• This repository has been archived on 02/Mar/2021
  • Stars
    star
    725
  • Rank 62,504 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 5 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

DNS covert channel implant for Red Teams.

WEASEL: A Stealthy DNS Beacon

WEASEL is a small in-memory implant using Python 3 with no dependencies. The beacon client sends a small amount of identifying information about its host to a DNS zone you control. WEASEL server can task clients to execute pre-baked or arbitrary commands.

WEASEL is a stage 1 payload, meant to be difficult to detect and useful for regaining access when your noisy full-featured stages are caught.

Status

  • Has been successfully used on an operation and evaded detections.
  • Client can initialize a session with the server and establish bi-directional communication.
  • Server has a fully working CLI.
  • Client supports a number of functions that the server can task.
  • Client is 5.2KB when minified + obfuscated.
  • Automatic obfuscation is lacking and needs manual fixing (see Limitations in client README).
  • Server does not have multi-player (simultaneous multiple operator) support.

Examples

See usage in client's README and server's README for specific instructions.

To start the server or client, execute the scripts directly or pass them to the Python interpreter.

Ensure the C2 domains each have an NS record with the IP address of the host running server.py.

Requirements

WEASEL requires Python 3.6+.

The client is self-contained and only uses standard libraries, therefore it can be run on macOS, Linux, etc.

The server has a few dependencies from pip, included in server's requirements.txt. The server should be run on Linux, but there is nothing preventing it from running on macOS or other *nix.

Testing / Running in Development

No need to obfuscate and minimize the beacon in this case. Print statements are preserved. As with Usage above, ensure NS records for the domain(s) in servers in beacon.py point to the IP address of server.py.

On the server host:

sudo python3 server.py

On the victim host (can be the same as server):

python3 beacon.py

Architecture

You do not need to understand any of this to use WEASEL.

Beacon communicates over DNS using AAAA queries and answers. It does not use TXT records due to those being known as being used by DNS malware and tunnels. Blue teams often have DNS tunneling detections that alert on large TXT queries.

The client side does not need root to operate, does not use raw sockets, and does not create malformed DNS packets. It uses regular system and language provided interfaces to make DNS requests. The information is encoded + encrypted in the records themselves.

  • A single A record (IPv4 address) can contain 4 bytes of information.
  • A single AAAA record (IPv6 address) can contain 16 bytes of information.
  • CNAME records and hostnames used in queries can contain up to 64 bytes per subdomain and should be no longer than 255 total bytes per RFC. However, SANS DNS detection guidelines say that subdomains longer than 52 characters are suspect. For this reason we limit subdomains to 52 characters (configurable in the code) and we try to use no more subdomains and requests than we need.
  • A response can contain multiple records, up to the size limit of a UDP datagram (65,507 bytes).

This beacon is meant to be low and slow, with little bandwidth. It should tell us which hosts it is on and give us a way to launch further stages as needed, and nothing more. While this does have arbitrary command support, it is not meant to be used as a regular interactive shell or communications channel.

WEASEL is a stage 1 that you leave running, ensuring ongoing access as your full featured (and therefore noisier) stages get caught.

Persistence

WEASEL was initially targeted for high uptime servers where we had a reliable foothold/exploitation vector. Evading forensics was a high priority. As a result, it has no native persistence features.

You can make it persistent by adding its execution to your favorite persistence technique, which is left as an exercise to the reader :)

Protocol and Message Format

Client Request

A request (from the client) is a single AAAA query for a name formatted like:

<preamble><data>.<stream>.<session>.domain.tld

The preamble is 2 bytes. Preamble[0] is that packet's sequence number. Preamble[1] is the total number of packets in that stream.

Data is limited to 50 bytes (configurable) and contains the payload. The payload is base32 encoded with a custom alphabet.

Payload Encoding

First, all 'w' chars are swapped for '-'.

Next, the padding character is swapped from '=' to 'w' to conform to the DNS character set: [a-z0-9] and [-].

We don't swap '=' with '-' directly because the padding will always be at the end of the string, and ending a hostname on '---' is both suspicious and against DNS RFC. This way when a string does have padding it will end on 'www', which is both less suspicious and RFC compliant.

Server Response

A response (from the server) is comprised of one or more AAAA answers.

Each AAAA answer is a 16 byte encrypted payload represented as an IPv6 address using socket.inet_ntop. Answers in a DNS response do not maintain their order in transit, so they are sequenced and reassembled like the client requests.

The transport payload is a string of data elements separated by a ^ character.

