Code Fighters

How to use Firefox as a tunnel to bypass any firewall

Stealth is a crucial element of a Red Team's work, along with an aggressive mindset and a true cracker's point of view. When the red team wins, it helps the Blue Team build a better defense in the future. This content on using Firefox as a tunnel to bypass any firewall is meant for good purposes, don't worry.

This blog post covers a different attack approach to get remote control of a machine and bypass the firewall. We have a lot of weapons for that, such as the Veil framework and msfvenom, but sometimes following a different path brings good results.

The objective of the attack is to use Firefox to carry all communication between client and server using hooks. This is not impossible, yet DLL injection can be tedious to implement and even harder to make portable. Did you know that the x32 and x64 architectures need different development approaches? (Later I discovered that the EasyHook API can solve that.)

I was studying the Firefox internals, reading about the use of SQLite to work with cookies, and that gave me a different focus.

Look at the following image:

To create a program like Firefox tunnel, follow these steps to get started:

  1. The program launches the Firefox browser in hidden mode with a URL that points to the evil server, and the evil server replies with a cookie that contains a command.
  2. The tunnel reads the evil server's cookie from cookies.sqlite and uses it to call a command shell.
  3. The output of the command shell is written into an HTML file with JavaScript that auto-submits the result.
  4. The program then opens that HTML file in hidden mode, which sends the CMD result to the evil server.

Take a look:

In order to see this in action I have created a repository with everything you need and even a PoC.

Accessing the repository

Future insights:

  • Add persistence, using RegOpenKeyEx() to open the path “Software\Microsoft\Windows\CurrentVersion\Run” and RegSetValueEx() to write a value that launches a program automatically at system startup.
  • Use images for I/O, using steganography.
  • Run the process in hidden mode.
  • Turn the tunnel into an unkillable process.

Possible mitigations:

  • Global hooking of the OpenFile() and CreateFile() functions, filtering on the argument “cookies.sqlite” and blocking the call when the calling program's path is not that of firefox.exe.
  • A file watch API to monitor the cookie database.
  • A program that periodically opens the cookie database and searches for evil domains or hosts with a SELECT query, which can use a blacklist, and uses a DELETE query to remove the evil cookie.
  • Consult us for more ideas.
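
The third mitigation, sketched as an added example (not code from the original post or its repository): a sweep that SELECTs cookies from the database, matches hosts against a blacklist by exact domain or subdomain, and DELETEs the hits. It assumes Firefox's `moz_cookies` table with `id`, `host` and `name` columns; the blacklist entry and the sample rows are constructed, and the sample schema is reduced.

```python
import sqlite3

# Assumed blacklist; "evil.example" is a constructed placeholder domain.
BLOCKLIST = {"evil.example"}

def host_matches(host, blocklist):
    """True if a cookie host is a blacklisted domain or one of its subdomains."""
    h = host.lstrip(".").lower()  # cookie hosts may carry a leading dot
    return any(h == d or h.endswith("." + d) for d in blocklist)

def sweep_cookies(conn, blocklist, delete=False):
    """Return (id, host, name) for cookies set by blacklisted hosts.

    With delete=True the matching rows are also removed from the database.
    """
    rows = conn.execute("SELECT id, host, name FROM moz_cookies").fetchall()
    hits = [r for r in rows if host_matches(r[1], blocklist)]
    if delete and hits:
        conn.executemany("DELETE FROM moz_cookies WHERE id = ?",
                         [(r[0],) for r in hits])
        conn.commit()
    return hits

def build_sample_db():
    """Constructed stand-in for cookies.sqlite (reduced moz_cookies schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, "
                 "name TEXT, value TEXT, host TEXT, path TEXT)")
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path) VALUES (?, ?, ?, ?)",
        [
            ("session", "abc123", ".example.org", "/"),
            ("cmd", "constructed-value", "c2.evil.example", "/"),
            ("pref", "dark", "notevil.example.net", "/"),  # must not match
            ("id", "42", ".evil.example", "/"),
        ],
    )
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for cookie_id, host, name in sweep_cookies(db, BLOCKLIST, delete=True):
        print(f"removed cookie {name!r} (id {cookie_id}) set by {host}")
```

Matching on the domain suffix rather than a substring keeps look-alike hosts such as `notevil.example.net` from being deleted. Logging each hit before deletion also gives the Blue Team a record that a cookie from a blacklisted host reached the profile.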

Thank you, Nash Leon, for introducing me to the headless trick.
