Zoltan Balazs, aka @zh4ck and CTO at MRG Effitas, presented “Bypass firewalls, application whitelists, secure remote desktops under 20 seconds” at Def Con 22. The slides are now available (pdf), as well a tool to help bypass hardware firewalls.
Pen testers, or black hats, sometimes come up against a firewall that blocks backdoor Command and Control (C&C) communications. The problem, according to Balazs, is that bad guys can sometimes get around this, but white hats sometimes cannot.
There is in-the-wild malware, Hikit rootkit, that “creates a new network interface (like software firewalls do), ‘catches’ the traffic sent to the legit server service, and if the backdoor communication is found in the traffic, this data flow is handled differently, not by the legit service. At the hardware firewall level, the traffic will be allowed, as it is using the same destination TCP port as the legit service. Thus attackers can bypass hardware firewall restrictions, but not penetration testers. This is a gap between attackers and testers, which had to be closed. The idea of the hwfwbypass tool was born.”
Attackers having admin privileges on Linux/Windows systems can mess with the hardware firewall between the attacker and the server, and use the same ports for backdoor communication as it is allowed in the firewall (e.g. 22, 80, 443, 3389, etc). First, the attacker has to exploit the server, and only after that can bypass the firewall. If you are looking for a tool to bypass a firewall before exploiting a server, this tool won’t help you.
Balazs released the “hwfwbypass” tool, a program can that bypass hardware firewalls. It is “a network filter kernel driver, based on the Windivert project. Admin level privileges are needed to install the tool. The kernel driver is digitally signed with a trusted signature, thanks to Nemea software development and the Windivert project.” There is also a Metasploit post module if you "are lazy."
In a nutshell scenario in which an attacker were low on funds but needed persistent C&C access to a hardened secure remote desktop (RDP) server, Balazs suggested:
- Drop malware into the RDP server.
- Bypass AppLocker, by modifying the AppLocker policies defined in the local Group Policy Object (GPO) in order to execute any code.
- Elevate to admin privileges.
- Bypass hardware firewall.
Is it really that easy? Lord knows I hope not or there will be pwnage everywhere. Here’s a video demonstrating the HW FW bypass kernel driver.
Benefits to using the hwfwbypass “solution” include:
- It is using Windows supported network filter, thus this functionality will work in the future.
- It ships with valid signed driver.
- Any kind of backdoor traffic can be used with the tool. I have tested it with Netcat, Meterpreter TCP bind shell and a RAT with bind shell.
- The server side does not need any specific tools, only the hwfwbypass and the RAT/bind shell. On the client side, one might need NetCat.
Lessons for the blue team defenders, Balazs said, include the knowledge that restricted remote desktop still presents a “real interface for malware infection.” He added that you should use a next-generation (application/protocol-aware) firewall instead of port based one. He advised blue team members not to trust your firewall logs.
For the red team attackers, he released two tools for post exploitation; one drops malware into the remote desktop. If you have admin privileges on a Windows server, you can bypass/fool hardware firewalls using his driver. Balazs also noted, “If there is a network address translation (NAT) between the attacker and the server, the tool won’t work.”
When describing his presentation, Balazs said, “My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on web server behind restricted DMZ.”
Happy hacking and counter-hacking.