Transport Format

Requests and responses follow this format:

<type>|<data>

Type Meaning (sender) AKA Data
0 Acknowledged ACK Random hex
1 Checking in (client) PING Random hex
2 Terminate yourself (server), terminating myself (client) FIN
3 Initialization message (client) SYN `version
4 Reconnect (server) RST
5 Set callback interval (server) seconds
6 Get network interface data eth0 1.2.3.4/24\neth1 fe80:::/64\n...
8 Eval arbitrary Python3 code up to 666 bytes (server), returning first 400 bytes of output (client) EVAL python3 oneliner script
9 Execute arbitrary command up to 666 bytes (server), returning first 400 bytes of output (client) EXEC bash command

Sessions

Sessions are long lived: a client initiates a session when the beacon is first executed and that session should last for the entire time the beacon is active on that client. Note that since the beacon is in-memory and not persistent the session data is stored in that Python process' memory. Any new invocation of the beacon will initiate a new session.

Initiating a session involves the client crafting a message with a uniquely identifying non-data preamble (to signal to the server that this is a new session): the concatenation of a 32 bytes Diffie-Hellman public key and a 16 byte random AES IV.

The server receives this and responds with its own 32 byte public key. At this point the client and server have established a shared session key that will be used for the lifetime of this session to encrypt data payloads using AES-128 in CTR mode. The Diffie-Hellman Ephemeral exchange ensures each client-server connection uses a unique session key with forward secrecy.

Encryption Badness

The crypto is purposefully bad for a number of reasons:

  • We are emulating real attackers who generally have little clue how to build robust crypto systems and are fans of rolling their own
  • The bandwidth of beacon is as low as possible, which means our DHE exchange must be kept very small
  • Non-attribution is important, we don't authenticate the server
  • It is less fun for responders if we use state of the art crypto they can't hope to break

Here are some known issues with the crypto scheme:

  1. Diffie-Hellman modulus p is RFC 3526 Group 5 truncated to the first 32 bytes. Not only does this limit the public and private keys to 32 bytes, but Group 5 is already deprecated and recommended against. I call this bad decision "Group 1".
  2. We use random.randint() for the exponent a instead of a CSPRNG.
  3. We use a small amount of data from os.urandom() for session ID and stream ID generation instead of a UUID, meaning collisions are likely. We account for this by retrying until we get an ID that isn't being used.
  4. The AES-CTR cipher is re-initialized with the same IV (which is long lived like the session key) for every stream. This means that the same plaintext in the same position across streams will produce the same ciphertext.
  5. In AES-CTR the IV is correctly called a nonce, but in our implementation we aren't using the number once so it would be a bit rude to call it that.

Streams

Each message sent between a client and server has to be packetized into max 50 byte packets, in order to stay under that 52 byte limit for common DNS covert channel detections. All packets for a particular message are part of the same stream. Message == Stream.

Streams are identified with a 2 byte random hex number. Recall the client request format is: <preamble><data>.<stream>.<session>.domain.tld

The 2 byte preamble of each packet in the stream has a sequence number and the total number of packets in that stream. This enables the server to know when everything has arrived.

Because this is DNS we're doing this all over UDP, which doesn't provide any guarantees about the order datagrams will arrive. That is why WEASEL has to account for sequencing, reassembly, and tracking multiple streams from many beacons.

Each stream reinitializes a globally shared AES-128-CTR cipher to encrypt/decrypt payloads.

The payload can only be decrypted once a stream is complete (all packets have arrived). If it wasn't for base32, we could decrypt what we have of the message even if we were missing packets (because AES-CTR is a stream cipher) but we cannot base32 decode partial streams. Oh well. By the nature of DNS clients, requests are made multiple times (generally 2 or 4 times) until a response is received, so we have a good probability that we will receive all packets in a stream as each packet should be sent by the client at least twice. If we do drop packets or streams, it isn't a big deal, the beacon will check in again later and will probably have better luck then.

Join the WEASEL community

See the CONTRIBUTING file for how to help out.

License

WEASEL is MIT licensed, as found in the LICENSE file.

More Repositories

1

draft-js

A React framework for building text editors.
JavaScript
22,506
star
2

pop

An extensible iOS and OS X animation library, useful for physics-based interactions.
Objective-C++
19,716
star
3

flux

Application Architecture for Building User Interfaces
JavaScript
17,397
star
4

prepack

A JavaScript bundle optimizer.
JavaScript
14,271
star
5

AsyncDisplayKit

Smooth asynchronous user interfaces for iOS apps.
Objective-C++
13,447
star
6

stetho

Stetho is a debug bridge for Android applications, enabling the powerful Chrome Developer Tools and much more.
Java
12,653
star
7

Shimmer

An easy way to add a simple, shimmering effect to any view in an iOS app.
Objective-C
9,375
star
8

react-360

Create amazing 360 and VR content using React
JavaScript
8,702
star
9

caffe2

Caffe2 is a lightweight, modular, and scalable deep learning framework.
Shell
8,420
star
10

nuclide

An open IDE for web and native mobile development, built on top of Atom
JavaScript
7,816
star
11

