CN116016638A - Communication connection method and device based on C2 server - Google Patents


Info

Publication number
CN116016638A
Authority
CN
China
Prior art keywords
server
handshake request
communication connection
controlled host
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211702486.4A
Other languages
Chinese (zh)
Inventor
米竞
王栋
郭勇生
张黎元
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202211702486.4A; published as CN116016638A; legal status: pending.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a communication connection method and device based on a C2 server. The method comprises: receiving a TLS handshake request sent by a controlled host; forwarding the TLS handshake request to a disguised website and receiving the response information returned by the disguised website; identifying whether the TLS handshake request includes a C2 handshake request; and, when the TLS handshake request does not include a C2 handshake request, forwarding the response information to the controlled host. The method and device thereby prevent non-controlled hosts from actively probing and identifying the C2 server, while giving those hosts an imperceptible relay hop to the disguised website, so that the C2 server can carry out its work normally and effectively.

Description

Communication connection method and device based on C2 server
Technical Field
The application relates to the technical field of communication, in particular to a communication connection method and device based on a C2 server.
Background
A C2 (Command and Control) server typically sends control instructions to, and receives execution results from, a controlled-end program (running on a controlled host) over a network connection. Penetration testers therefore commonly use a C2 server to exercise comprehensive, unified control over multiple test targets and to stage further work.
In practice, however, the connection method of current C2 servers is relatively simple, which makes it easy for the many non-controlled hosts that scan for C2 servers to reach the C2 server, although such access is not permitted. How to defend the C2 server against scanning and probing by non-controlled hosts has therefore long been a problem that practitioners in the field want to solve.
Disclosure of Invention
An object of the embodiments of the present application is to provide a communication connection method and device based on a C2 server, which prevent non-controlled hosts from actively probing and identifying the C2 server while giving those hosts an imperceptible relay hop, so that the C2 server can carry out its work normally and effectively.
An embodiment of the present application provides a communication connection method based on a C2 server, including:
receiving a TLS handshake request sent by a controlled host;
forwarding the TLS handshake request to a disguised website and receiving response information fed back by the disguised website;
identifying whether the TLS handshake request comprises a C2 handshake request;
and when the TLS handshake request does not comprise the C2 handshake request, forwarding the response information to the controlled host.
In this implementation, the method first receives the TLS handshake request sent by the controlled host; the C2 server can observe TLS handshake requests in real time using man-in-the-middle techniques and use each such request to trigger this flow, so that requests from non-controlled hosts can be isolated by the same means. On detecting a TLS handshake request, the method forwards it to the disguised website and receives the response information returned by that website, which confirms that the disguised website is online and allows the TLS handshake to be relayed normally. The method then identifies whether the TLS handshake request includes a C2 handshake request. Because the C2 handshake request is hidden inside an ordinary-looking TLS handshake request, other hosts cannot easily perceive it; every TLS handshake request is answered with the disguised website's own response, so the relay hop is always imperceptible and the C2 server is not exposed. Specifically, when the TLS handshake request does not include a C2 handshake request, the method forwards the response information to the controlled host: it concludes that the host is not a genuine controlled host and, on that basis, returns the disguised website's result, so that the non-genuine host simply ends up accessing the disguised website. Connection to the C2 server is avoided, the C2 server is not exposed, connections from non-genuine controlled hosts are effectively isolated, and the C2 server continues to operate normally and effectively.
Further, the method further comprises:
when the TLS handshake request includes the C2 handshake request, a communication connection between the C2 server and the controlled host is established.
In this implementation, when the method determines that the TLS handshake request includes a C2 handshake request, it concludes that the host is a genuine controlled host and, on that basis, establishes a communication connection between the C2 server and the controlled host, over which the C2 server can control the host.
Further, when the TLS handshake request includes the C2 handshake request, the step of establishing a communication connection between the C2 server and the controlled host includes:
when the TLS handshake request includes the C2 handshake request, verifying whether the C2 handshake request is a connection establishment request between the controlled host and the C2 server based on a hash verification algorithm;
and when the C2 handshake request is a connection establishment request between the controlled host and the C2 server, establishing communication connection between the C2 server and the controlled host.
In this implementation, when the TLS handshake request is determined to include a C2 handshake request, the method first subjects that C2 handshake request to hash-based verification before establishing the communication connection between the C2 server and the controlled host. This confirms the identity of the controlled host, prevents the identity of another controlled host from being borrowed, and so ensures that non-genuine controlled hosts cannot reach the C2 server. Specifically, the method establishes the communication connection only when it has determined that the C2 handshake request is a connection establishment request actually sent by the controlled host to the C2 server; the verification thus authenticates the controlled host and ensures that the C2 server connects to the right peer.
Further, when the TLS handshake request includes the C2 handshake request, the step of establishing a communication connection between the C2 server and the controlled host includes:
when the TLS handshake request comprises the C2 handshake request, decrypting the C2 handshake request based on an encryption algorithm to obtain a decryption request;
and establishing communication connection between the C2 server and the controlled host based on the decryption request.
