slyat (Posts: 70) - July 24, 2022, 06:46 AM

I'm writing a backdoor program with Golang. I want to hide the traffic during the communication between the controlled side and the C2 server, making it look like normal traffic. I have googled this problem but the answers are not good enough. :(
Do you guys have any idea about that? I just need a thought. Some code would be best, however =) :P

br34chm4n (Posts: 7) - July 24, 2022, 11:27 AM

It would depend what operating system you are trying to hide it from? Or do you mean hiding it if someone is just sniffing the traffic? If you want to hide it from network sniffing then you could have it encrypted and going over HTTPS, for example. Hiding from an operating system, then you would either have to patch a program you want to hide it from, or patch the kernel so it's more generic and hidden from all programs.

DataDumper (Posts: 572) - July 25, 2022, 06:09 AM

You could try using a popular service to act as your C2, e.g. have your program get its commands from Google Drive or the like, since when doing traffic analysis it will just look like a normal user downloading something off Google.
Or if you're talking about securing your actual traffic, HTTPS / encryption is standard.

slyat (Posts: 70) - July 25, 2022, 12:31 PM

(July 24, 2022, 11:27 AM) br34chm4n Wrote:
> It would depend what operating system you are trying to hide it from? Or do you mean hiding it if someone is just sniffing the traffic? If you want to hide it from network sniffing then you could have it encrypted and going over HTTPS, for example. Hiding from an operating system, then you would either have to patch a program you want to hide it from, or patch the kernel so it's more generic and hidden from all programs.

Thank you so much for answering! I just have to hide my traffic from sniffing. To hide it from other programs, I will write a simple rootkit. By the way, if I use the HTTPS protocol to encrypt the traffic, is it possible to show a fake "harmless" page to normal users in order to cover the C2?

(July 25, 2022, 06:09 AM) DataDumper Wrote:
> You could try using a popular service to act as your C2, e.g. have your program get its commands from Google Drive or the like, since when doing traffic analysis it will just look like a normal user downloading something off Google.
> Or if you're talking about securing your actual traffic, HTTPS / encryption is standard.

Thanks, I think some social networking sites can be a good C2 :)

br34chm4n (Posts: 7) - July 25, 2022, 01:16 PM

(July 25, 2022, 12:31 PM) slyat Wrote:
> Thank you so much for answering! I just have to hide my traffic from sniffing. To hide it from other programs, I will write a simple rootkit.
> By the way, if I use the HTTPS protocol to encrypt the traffic, is it possible to show a fake "harmless" page to normal users in order to cover the C2?

Yes, sure. As people could see the IP being connected to, just have that show a normal site by default. To interact with any C2 code, your requests to the web server could have a certain cookie or headers set, and if those don't exist in the request, do not return anything C2 related... even if they accessed a C2 URL on the server.

slyat (Posts: 70)

(July 25, 2022, 01:16 PM) br34chm4n Wrote:
> (July 25, 2022, 12:31 PM) slyat Wrote:
> > Thank you so much for answering! I just have to hide my traffic from sniffing. To hide it from other programs, I will write a simple rootkit.
> > By the way, if I use the HTTPS protocol to encrypt the traffic, is it possible to show a fake "harmless" page to normal users in order to cover the C2?
>
> Yes, sure. As people could see the IP being connected to, just have that show a normal site by default. To interact with any C2 code, your requests to the web server could have a certain cookie or headers set, and if those don't exist in the request, do not return anything C2 related... even if they accessed a C2 URL on the server.

THANK you!

Unnamed user

I'm surprised at how low the skiddery level is here. I gotta say, well done, I'm impressed. Of course I already knew all of this stuff, don't get me wrong, I just wasn't expecting anything other than absolute aids as we usually get in these sorts of threads. #databreach #RIU

FemboyFucker (Posts: 41) - July 26, 2022, 12:22 AM

You could try to use different protocols to hide the traffic. You mentioned that you're using HTTPS, which is good because it is going to hide amongst some of the legit traffic. I did see some time ago malware using DNS in order to create a reverse shell. The exact same concept can be used here in order to be able to hide the traffic. I also spoke to some people and read about the "Symbiote" malware. This is able to hide its own packets by using eBPF—this is a packet filtering technique, so it can hide the packets from things like TCPDUMP or WIRESHARK. There is some "fuckery" going on with injecting itself into the bytecode of eBPF... not 100% sure on this as networking as a whole is not my speciality, but nonetheless, I found it extremely interesting.

slyat (Posts: 70)

(July 26, 2022, 12:22 AM) FemboyFucker Wrote:
> You could try to use different protocols to hide the traffic. You mentioned that you're using HTTPS, which is good because it is going to hide amongst some of the legit traffic. I did see some time ago malware using DNS in order to create a reverse shell. The exact same concept can be used here in order to be able to hide the traffic. I also spoke to some people and read about the "Symbiote" malware. This is able to hide its own packets by using eBPF—this is a packet filtering technique, so it can hide the packets from things like TCPDUMP or WIRESHARK. There is some "fuckery" going on with injecting itself into the bytecode of eBPF... not 100% sure on this as networking as a whole is not my speciality, but nonetheless, I found it extremely interesting.

Your reply is really helpful. You mentioned the "Symbiote" malware. Just now, I read the report on it from BlackBerry in this url; many ways of avoiding detection were described, which helped me a lot. I am going to write a lite ROOTKIT in C, then use the rootkit to hide the backdoor itself and its behavior.
Thanks a lot for answering. =)

Unnamed user (Posts: 23)

(July 24, 2022, 06:46 AM) slyat Wrote:
> I'm writing a backdoor program with Golang. I want to hide the traffic during the communication between the controlled side and the C2 server, making it look like normal traffic. I have googled this problem but the answers are not good enough. :(
> Do you guys have any idea about that? I just need a thought. Some code would be best, however =) :P

https tunnel?
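The DNS-based reverse shell mentioned in the thread is what a defender would look for in resolver logs. The following is an added example, not code from the thread or any project discussed in it: it scores each query's subdomain by length and Shannon entropy and reports clients that repeatedly hit both thresholds. The log format, the sample lines, the "zone is the last two labels" rule and the thresholds are all assumptions constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the thread): "<epoch> <client> <qtype> <qname>".
# Client 10.0.0.7 sends TXT queries whose leftmost label is a 32-char hex blob, the shape
# a DNS-based reverse shell or tunnel produces when it smuggles data in the query name.
SAMPLE_LOG = """\
1658700000 10.0.0.5 A www.example.com
1658700001 10.0.0.5 AAAA mail.example.com
1658700002 10.0.0.7 TXT 4d2a9f1c0b7e3a6d8f2c1b9e7a3d5f0c.tun.example.net
1658700003 10.0.0.5 A static-assets-eu-west-1.cdn.example.com
1658700004 10.0.0.7 TXT 9e7b3c1d5a2f8e4c0b6d1a9f3e7c2b5d.tun.example.net
1658700005 10.0.0.7 TXT c1b9e7a3d5f0c4d2a9f1c0b7e3a6d8f2.tun.example.net
1658700006 10.0.0.5 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def subdomain_part(qname: str, zone_labels: int = 2) -> str:
    """Labels left of the zone. Assumption: the zone is the last two labels
    (wrong for suffixes like co.uk; use a public-suffix list in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-zone_labels])

def is_suspicious(qname: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    """Flag only subdomains that are both long AND high-entropy, so a long but
    readable CDN hostname passes while an encoded payload label does not."""
    sub = subdomain_part(qname)
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy

def detect_tunneling(log_text: str, min_hits: int = 3) -> dict:
    """Return {client: [flagged qnames]} for clients with >= min_hits flagged queries;
    the per-client count filters out the odd legitimate high-entropy name."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = parts
        if is_suspicious(qname):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}
```

On the sample log only 10.0.0.7 is reported; the long but readable CDN name from 10.0.0.5 clears the length threshold yet fails the entropy one, which is why both criteria are required.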