KVOController

Simple, modern, thread-safe key-value observing for iOS and OS X.
Objective-C
7,359
star
12

three20

Three20 is an Objective-C library for iPhone developers
Objective-C
7,265
star
13

xctool

An extension for Apple's xcodebuild that makes it easier to test iOS and macOS apps.
Objective-C
6,954
star
14

fbctf

Platform to host Capture the Flag competitions
Hack
6,495
star
15

rebound

A Java library that models spring dynamics and adds real world physics to your app.
Java
5,444
star
16

Keyframes

A library for converting Adobe AE shape based animations to a data format and playing it back on Android and iOS devices.
JavaScript
5,343
star
17

shimmer-android

An easy, flexible way to add a shimmering effect to any view in an Android app.
Java
5,265
star
18

grace

Graceful restart & zero downtime deploy for Go servers.
Go
4,899
star
19

Tweaks

An easy way to fine-tune, and adjust parameters for iOS apps in development.
Objective-C
4,751
star
20

augmented-traffic-control

Augmented Traffic Control: A tool to simulate network conditions
Python
4,331
star
21

fixed-data-table

A React table component designed to allow presenting thousands of rows of data.
JavaScript
4,314
star
22

WebDriverAgent

A WebDriver server for iOS that runs inside the Simulator.
Objective-C
4,096
star
23

huxley

A testing system for catching visual regressions in Web applications.
Python
4,086
star
24

codemod

Codemod is a tool/library to assist you with large-scale codebase refactors that can be partially automated but still require human oversight and occasional intervention. Codemod was developed at Facebook and released as open source.
Python
4,069
star
25

scribe

Scribe is a server for aggregating log data streamed in real time from a large number of servers.
C++
3,932
star
26

FBMemoryProfiler

iOS tool that helps with profiling iOS Memory usage.
Objective-C
3,417
star
27

mention-bot

Automatically mention potential reviewers on pull requests.
JavaScript
3,371
star
28

facebook-php-sdk

This SDK is deprecated. Find the new SDK here: https://github.com/facebook/facebook-php-sdk-v4
PHP
3,289
star
29

origami

A Quartz Composer framework that enables interactive design prototyping without programming.
Objective-C
3,280
star
30

RakNet

RakNet is a cross platform, open source, C++ networking engine for game programmers.
HTML
3,211
star
31

network-connection-class

Listen to current network traffic in the app and categorize the quality of the network.
Java
3,178
star
32

beringei

Beringei is a high performance, in-memory storage engine for time series data.
C++
3,159
star
33

php-graph-sdk

The Facebook SDK for PHP provides a native interface to the Graph API and Facebook Login. https://developers.facebook.com/docs/php
PHP
3,146
star
34

react-native-fbsdk

A React Native wrapper around the Facebook SDKs for Android and iOS. Provides access to Facebook login, sharing, graph requests, app events etc.
Java
2,993
star
35

python-instagram

Python Client for Instagram API
Python
2,966
star
36

conceal

Conceal provides easy Android APIs for performing fast encryption and authentication of data.
C++
2,966
star
37

webscalesql-5.6

WebScaleSQL, Version 5.6, based upon the MySQL-5.6 community releases.
C++
2,954
star
38

ios-snapshot-test-case

Snapshot view unit tests for iOS
Objective-C
2,674
star
39

device-year-class

A library that analyzes an Android device's specifications and calculates which year the device would be considered "high end”.
Java
2,581
star
40

BOLT

Binary Optimization and Layout Tool - A linux command-line utility used for optimizing performance of binaries
2,497
star
41

pfff

Tools for code analysis, visualizations, or style-preserving source transformation.
OCaml
2,439
star
42

fb.resnet.torch

Torch implementation of ResNet from http://arxiv.org/abs/1512.03385 and training scripts
Lua
2,243
star
43

redux-react-hook

React Hook for accessing state and dispatch from a Redux store
TypeScript
2,164
star
44

Surround360

Surround360 is Facebook's open source hardware and software for capturing stereoscopic 3D 360 video for VR. The repo contains hardware designs, as well as software for camera control and rendering.
C++
2,153
star
45

xcbuild

Xcode-compatible build tool.
C++
2,000
star
46

LogDevice

Distributed storage for sequential data
C++
1,888
star
47

MemNN

Memory Networks implementations
Lua
1,757
star
48

rebound-js

Spring dynamics in JavaScript.
JavaScript
1,754
star
49

redis-faina

A query analyzer that parses Redis' MONITOR command for counter/timing stats about query patterns
Python
1,749
star
50

fb-flo

A Chrome extension that lets you modify running apps without reloading them.
JavaScript
1,692
star
51

