@botnet_hunter's blog
MarkovObfuscation in a tunneling SOCKS Proxy

In a previous blog post, I detailed a convention I developed for using Markov models to obfuscate data. In this post, I will talk about mtunnel, a script which acts as both ends of a SOCKS tunneling proxy, where the transport between the two ends is obfuscated using MarkovObfuscation.


After I saw that folks appeared interested in the MarkovObfuscation blog post, I decided I needed a proof of concept that actually did something. So I started hacking away…


What I ended up with was a Python 2.7 script that creates an obfuscated tunnel usable by anything that speaks SOCKS4 or SOCKS4a.

The script, mtunnel.py, can be found in the MarkovObfuscation Github repository. It needs to be run in two places: on the machine running your local application, and on the remote server you are tunneling out to. The local instance exposes a SOCKS4 and SOCKS4a interface; every connection accepted there is forwarded over the obfuscated transport to the remote instance, which makes the actual TCP connection to the requested destination. The application therefore sees an ordinary SOCKS proxy, while the wire between the two ends carries only MarkovObfuscation output.
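The local end has to speak SOCKS4/SOCKS4a to the application before any tunneling happens. The following is an added example for this post (Python 3, not code from mtunnel.py): it parses the CONNECT request a client such as `curl --socks4a` sends and builds the reply the proxy must answer with. The request bytes are constructed, not captured, and target bwall.github.io:443 as in the curl command later in the post; the hypothetical `SocksError` class and function names are mine.

```python
"""Added example (Python 3, not code from mtunnel.py): parse the SOCKS4 / SOCKS4a
CONNECT request the local tunnel end receives from a client such as
`curl --socks4a`, and build the reply it must send back.

Wire format (big-endian):
  request  VN=0x04 | CD=0x01 (CONNECT) | DSTPORT(2) | DSTIP(4) | USERID... | 0x00
  SOCKS4a  DSTIP is 0.0.0.x with x != 0, and a NUL-terminated hostname follows USERID
  reply    VN=0x00 | CD=0x5A granted / 0x5B rejected | DSTPORT(2) | DSTIP(4)
"""
import socket
import struct

SOCKS4_VERSION = 0x04
CMD_CONNECT = 0x01
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


class SocksError(ValueError):
    """Malformed or unsupported SOCKS4 request (hypothetical name for this example)."""


def parse_socks4_request(data):
    """Parse one SOCKS4/SOCKS4a CONNECT request from the start of `data`.

    Returns (host, port, userid, bytes_consumed): host is a dotted quad for
    SOCKS4 or the client-supplied hostname for SOCKS4a.  Returns None when the
    buffer does not yet hold a complete request (read more and retry) and
    raises SocksError for anything the proxy should reject.
    """
    if len(data) < 8:
        return None
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION:
        raise SocksError("not a SOCKS4 request (VN=%d)" % vn)
    if cd != CMD_CONNECT:
        raise SocksError("unsupported command %d; only CONNECT is tunneled" % cd)
    end = data.find(b"\x00", 8)  # USERID is NUL-terminated
    if end < 0:
        return None
    userid = data[8:end]
    consumed = end + 1
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        # SOCKS4a: the client left name resolution to the proxy.  For a tunnel
        # that is what we want, since the remote end resolves the name.
        hend = data.find(b"\x00", consumed)
        if hend < 0:
            return None
        try:
            host = data[consumed:hend].decode("ascii")
        except UnicodeDecodeError:
            raise SocksError("non-ASCII hostname")
        if not host:
            raise SocksError("empty SOCKS4a hostname")
        consumed = hend + 1
    else:
        host = socket.inet_ntoa(raw_ip)
    if port == 0:
        raise SocksError("destination port 0")
    return host, port, userid, consumed


def build_socks4_reply(granted, port=0, ip="0.0.0.0"):
    """Reply frame; DSTPORT/DSTIP are conventionally echoed back to the client."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0x00, code, port, socket.inet_aton(ip))


# Constructed sample frames (not captured traffic).
# What `curl --socks4a 127.0.0.1:9051 https://bwall.github.io/...` sends: empty userid.
SOCKS4A_REQUEST = (b"\x04\x01" + struct.pack("!H", 443) + b"\x00\x00\x00\x01"
                   + b"\x00" + b"bwall.github.io\x00")
# A plain SOCKS4 CONNECT to 127.0.0.1:80 with userid "bwall".
SOCKS4_REQUEST = b"\x04\x01" + struct.pack("!H", 80) + b"\x7f\x00\x00\x01" + b"bwall\x00"

if __name__ == "__main__":
    for frame in (SOCKS4A_REQUEST, SOCKS4_REQUEST):
        host, port, userid, n = parse_socks4_request(frame)
        print("CONNECT %s:%d userid=%r (%d bytes)" % (host, port, userid, n))
        print(build_socks4_reply(True, port).hex())
```

The `None` return matters in practice: the request arrives over a stream, so the first `recv()` may deliver only part of it, and a proxy that treats a short read as an error will randomly reject clients.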

MarkovObfuscation mtunnel diagram

Example Usage

On both our local computer and the remote computer, we download 98.txt (A Tale of Two Cities) from Project Gutenberg into datasets/98.txt. The same text has to be present on both ends, since the Markov model each side builds from it is what the two ends share:

mkdir datasets
wget http://www.gutenberg.org/files/98/98.txt -O datasets/98.txt

You can use a different book or dataset; just make sure to change the following lines on both ends to match your setup (I will make these command line arguments eventually):

https://github.com/bwall/markovobfuscate/blob/master/mtunnel.py#L248-L252

On our local computer, we start the tunnel client, pointing it at our remote server at 178.62.84.249 and exposing a SOCKS proxy interface on local port 9051:

bwall@localcomputer:~/markovobfuscate$ python mtunnel.py -r 178.62.84.249 -p 9051

Then we start up our remote server (the client does not connect to it until something actually uses the SOCKS proxy):

bwall@remotecomputer:~/markovobfuscate$ python mtunnel.py -s

Then on the local computer, we run curl through the proxy to grab some data. Where from doesn't really matter, as long as the remote server can reach it:

bwall@localcomputer:~/markovobfuscate$ curl --socks4a 127.0.0.1:9051 https://bwall.github.io/sitemap.xml
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">

  <url>
    <loc>https://bwall.github.io/</loc>
    <lastmod>2015-11-21T15:41:07-07:00</lastmod>
    <priority>0</priority>
  </url>

  <url>
    <loc>https://bwall.github.io/markov-chains-keyed-obfuscation/</loc>
    <lastmod>2015-11-21T15:41:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/libemu-scapy-for-shellcode-on-the-network/</loc>
    <lastmod>2015-10-11T15:41:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/bamfdetect/</loc>
    <lastmod>2015-10-04T17:59:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/torque-exploit/</loc>
    <lastmod>2014-06-02T16:19:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/extract-hosts/</loc>
    <lastmod>2014-04-18T10:19:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/murdering-dexter/</loc>
    <lastmod>2014-03-16T10:19:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/herpes-net-3.0-sqli/</loc>
    <lastmod>2014-03-09T10:19:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/rsac-2014-botnet-vulnerabilities/</loc>
    <lastmod>2014-03-09T10:19:07-07:00</lastmod>
  </url>

  <url>
    <loc>https://bwall.github.io/multilocker-backdoor/</loc>
    <lastmod>2014-03-09T10:19:07-07:00</lastmod>
  </url>

</urlset>

If we watch this communication in Wireshark, we can see the data that is actually sent over TCP between the two ends:

MarkovObfuscation mtunnel PCAP data

It is pretty obvious that this is not an HTTPS connection: the TLS session to bwall.github.io is wrapped inside the tunnel, but what crosses the wire between the two mtunnel ends is a stream of English-looking words with none of the record structure of TLS. In its current state it doesn't quite look like any other protocol either, which is itself something a defender can alert on. The transport could be reshaped to look like HTTP or some other protocol that would go relatively unnoticed. Keep in mind that this is obfuscation, not encryption: the model built from the training text is the shared secret, so anyone who obtains the same text can rebuild the model and decode the stream.
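Two points from the setup steps above and from the packet capture are worth seeing in code: why both ends must build their model from the same 98.txt, and why the bytes on the wire read like prose rather than like TLS. The block below is an added example written for this post; it is not the convention from the earlier MarkovObfuscation post and not code from mtunnel.py. Its bit-packing scheme, the function names and the short constructed corpus (a few lines of the same book, standing in for datasets/98.txt) are simplifications of mine.

```python
"""Added example (Python 3), not the MarkovObfuscation convention itself and not
code from mtunnel.py: a deliberately simplified word-level Markov obfuscator.
It shows why both tunnel ends must build their model from identical text, and
why the wire bytes read like prose instead of like TLS.

Scheme (my simplification): from each word, the sorted list of distinct
successor words is the alphabet.  With n >= 2 successors, floor(log2 n) payload
bits select the next word.  A word with fewer than two successors carries no
bits and jumps back to the start word, which guarantees progress.  The payload
is prefixed with its 4-byte length so the decoder knows where padding begins.
"""
from collections import defaultdict


def build_model(corpus):
    """Return (start_word, {word: sorted successor words}).  Fully deterministic,
    so two machines holding byte-identical text build identical models."""
    words = corpus.split()
    succ = defaultdict(set)
    for cur, nxt in zip(words, words[1:]):
        succ[cur].add(nxt)
    model = {w: sorted(s) for w, s in succ.items()}
    # Start from the most-branching word so every restart consumes bits.
    start = max(model, key=lambda w: len(model[w]))
    if len(model[start]) < 2:
        raise ValueError("corpus too repetitive to carry data")
    return start, model


def encode(model_tuple, data):
    """Obfuscate bytes into a space-separated string of corpus words."""
    start, model = model_tuple
    payload = len(data).to_bytes(4, "big") + data
    bits = "".join(format(b, "08b") for b in payload)
    pos, state, out = 0, start, [start]
    while pos < len(bits):
        choices = model.get(state, [])
        if len(choices) < 2:
            nxt = start  # forced restart, carries no information
        else:
            k = len(choices).bit_length() - 1  # floor(log2(n)) bits this step
            chunk = bits[pos:pos + k].ljust(k, "0")  # zero-pad the final chunk
            nxt = choices[int(chunk, 2)]
            pos += k
        out.append(nxt)
        state = nxt
    return " ".join(out)


def decode(model_tuple, text):
    """Inverse of encode().  Raises ValueError if `text` was not produced with an
    identical model: the corpus is effectively the shared secret."""
    start, model = model_tuple
    words = text.split()
    if not words or words[0] != start:
        raise ValueError("stream does not begin with the model's start word")
    bits, state = [], start
    for word in words[1:]:
        choices = model.get(state, [])
        if len(choices) >= 2:
            k = len(choices).bit_length() - 1
            if word not in choices or choices.index(word) >= (1 << k):
                raise ValueError("%r is not a valid transition from %r" % (word, state))
            bits.append(format(choices.index(word), "0%db" % k))
        elif word != start:
            raise ValueError("expected restart word after %r" % state)
        state = word
    bitstr = "".join(bits)
    raw = bytes(int(bitstr[i:i + 8], 2)
                for i in range(0, len(bitstr) - len(bitstr) % 8, 8))
    if len(raw) < 4:
        raise ValueError("stream too short")
    n = int.from_bytes(raw[:4], "big")
    if len(raw) < 4 + n:
        raise ValueError("stream truncated")
    return raw[4:4 + n]


# Constructed corpus standing in for datasets/98.txt (opening lines of the book).
CORPUS = ("it was the best of times it was the worst of times it was the age of "
          "wisdom it was the age of foolishness it was the epoch of belief it was "
          "the epoch of incredulity it was the season of light it was the season "
          "of darkness")

if __name__ == "__main__":
    model = build_model(CORPUS)
    wire = encode(model, b"GET / HTTP/1.1\r\n")
    print(wire)  # every token is a corpus word, so it reads like prose
    print(decode(model, wire))
```

With a real corpus the branching per word is far larger than in this toy, so each word carries more bits and the output is less repetitive; the shared-secret property is the same, which is why the setup steps copy the identical file to both machines.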

Enjoy :)
