In a previous blog post, I detailed a convention I developed in order to use Markov models in order obfuscate data. In this blog post, I will talk about a script, mtunnel, which acts as both ends of a SOCKS tunneling proxy where the transport between the two ends is obfuscated using MarkovObfuscation.
MarkovObfuscation in a tunneling SOCKS Proxy
After I saw folks appeared interested in the MarkovObfuscation blog post, I decided I needed a proof of concept that actually did something. So I started hacking away…
What I ended up with was a Python 2.7 script which created an obfuscated tunnel which could be used by anything that supported SOCKS4/SOCKS4a interfaces.
The script, mtunnel.py, can be found in the MarkovObfuscation Github repository. This script needs to be run in two locations, local to your local application, and on a remote server (where you are tunneling out to). When the local script is run, it provides an obfuscated tunnel to the remote server which provides a SOCKS4 and SOCKS4a interface in order to allow arbitrary TCP connections out to servers on the other end of the proxy.
On both our local computer and remote computer, we want to download 98.txt (A Tale of Two Cities) from Project Gutenburg into datasets/98.txt:
mkdir datasets wget http://www.gutenberg.org/files/98/98.txt -O datasets/98.txt
You can use a different book or dataset, just make sure to change the following lines to match your setup (I will make these command line arguments eventually):
On our local computer, we start up the local tunnel client to connect to our remote server at 126.96.36.199 by providing a SOCKS proxy interface on local port 9051:
bwall@localcomputer:~/markovobfuscate$ python mtunnel.py -r 188.8.131.52 -p 9051
Then we start up our remote server (no connection is made until the SOCKS proxy is attempted to be used):
bwall@remotecomputer:~/markovobfuscate$ python mtunnel.py -s
Then on the local computer, we run curl in order to grab some data…doesn’t really matter where, as long as the remote server can see it:
bwall@localcomputer:~/markovobfuscate$ curl --socks4a 127.0.0.1:9051 https://bwall.github.io/sitemap.xml <?xml version="1.0" encoding="utf-8" standalone="yes" ?> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"> <url> <loc>https://bwall.github.io/</loc> <lastmod>2015-11-21T15:41:07-07:00</lastmod> <priority>0</priority> </url> <url> <loc>https://bwall.github.io/markov-chains-keyed-obfuscation/</loc> <lastmod>2015-11-21T15:41:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/libemu-scapy-for-shellcode-on-the-network/</loc> <lastmod>2015-10-11T15:41:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/bamfdetect/</loc> <lastmod>2015-10-04T17:59:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/torque-exploit/</loc> <lastmod>2014-06-02T16:19:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/extract-hosts/</loc> <lastmod>2014-04-18T10:19:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/murdering-dexter/</loc> <lastmod>2014-03-16T10:19:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/herpes-net-3.0-sqli/</loc> <lastmod>2014-03-09T10:19:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/rsac-2014-botnet-vulnerabilities/</loc> <lastmod>2014-03-09T10:19:07-07:00</lastmod> </url> <url> <loc>https://bwall.github.io/multilocker-backdoor/</loc> <lastmod>2014-03-09T10:19:07-07:00</lastmod> </url> </urlset>
If we watch this communication in Wireshark, we can see this is the data that is sent over TCP data:
Pretty obvious to see that this is not an HTTPS connection. In its current state though, it doesn’t quite look like anything else. This could be converted to look like HTTP traffic, or some other protocol which may go relatively unnoticed.