planout

PlanOut is a library and interpreter for designing online experiments.
JavaScript
1,664
star
52

libphenom

An eventing framework for building high performance and high scalability systems in C.
C
1,662
star
53

flashcache

A general purpose, write-back block cache for Linux.
C
1,601
star
54

python-nubia

A command-line and interactive shell framework.
Python
1,595
star
55

profilo

A library for performance traces from production.
C
1,577
star
56

facebook-swift-sdk

Integrate your iOS apps in Swift with Facebook Platform.
Swift
1,519
star
57

instagram-ruby-gem

The official gem for the Instagram API
Ruby
1,461
star
58

inject

Package inject provides a reflect based injector.
Go
1,393
star
59

Flicks

A unit of time defined in C++.
C++
1,388
star
60

duckling_old

Deprecated in favor of https://github.com/facebook/duckling
Clojure
1,322
star
61

connect-js

Legacy JavaScript SDK
JavaScript
1,237
star
62

atom-in-orbit

Putting Atom in the browser
JavaScript
1,183
star
63

phpsh

A read-eval-print-loop for php
Emacs Lisp
1,160
star
64

C3D

C3D is a modified version of BVLC caffe to support 3D ConvNets.
Jupyter Notebook
1,159
star
65

sublime-react

Sublime Text helpers for React. Syntax highlighting DEPRECATED in favor of babel/babel-sublime
JavaScript
1,144
star
66

fb-adb

A better shell for Android devices
C
1,139
star
67

iTorch

IPython kernel for Torch with visualization and plotting
Jupyter Notebook
1,104
star
68

FBAllocationTracker

iOS library that helps tracking all allocated Objective-C objects
Objective-C++
1,094
star
69

fbcunn

Facebook's extensions to torch/cunn.
Lua
1,069
star
70

emitter

A JS EventEmitter foundation for evented code
JavaScript
1,041
star
71

bistro

Bistro is a flexible distributed scheduler, a high-performance framework supporting multiple paradigms while retaining ease of configuration, management, and monitoring.
C++
1,040
star
72

relay-starter-kit

Barebones starting point for a Relay application.
JavaScript
1,017
star
73

torchnet

Torch on steroids
Lua
992
star
74

react-meteor

React rendering for Meteor apps
JavaScript
953
star
75

atom-ide-ui

A collection of user interfaces for Atom IDE.
JavaScript
936
star
76

NAMAS

Neural Attention Model for Abstractive Summarization
Lua
910
star
77

nifty

Thrift on Netty
Java
899
star
78

swift

An annotation-based Java library for creating Thrift serializable types and services.
Java
889
star
79

bAbI-tasks

Task generation for testing text understanding and reasoning
Lua
886
star
80

hadoop-20

Facebook's Realtime Distributed FS based on Apache Hadoop 0.20-append
Java
876
star
81

loop

A method to generate speech across multiple speakers
Python
872
star
82

IGInterfaceDataTable

A category on WKInterfaceTable that makes configuring tables with multi-dimensional data easier.
Objective-C
837
star
83

mononoke

A Mercurial source control server, specifically designed to support large monorepos.
822
star
84

react-page

Easy Application Development with React JavaScript
JavaScript
795
star
85

f8DeveloperConferenceApp

[Archive] f8 2014 Conference App
HTML
761
star
86

nailgun

Nailgun is a client, protocol, and server for running Java programs from the command line without incurring the JVM startup overhead.
Java
734
star
87

RiftDK1

Firmware, Schematics, and Mechanicals for the Oculus Rift Development Kit 1
C
688
star
88

jcommon

concurrency, collections, stats/analytics, config, testing, etc
Java
677
star
89

proguard

A fork of ProGuard.
Java
661
star
90

bootstrapped

Generate bootstrapped confidence intervals for A/B testing in Python.
Python
631
star
91

ig-lazy-module-loader

Library that implements module lazy loading.
Java
630
star
92

opencompute

A community of engineers whose mission is to design and enable the delivery of the most efficient server, storage and data center hardware designs for scalable computing.
TeX
624
star
93

flint

An open-source lint program for C++ developed by, and formerly used at Facebook.
D
622
star
94

fblualib

Facebook libraries and utilities for Lua
Lua
615
star
95

remodel

Remodel is a tool that helps iOS and OS X developers avoid repetitive code by generating Objective-C models that support coding, value comparison, and immutability.
TypeScript
609
star
96

eyescream

natural image generation using ConvNets
Lua
599
star
97

react-python

Python bridge to JSX & the React JavaScript library.
Python
576
star
98

spacetime

Experimental iOS library for live transformations on parts of layers.
Objective-C
528
star
99

warp

A fast preprocessor for C and C++
D
521
star
100

FBNotifications

Facebook Analytics In-App Notifications Framework
Objective-C
494
star