
Stealthy Peer-to-peer C&C over SMB pipes

December 6, 2013

Beacon is my payload for low and slow control of a compromised system. Recently, I added peer-to-peer communication to Beacon. When two Beacons are linked, the child Beacon will get its tasks from and send its output through its parent. Linked Beacons use SMB pipes to communicate. This is a big win for stealth. If a workstation Beacon communicates with a domain controller Beacon over SMB, who would notice?

I invested in this feature for several reasons: I wanted the ability to control an internet isolated host with Beacon. I also wanted to control many compromised systems through one or two egress hosts. And, I thought it would be really cool to tunnel a Meterpreter session over SMB. These things are all doable now.


Cobalt Strike's Beacon isn't the only offensive tool to use named pipes in this way. The Red October malware (see the Kaspersky report) has this feature. The Duqu malware that Symantec analyzed has this ability too. If you want to replicate the C&C styles of advanced threats, Cobalt Strike has you covered.

SMB Named Pipes

Let’s go through how this communication mechanism works. It’s actually pretty easy. A named pipe is an inter-process communication mechanism on Windows.

The CreateNamedPipe function will set up a named pipe. The PIPE_ACCESS_DUPLEX flag makes the named pipe into a bi-directional channel.

HANDLE server;
server = CreateNamedPipe("\\\\.\\pipe\\crack", PIPE_ACCESS_DUPLEX, ...);

The CreateFile function connects to a named pipe.

HANDLE client;
client = CreateFile("\\\\.\\pipe\\crack", GENERIC_READ | GENERIC_WRITE, ...);

Use the ReadFile and WriteFile functions to read data from and send data through a named pipe.

Named pipes become interesting when they communicate between processes on separate hosts. Change the period in the pipe name to an IP address. Now the client will communicate with the pipe on the remote system.

HANDLE client;
client = CreateFile("\\\\192.168.95.18\\pipe\\crack", GENERIC_READ | GENERIC_WRITE, ...);

Named pipe communication between hosts is encapsulated in SMB. Here’s what it looks like in Wireshark.

[Screenshot: Wireshark capture of named pipe traffic encapsulated in SMB]

This communication method is not without its constraints. Any system I link to must have port 445 open. If I use a Beacon peer to control a key server, like a domain controller, this isn't unreasonable. Any Beacon that connects to another Beacon must have an access token or it must establish an SMB session with the target first. This is because Beacon does not create a pipe that allows anonymous (null session) access. Allowing that would require a change in the registry.
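The constraints above also describe what a defender can look for: a pipe created on one host and then opened over port 445 from another host with an authenticated session. The following is an added example, not code from this post or from Cobalt Strike. It runs a small correlation over constructed log lines that imitate two Windows telemetry sources, Sysmon Event IDs 17 (pipe created) and 18 (pipe connected) and Security Event ID 5145 (a network share object was checked), where a share of IPC$ with a RelativeTargetName is a remote named pipe open. The flat key=value line format, the host names, the IP addresses, the sample image paths and the KNOWN_PIPES baseline are all assumptions made for this example; real telemetry is XML/EVTX and the baseline must be measured on your own hosts.

```python
"""Detect cross-host named-pipe use carried over SMB (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed baseline of RPC pipes routinely opened over IPC$ in a domain.
# Tune to what your own hosts actually use; this list is illustrative only.
KNOWN_PIPES = {"srvsvc", "wkssvc", "lsarpc", "samr", "netlogon",
               "spoolss", "atsvc", "epmapper", "svcctl", "eventlog"}
SYSTEM_DIR = "c:\\windows\\"

# Constructed flat renderings of Sysmon 17/18 and Security 5145 events.
SAMPLE_LINES = [
    r"EventID=17 Computer=DC01 Image=C:\Windows\System32\spoolsv.exe PipeName=\spoolss",
    r"EventID=17 Computer=DC01 Image=C:\Users\bob\AppData\Local\Temp\update.exe PipeName=\crack",
    r"EventID=18 Computer=WS01 Image=C:\Windows\System32\lsass.exe PipeName=\lsarpc",
    r"EventID=5145 Computer=DC01 IpAddress=192.168.95.20 ShareName=\\*\IPC$ RelativeTargetName=srvsvc",
    r"EventID=5145 Computer=DC01 IpAddress=192.168.95.20 ShareName=\\*\IPC$ RelativeTargetName=crack",
    r"EventID=5145 Computer=DC01 IpAddress=192.168.95.20 ShareName=\\*\C$ RelativeTargetName=Windows\Temp\x.txt",
]

SYSMON_RE = re.compile(
    r"EventID=(?P<id>17|18)\s+Computer=(?P<host>\S+)\s+Image=(?P<image>\S+)\s+PipeName=(?P<pipe>\S+)")
SEC_RE = re.compile(
    r"EventID=5145\s+Computer=(?P<host>\S+)\s+IpAddress=(?P<ip>\S+)\s+"
    r"ShareName=(?P<share>\S+)\s+RelativeTargetName=(?P<target>\S+)")


@dataclass
class PipeEvent:
    source: str       # "sysmon" or "security"
    event_id: int
    host: str         # host on which the pipe lives
    image: str        # creating/connecting process (Sysmon only)
    pipe: str         # normalized pipe name, no leading backslash, lower case
    remote_addr: str  # client address for 5145, "" for local Sysmon events


@dataclass
class Finding:
    rule: str
    host: str
    pipe: str
    detail: str


def parse_line(line: str) -> Optional[PipeEvent]:
    """Turn one log line into a PipeEvent; non-pipe events (e.g. C$ file access) return None."""
    m = SYSMON_RE.search(line)
    if m:
        return PipeEvent("sysmon", int(m["id"]), m["host"], m["image"],
                         m["pipe"].lstrip("\\").lower(), "")
    m = SEC_RE.search(line)
    if m and m["share"].lower().endswith("ipc$"):
        return PipeEvent("security", 5145, m["host"], "",
                         m["target"].lstrip("\\").lower(), m["ip"])
    return None


def evaluate(ev: PipeEvent) -> List[Finding]:
    """Flag any pipe name outside the baseline; well-known RPC pipes are ignored on their own."""
    if ev.pipe in KNOWN_PIPES:
        return []
    if ev.source == "sysmon" and ev.event_id == 17:
        # The image is weak evidence (Beacon may live inside an injected process),
        # so the unknown pipe name is the primary signal; the path is context.
        note = "" if ev.image.lower().startswith(SYSTEM_DIR) else " (non-system image)"
        return [Finding("unknown_pipe_created", ev.host, ev.pipe, f"created by {ev.image}{note}")]
    if ev.source == "sysmon" and ev.event_id == 18:
        return [Finding("unknown_pipe_connected", ev.host, ev.pipe, f"client {ev.image}")]
    return [Finding("remote_pipe_access", ev.host, ev.pipe, f"over IPC$ from {ev.remote_addr}")]


def scan(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            findings.extend(evaluate(ev))
    return findings


def correlate(findings: List[Finding]) -> List[Finding]:
    """Peer-link pattern: an unknown pipe created on a host and then opened on that host over IPC$."""
    created = {(f.host, f.pipe) for f in findings if f.rule == "unknown_pipe_created"}
    return [f for f in findings if f.rule == "remote_pipe_access" and (f.host, f.pipe) in created]


if __name__ == "__main__":
    hits = scan(SAMPLE_LINES)
    for f in hits:
        print(f"{f.rule:24} host={f.host} pipe={f.pipe} {f.detail}")
    for f in correlate(hits):
        print(f"LINKED PIPE: {f.host}\\pipe\\{f.pipe} {f.detail}")
```

Two things the run shows: the C$ line is ignored because only IPC$ opens address a pipe, and neither the unknown pipe creation nor the remote IPC$ access is interesting alone; the correlation of both on the same host and pipe name is what reproduces the link described in the post.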

In-Memory Backdoor

For Beacon users, this peer-to-peer technology isn’t just a new data channel. It’s also an opportunity to use Beacon as an in-memory backdoor for Windows hosts.

Once you deliver a Beacon peer to a host (or use mode smb to turn a Beacon into a peer), it creates a named pipe and waits for a connection from another Beacon. You may link to it right away. You don’t have to though. After you link to a Beacon, you may unlink it at any time. When you unlink a Beacon peer, it waits for a connection from another Beacon.

Flexible Tunnels

Tunneling traffic through linked Beacons works like you’d expect. If I create a Meterpreter session, tunneled through a Beacon peer, that traffic will reach Cobalt Strike through the peer’s parent Beacon.

Let’s say I unlink a Beacon peer while tunneling a Meterpreter session through it. Then I quickly link that Beacon peer to another Beacon. What happens to my tunneled session? Nothing. My tunneled session will continue to work. Its traffic will go through the new parent Beacon. This is quite neat. You’re redefining a tunnel’s egress host, on the fly.

There’s a lot of possibility here.

5 comments

  1. Awesome work! Can’t wait to test it out. Have you done any testing on systems that have applied CIS benchmark configurations with restrictions on named pipes?
    Thanks Raphael!


    • Hi Mike,
      I was not familiar with the CIS benchmark configuration, so I had to do some digging to answer this question. I’m looking at the controls prescribed in: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.1.0.pdf sections 1.9.51 and 1.9.53.

      1.9.51 recommends that you query the registry to check the value of NullSessionPipes and check for strange things. This registry value is a whitelist of which pipes allow unauthenticated/anonymous access. When a Beacon links to another Beacon, it must do so from a process associated with a domain account or with an SMB session already established (e.g., via net use). I explicitly create an empty access control list for the Beacon pipe. This allows any *authenticated* user to access the pipe. Because an authenticated user is connecting to the pipe, there is no need for the pipe to appear in a whitelist of pipes that allow null sessions.

      1.9.53 is an option to override the registry value with a GPO that lets you specify which pipes allow unauthenticated/anonymous access. Again, this doesn’t matter to me, as all of my connections are authenticated.

      When I developed this feature, early on, I investigated how to allow anonymous access to the pipe Beacon creates. I wanted to avoid the authentication requirement. When I read MS’s documentation, I realized that anonymous access would require a registry change. I opted to avoid this as I don’t like making changes to configuration or dropping artifacts to disk unless I absolutely have to.

      http://support.microsoft.com/kb/813414

      — Raphael


      • Thank you for this article. I've been reversing some rootkit malware for a while, and have been wondering why it was using named pipes. Do you have any advice on intercepting the raw bytes being written to the named pipes?

        Thanks.


      • I don’t really have a good answer to give you. If you come up with something that works, do comment on it here for others.


      • Is it possible to link multiple (i.e. chain) SMB Beacons this way? Say, when the host of interest is multiple hops away and without egress capabilities.


