Blind zones SSL

Today’s threat landscape requires a comprehensive, defense-in-depth security strategy that often includes interception and inspection of SSL traffic. Since most attacks use some type of encryption, the ability to log and inspect encrypted content is vital. SSL inspection, however, is deployed with exceptions for entire categories of sites, and those exceptions can be used by attackers.

Because of local privacy laws, many organizations whitelist certain categories of websites (e.g. finance / banking and health care) from inspection. This creates problems when investigating potential incidents, because detailed logging is missing for exactly that traffic.

Attackers can use this loophole after an initial break-in to set up additional, well-hidden persistent C2 channels. For whitelisted sites the proxy logs do not show the full URLs associated with common C2 profiles, and the encrypted traffic cannot be checked for threats inside SSL. This also makes it possible to transfer dubious binary files unseen, placing more of the burden on endpoint protection.

How does SSL inspection work?

SSL inspection relies on the proxy server dynamically issuing certificates for the websites that users visit. All of these certificates have the same issuer (the proxy’s own CA) and are usually valid from the date they were issued. Because the proxy’s CA is trusted on the endpoints, the proxy effectively holds “SSL trust” at both ends and can decrypt and inspect the contents of the traffic.

Example 1 – SSL certificate for a site that is not on the whitelist

Example 2 – SSL certificate for a whitelisted site


Using ProxyPunch

ProxyPunch helps identify SSL inspection blind spots by first determining the issuer of the certificates the proxy generates. Once this issuer is known, any website whose certificate was not issued by that CA must be on a whitelist or in a whitelisted category. ProxyPunch ships with a built-in list of test sites for the different categories.

Travel

ProxyPunch determines whether there is an SSL inspection exception for all banking / financial sites. In this example, as in most organizations, access to webmail sites is not allowed.

Now we need to find a domain name that is already categorized as “Banking / Finance”. The easiest way to do this is to use the ExpiredDomains website to find expired domains in that area. Once you have registered on ExpiredDomains, you can use the advanced filter to find matching domains. In this example, I searched for .info domains containing the word Mortgage. I then sorted the results by the BL (BackLinks) column, as I have found that sites with backlinks are more likely to be correctly categorized.

Before you buy a domain, check that it is correctly categorized, because the category is determined by the site’s web content, not by the words in the domain name. Fortunately, there are a number of online tools that can be used to check categories:

McAfee
Cyren
Zvelo
BrightCloud
Palo Alto

The third domain on the list, puremortgage.info, looks promising:

A quick check on Namecheap shows that the domain is available (and inexpensive):

After purchasing the domain, set up a web server for it with a Let’s Encrypt certificate. Now you can verify that the proxy whitelists our domain by checking that we see Let’s Encrypt’s certificate and not one issued by the corporate web gateway:

So now we have a site that is on the whitelist. None of the traffic passing through the proxy server to this site will be inspected.

As a quick test I used a flexible C2 profile with a certificate for www.puremortgage.info to see how my beacon traffic was logged (the traffic to the C2 server with which the beacon signals that it is ready to execute commands):

This is what the proxy logs look like for a whitelisted site:

Compared to a site that is not on the whitelist:

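The logging gap shown above is what a defender is left with: for a whitelisted site the proxy records the tunnel but not its content. As an added example (not from the article or the ProxyPunch project), the Python below scans constructed proxy log lines for uninspected tunnels to bypassed categories whose inter-arrival times are nearly constant, the shape that periodic beacon check-ins leave even when the payload cannot be seen. The log format, the TUNNEL/DECRYPT action names, the category names and the hosts other than www.puremortgage.info are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (illustrative, not from the article). Assumed
# format: "<timestamp> <src_ip> <action> <host> <category>"; TUNNEL means the
# CONNECT was passed through uninspected, DECRYPT means the proxy inspected it.
SAMPLE_LOG = """\
2021-03-01T09:00:00 10.1.1.5 TUNNEL www.puremortgage.info Finance/Banking
2021-03-01T09:00:00 10.1.1.5 DECRYPT www.example.com News
2021-03-01T09:01:00 10.1.1.5 TUNNEL www.puremortgage.info Finance/Banking
2021-03-01T09:02:01 10.1.1.5 TUNNEL www.puremortgage.info Finance/Banking
2021-03-01T09:03:00 10.1.1.5 TUNNEL www.puremortgage.info Finance/Banking
2021-03-01T09:03:17 10.1.1.5 TUNNEL onlinebank.example Finance/Banking
2021-03-01T09:03:59 10.1.1.5 TUNNEL www.puremortgage.info Finance/Banking
2021-03-01T09:05:00 10.1.1.5 TUNNEL www.puremortgage.info Finance/Banking
2021-03-01T09:11:40 10.1.1.5 TUNNEL onlinebank.example Finance/Banking
2021-03-01T09:12:02 10.1.1.5 TUNNEL onlinebank.example Finance/Banking
2021-03-01T09:40:00 10.1.1.5 TUNNEL onlinebank.example Finance/Banking
2021-03-01T09:41:00 10.1.1.5 TUNNEL onlinebank.example Finance/Banking
"""
# Categories the proxy exempts from SSL inspection (assumed names).
BYPASSED_CATEGORIES = {"Finance/Banking", "Health"}

def parse_log(text):
    """Yield (time, src, action, host, category) for each log line."""
    for line in text.splitlines():
        ts, src, action, host, category = line.split()
        yield datetime.fromisoformat(ts), src, action, host, category

def find_periodic_bypass(text, min_hits=5, max_cv=0.05):
    """Return (src, host, mean_interval_s, hits) for uninspected tunnels to
    bypassed categories whose inter-arrival times are nearly constant
    (coefficient of variation <= max_cv), i.e. beacon-like check-ins."""
    series = defaultdict(list)
    for ts, src, action, host, category in parse_log(text):
        if action == "TUNNEL" and category in BYPASSED_CATEGORIES:
            series[(src, host)].append(ts)
    flagged = []
    for (src, host), times in series.items():
        if len(times) < min_hits:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged.append((src, host, round(mean), len(times)))
    return flagged
```

Real beacons add jitter, so tune max_cv and min_hits against your own baseline rather than using the constants above as given.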
It should be noted that the ways onto the SSL inspection whitelist are not limited to categorization. In my experience, certain websites are whitelisted for a number of other reasons, for example a client application that connects through the proxy but requires a particular SSL certificate in order to authenticate. You can also find misconfigured exceptions with wildcards, such as the ones below, which you can take advantage of by using matching subdomains of your own domain:

windowsupdate.*
.microsoft.*
.microsoft

I will leave this topic for readers to study for themselves…

The ProxyPunch repository can be downloaded here.

Source
