CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Using the InterPlanetary File System For Offensive Operations

Introduction

In this blog post, I intend to provide some insight into using the InterPlanetary File System for offensive purposes. I’ll cover what it is, why we may want to use it, some quick history, and walk through a few examples.

What is the InterPlanetary File System?

According to the InterPlanetary File System’s GitHub account, IPFS is “A peer-to-peer hypermedia protocol designed to make the web faster, safer, and more open.” With IPFS, you can share files, host web applications, and much more over a decentralized peer-to-peer network. IPFS, at its core, is a distributed file-sharing system.

 

Why use it?

Another tool in the toolbox for starters. Every offensive engagement brings new challenges and some variations on what is required to meet the end-goals. Having more ways to host payloads, serve phishing pages, and even utilize a P2P botnet may tip the scales in your (offensive) favor in some instances. Hiding your identity or payload resilience is another bonus. Storing payloads on your server, Pastebin, GitHub, or other public sharing means brings the risk of identification or a takedown of content.

 

A bit of history

IPFS was launched as an alpha version in February 2015. In 2018, a phishing attempt was reported using Cloudflare’s IPFS gateway. Later, in 2019, a new IPFS P2P botnet was discovered, bringing a new vector to Command and Control.

 

Example 1: Hosting a payload

For this installation, I’m using a fresh install of Kali 2019.4. Start by downloading the latest IPFS from https://dist.ipfs.io/#go-ipfs

Extract the files (tar -zxvf go-ipfs_v0.4.22_linux-amd64.tar.gz) and run the install script as root.

 

1

 

Note that after install, I’m running as root but you probably should run IPFS as a non-root user. Create a directory for your files and create our “Get-Process” payload. This command could be replaced with any binary, PowerShell, or any other payload format.

 

2

 

Now, we initialize IPFS.

 

3

 

Finally, we start the IPFS daemon. If you want to work with the configuration file, it’s located at

~/.ipfs/config

The daemon will start syncing with the network. We’ll need to add our file to the network with the “ipfs add test.ps1” command.

 

5

 

The resulting Qm hash is the IPFS address of your file. IPFS is immutable, which means that once a file is hashed, it cannot be changed. If you change your file, you’ll need to re-add it, and you’ll receive a new hash.

 

6

 

There is also a graphical version the daemon starts at localhost:5001/webui if you’d rather use that.

 

7

 

The bad part about IPFS is that it may take several minutes for any file changes to be broadcast to the IPFS network. Until this happens, the relay won’t know where to find your file. If you paste your hash in the browser at https://ipfs.io/ipfs/<QMhash>, you should be able to browse to your payload once it’s been broadcast to the network. Another handy bit of knowledge is that Cloudflare also supports the IPFS network. You may also visit your payload at https://cloudflare-ipfs.com/ipfs/<QMhash>

 

This Is a GIF When Using the Posted Payload

 

Run_powershell

 Hosting a phishing payload

 

In this example, we’ll create and host a phishing payload over IPFS. Start by creating a simple index.html that serves a malicious HTA file.

 

8

 

Next, we’ll create our payload. This one executes calc and closes.

 

9

 

As we’ve done before, we’ll need to add these files to IPFS. In this example, we’ve placed our files in a "/web" directory that we created. Run the “ipfs add -r web” command to hash the files and place them on IPFS.

We’re going to go a step further and publish this site to IPNS. By publishing to IPNS, we set a static hash that can be re-used when we change files. If you modify your files after publishing, simply re-add and publish again. The same hash will be output and you can now browse to https://ipfs.io/ipns/<QMhash>. As you can see, all we had to do was replace "ipfs/" with "ipns/". For further reading on IPNS, check out https://docs.ipfs.io/guides/concepts/ipns/

 

10

 

After publishing and syncing, your site will be browseable on ipns.

 

11

 

There we have it! We’ve created and deployed a phishing page that can be served through IPFS.io, CloudFlare, or direct through your own gateway (left up to the reader).

 

Detection

Well, detection here seems straight-forward. Since these examples require browsing through a gateway, that’s your chokepoint for detection. If you don’t want IPFS traffic on your network, start by blocking ipfs.io and cloudflare-ipfs.com. For self-hosted gateways, you’ll have to rely on creating some rules to detect/block Qm hashes.

 

Conclusion 

In this blog post, I covered what IPFS is, a bit of history, why we may want to use it with some simple use-cases, and how to detect this attack vector. If you’re an offensive operator or defender, hopefully, this post has added another tool to your toolbox.

Latest SpiderLabs Blogs

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Read More

The Secret Cipher: Modern Data Loss Prevention Solutions

This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here. Far too many organizations place Data Loss Prevention (DLP) and Data...

Read More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

UPDATE: Palo Alto Networks confirmed on Tuesday (4/16) that disabling device telemetry is no longer considered an effective mitigation. On Wednesday (4/17), the company released new threat signatures...

Read More