Abusing Webhooks for Command and Control

BSidesLV 2017

Presented by: Dimitry Snezhkov
Date: Wednesday July 26, 2017
Time: 12:00 - 12:25
Location: Breaking Ground

You are on the inside of the perimeter. Maybe you want to exfiltrate data, download a tool, or execute commands on your command and control server (C2). The problem is that the first leg of connectivity to your C2 is denied. Your DNS and ICMP traffic is being monitored. Access to your cloud drives is restricted. You've implemented domain fronting for your C2 only to discover it is ranked low by the content proxy, which is only allowing access to a handful of business-related websites on the outside.

We have all been there, seeing frustrating proxy denies or triggering security alarms that make our presence known.

Having more choices when it comes to outbound network connectivity helps. In this talk we'll present a technique to establish such connectivity with the help of HTTP callbacks (webhooks). We will walk you through what webhooks are and how they are used by organizations. We will then discuss how you can use approved sites as brokers of your communication, perform data transfers, establish near-realtime asynchronous command execution, and even build command-and-control communication over them, bypassing strict defensive proxies and even avoiding attribution.

Finally, we’ll show the tool that will use the concept of a broker website to work with the external C2 using webhooks.

Dimitry Snezhkov

Sr. Security Consultant for X-Force Red at IBM, currently focusing on offensive security testing, code hacking and tool building.

