Ice Scorpion (Behinder) v4.0


1. Ice Scorpion 4.0☕️

Ice Scorpion is a new type of Webshell client developed in Java that dynamically encrypts its communication traffic. Because the traffic is encrypted, traditional WAF and IDS devices have difficulty detecting it, which poses a major challenge for threat hunting. The biggest feature of Ice Scorpion is the symmetric encryption of interactive traffic, with the encryption key generated dynamically by a random number function, so the traffic of this client is almost impossible to detect.

Compared with version 3.0, Ice Scorpion v4.0 has updated a lot of content, including opening up the transmission protocol to user customization.

Download link: https://github.com/rebeyond/Behinder/releases

2. Traffic characteristic problem☕️

At the traffic layer, the AES feature of Ice Scorpion has always been the focus of vendors' detection and blocking. At the host layer, the AES-related API is also a strong feature. Since it is a feature, there must be an unchanging constant, so the idea is to generalize this feature and turn it into a variable. To solve this problem once and for all, v4.0 provides custom transmission protocol functions that allow users to customize the encryption and decryption of traffic, decentralizing the traffic encryption and decryption protocol. v4.0 no longer has the concept of a connection password: the algorithm of your custom transmission protocol is the connection password.

3. Workflow☕️

The flow chart of Ice Scorpion payload circulation (image not reproduced) shows the following steps:

1. Locally encrypt the Payload, and then send it to the remote server through a POST request;
2. After receiving the Payload ciphertext, the server uses the decryption algorithm to decrypt it;
3. The server executes the decrypted Payload and obtains the execution result;
4. The server encrypts the Payload execution result and returns it to the local client;
5. After the client receives the response ciphertext, it decrypts it using a decryption algorithm to obtain the plaintext of the response content.

It can be seen from the above process that a complete transmission protocol consists of two parts: the local protocol and the remote protocol. Since the client is developed in Java, the encryption and decryption algorithms of the local protocol must be implemented in Java. The remote protocol may be Java, PHP, C# or ASP depending on the language of the server. Whichever language is used, for a transmission protocol of the same name the local and remote encryption and decryption logic must be consistent, so that what is encrypted locally can be decrypted remotely and what is encrypted remotely can be decrypted locally. (So if you modify the key of the default AES protocol, you must modify the local and remote encryption functions, and the key inside them, at the same time.)

A transmission protocol must contain one pair of local encryption and decryption functions and at least one pair of remote encryption and decryption functions (in one or more of Java, PHP, C#, ASP).

The following are the local encryption/decryption functions and the remote encryption/decryption functions of the transport protocol (image not reproduced):

The encryption and decryption functions of the transport protocol are named Encrypt and Decrypt respectively. Both take a single input parameter whose type is a binary byte stream. In the body of the encryption function, any transformation can be applied to the byte stream, such as AES, RSA, various kinds of encapsulation or splicing, or a custom algorithm, and the encrypted result is returned. The decryption function applies the inverse of the encryption function to its result and returns the decrypted bytes.

4. Demonstration process☕️

Notice that Ice Scorpion v4.0 does not ship with server code: because the encryption and decryption functions are not fixed, the server side is also generated dynamically.

Run Ice Scorpion in the command line environment

java -jar Behinder.jar


The GUI interface opens.

To generate a Trojan horse, click the transmission protocol in the upper left corner, select the default_aes protocol, and click Generate Server; this creates a server-side file and generates the Trojan horse file at the same time.

To make it easy to verify that encryption and decryption are consistent, Ice Scorpion provides an instant encryption/decryption verification function: after entering the encryption and decryption functions, they can be verified directly at the bottom of the window.

The Trojan horse is generated from the server-side file.


Upload the generated PHP Trojan file to a website running PHP, then on the tool page right-click to add a new shell, fill in the URL of the uploaded Trojan file, the script type, and the protocol of the generated script, and save it.

If the connection succeeds, the status shows connected.

The new functions here are fairly good, such as Parallel Space (平行空间), and there are also some extended functions.


5. Traffic detection☕️

1. Accept field
Traffic characteristics:

Accept: application/json, text/javascript, */*; q=0.01

Detection idea:
 Browsers can accept any content type, but this exact header value, which prefers application/json and text/javascript, is characteristic.

2. Content-Type
Traffic characteristics:

Content-type: Application/x-www-form-urlencoded

Detection idea:
 This field can be used as a weak feature to support the other features during detection.

3. User-agent field
Traffic characteristics:

Ice Scorpion has ten built-in User-Agent strings, and each time it connects to the shell it randomly selects one of them.

Detection idea:
 Placing the fast_pattern keyword after a shorter, simpler content field gives that content priority in matching, so that too much time is not wasted on matching the User-Agent.

A Snort rule can be written with content: "User-Agent"; content: "browser version" to match the corresponding ten browsers.

4. Port
Traffic characteristics:

 While Ice Scorpion establishes a connection with the webshell, javaw also establishes a TCP connection with the destination host. Each connection uses a local port of about 49700 (a relatively high port), and each new connection takes the next port in turn.

Detection idea:
 Alerts can be raised on connections whose source port falls within this range.

5. Fixed code in the PHP webshell
Traffic characteristics:

$post=Decrypt(file_get_contents("php://input"));
eval($post);

Detection idea:
 Include eval($post) in the content field as a traffic feature.

6. Long connection
Traffic characteristics:

Ice Scorpion communication uses a long connection by default, which avoids the resource overhead of frequent handshakes. By default, the Connection header is included in both the request and the response:

Connection: Keep-Alive

Detection idea:
 This can be used as an auxiliary traffic feature.

7. Connection password
Traffic characteristics:

By default, all Ice Scorpion 4.0 webshells use the key string e45e329feb5d925b. The key is the first 16 characters of the 32-character MD5 hex digest of the connection password, and the default connection password is rebeyond.

8. Webshell features
JSP webshell code characteristics (image not reproduced)

PHP webshell code characteristics (image not reproduced)

9. Request and response
Traffic characteristics (image not reproduced)
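The header, body and connection-password features listed above, combined into one request scorer. This is an added example for defenders, not code from the original post or from the Behinder project; the sample requests are constructed, and the assumption that the encrypted body travels as one opaque base64 blob (rather than key=value form data) is the author's, not the page's.

```python
import hashlib
import re
from collections import defaultdict

BEHINDER_ACCEPT = "application/json, text/javascript, */*; q=0.01"
B64_BODY = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def behinder_default_key(password="rebeyond"):
    # Default key: first 16 hex chars of the 32-char MD5 of the connection password
    return hashlib.md5(password.encode()).hexdigest()[:16]

def parse_request(raw):
    # Split a raw HTTP request into (method, lower-cased header dict, body)
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[0], headers, body.strip()

def score_request(raw):
    # Weighted score from the header and body features listed in this section
    method, h, body = parse_request(raw)
    score = 0
    if method == "POST" and h.get("accept") == BEHINDER_ACCEPT:
        score += 3  # strongest header feature: the exact Accept string
    if h.get("content-type", "").lower() == "application/x-www-form-urlencoded":
        score += 1  # weak feature, only supports the others
    if h.get("connection", "").lower() == "keep-alive":
        score += 1  # auxiliary feature (long connection)
    # Assumption: the encrypted payload travels as one opaque base64 blob, so the
    # body is not key=value form data even though Content-Type claims it is
    if B64_BODY.fullmatch(body):
        score += 2
    return score

def user_agent_churn(requests):
    # Distinct User-Agents per source IP: the client re-picks a UA on every connection
    seen = defaultdict(set)
    for src_ip, raw in requests:
        seen[src_ip].add(parse_request(raw)[1].get("user-agent", ""))
    return {ip: len(uas) for ip, uas in seen.items()}

# Constructed sample traffic (not real captures)
SUSPECT = ("POST /upload/shell.php HTTP/1.1\r\nHost: example.test\r\nAccept: " + BEHINDER_ACCEPT +
           "\r\nUser-Agent: UA-1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
           "Connection: Keep-Alive\r\n\r\ndGhpcyBpcyBhIGNvbnN0cnVjdGVkIGNpcGhlcnRleHQ=")
BENIGN = ("POST /login HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\nUser-Agent: UA-1\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=secret")
```

A score of 6 or more on a single request, or more than one User-Agent from the same source IP against the same script, is worth a closer look; the weak and auxiliary features alone should not page anyone.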


Origin: blog.csdn.net/m0_55793759/article/details/127250968