Palo Alto Firewall在這個功能的實現上存在問題。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果防火牆無法解析出SNI和Host域名的IP地址,則這條通信流量會直接通過檢測。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於Domain Borrowing來說,SNI和Host可以被設置爲一個不存在的域名(即該域名沒有IP地址),這樣就可以繞過Palo Alto Firewall的檢測。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以img.fontawesome.com爲例","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3a/3af0cd9a767264e101fe8ec14e5e69c1.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該域名不是一個真實存在的域名,它沒有任何的DNS記錄","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者可以在StackPath上註冊img.fontawesome.com的CDN加速服務,並使用img.fontawesome.com作爲SNI和Host,借用StackPath上合法的通配符HTTPS證書*.fontawesome.com進行C2通信。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在檢測設備看來,攻擊者的通信流量就是一個完全合法的高信譽度域名img.fontawesome.com的HTTPS通信流量,並且可以繞過Anti-Spyware Evasion Signatures的檢測。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a7/a7968c4cc1b12588e2a92d7fa45a96f6.png","alt":"Domain Borrowing: 一種基於CDN的新型隱蔽通信方法(全程乾貨!)","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"該繞過方法已經報告給Palo Alto PSIRT。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x05 Covenant Implant Template","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們實現了一個使用Domain Borrowing通信的Covenant[5] Implant Template,希望幫助攻擊方在紅藍對抗中應用Domain Borrowing技術,也希望能夠幫助防守方加強對此類通信流量的檢測能力。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Github Repo: https://github.com/Dliv3/DomainBorrowing","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"0x06 參考資料","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"[1] https://www.icir.org/vern/papers/meek-PETS-2015.pdf[2] https://attack.mitre.org/techniques/T1090/004/[3] https://media.defcon.org/DEF%20CON%2028/DEF%20CON%20Safe%20Mode%20presentations/DEF%20CON%20Safe%20Mode%20-%20Erik%20Hunstad%20-%20Domain%20Fronting%20is%20Dead%20Long%20Live%20Domain%20Fronting.pdf[4] https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/enable-evasion-signatures.html[5] https://github.com/cobbr/Covenant","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後在多說幾句:我是一名網絡安全工程師,也是剛開始做自媒體","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了感謝讀者們,我想把我收藏的一些","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"網絡安全/滲透測試學習乾貨","attrs":{}},{"type":"text","text":"貢獻給大家,回饋每一個讀者,希望能幫到你們。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"乾貨主要有:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"① 2000多本網安必看電子書(主流和經典的書籍應該都有了)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"② PHP標準庫資料(最全中文版)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"③ 項目源碼(四五十個有趣且經典的練手項目及源碼)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"④ 網絡安全基礎入門、Linux運維,web安全、滲透測試方面的視頻(適合小白學習)","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"⑤ 網絡安全學習路線圖(告別不入流的學習)","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"各位朋友們可以關注+評論一波 然後私信 備註:網安學習 即可免費獲取","attrs":{}}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章