In this implementation, when the TLS handshake request is determined to include a C2 handshake request, the method first decrypts the C2 handshake request with the agreed cryptographic algorithm to obtain the decrypted request, and then establishes the communication connection between the C2 server and the controlled host on the basis of that decrypted request. The cryptographic algorithm thus further secures connection establishment between the C2 server and the controlled host, and because it can be chosen independently of the hash-based verification, it provides a second round of verification, ensuring that the C2 server connects only to genuine, valid controlled hosts.
Further, the method further comprises:
and carrying out encryption communication with the controlled host based on the communication connection.
In this implementation, the method carries out encrypted communication with the controlled host over the communication connection. After the communication connection between the C2 server and the controlled host is established, all further communication is encrypted, which secures the channel; at the same time the encryption keeps the disguise in place, so that the C2 server's control process stays hidden behind the relay, its concealment is maintained, and its normal operation is unaffected.
A second aspect of the embodiments of the present application provides a communication connection device based on a C2 server, comprising:
the receiving unit is used for receiving the TLS handshake request sent by the controlled host;
the forwarding unit is used for forwarding the TLS handshake request to a disguised website and receiving response information fed back by the disguised website;
an identifying unit, configured to identify whether the TLS handshake request includes a C2 handshake request;
and the sending unit is used for forwarding the response information to the controlled host when the TLS handshake request does not comprise the C2 handshake request.
In this implementation, the device receives the TLS handshake request sent by the controlled host through the receiving unit; forwards the TLS handshake request to the disguised website and receives the response information returned by the disguised website through the forwarding unit; identifies whether the TLS handshake request includes a C2 handshake request through the identifying unit; and, when the TLS handshake request does not include a C2 handshake request, forwards the response information to the controlled host through the sending unit. The device thereby prevents non-controlled hosts from actively probing and identifying the C2 server, while giving those hosts an imperceptible relay hop, so that the C2 server can carry out its work normally and effectively.
Further, the communication connection device based on the C2 server further comprises:
and the establishing unit is used for establishing communication connection between the C2 server and the controlled host when the TLS handshake request comprises the C2 handshake request.
Further, the establishing unit includes:
a verification subunit, configured to verify, based on a hash verification algorithm, whether the C2 handshake request is a connection establishment request between the controlled host and the C2 server when the TLS handshake request includes the C2 handshake request;
and the establishing subunit is used for establishing communication connection between the C2 server and the controlled host when the C2 handshake request is a connection establishment request between the controlled host and the C2 server.
Further, the establishing unit further includes:
a decryption subunit, configured to decrypt, based on an encryption algorithm, the C2 handshake request to obtain a decryption request when the TLS handshake request includes the C2 handshake request;
the establishing subunit is further configured to establish a communication connection between the C2 server and the controlled host based on the decryption request.
Further, the communication connection device based on the C2 server further comprises:
and the communication unit is used for carrying out encryption communication with the controlled host based on the communication connection.
A third aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is configured to store a computer program, and the processor is configured to execute the computer program to cause the electronic device to execute the C2 server-based communication connection method according to any one of the first aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer readable storage medium storing computer program instructions that, when read and executed by a processor, perform the C2 server-based communication connection method according to any one of the first aspects of the embodiments of the present application.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and are not to be taken as limiting its scope; a person skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a flow chart of a communication connection method based on a C2 server according to an embodiment of the present application;
fig. 2 is a flow chart of another communication connection method based on a C2 server according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a communication connection device based on a C2 server according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of another communication connection device based on a C2 server according to an embodiment of the present application;
fig. 5 is an exemplary schematic diagram of a communication connection method using a C2 server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a flow chart of a communication connection method based on a C2 server according to the present embodiment. The communication connection method based on the C2 server comprises the following steps:
S101, receiving a TLS handshake request sent by a controlled host.
In this embodiment, TLS is a widely used security protocol and HTTPS is HTTP carried over TLS, so most websites today support HTTPS. Establishing a TLS connection requires a TLS handshake, whose purpose is key exchange and authentication.
S102, forwarding the TLS handshake request to the disguised website and receiving response information fed back by the disguised website.
In this embodiment, the disguised website, for example a search-engine site served over HTTPS, is specified in the C2 server configuration.
S103, identifying whether the TLS handshake request includes a C2 handshake request; if so, the flow ends here (the C2 path is described in Example 2); if not, step S104 is performed.
S104, forwarding the response information to the controlled host.
In this embodiment the host is not a genuine controlled host, so, to keep the C2 server disguised, the method forwards the response information to it and the host ends up accessing the disguised website instead.
In this embodiment, when a non-controlled host accesses the C2 server over HTTPS, it is transparently relayed to the disguised legitimate website, which prevents active probing and identification of the C2 service.
In this embodiment, the method applies man-in-the-middle techniques. A man-in-the-middle sits on the communication path between two parties, intercepts their communication, records or modifies it, and forwards the communication data as usual, so that neither party perceives its presence.
In this embodiment, the method places a traffic-handling mechanism in front of the C2 server, built on the man-in-the-middle technique above, so that all traffic arriving from outside (including C2 traffic from the controlled end) is handled and dispatched by that mechanism. The mechanism behaves much like an ordinary HTTPS service but does not itself handle the TLS protocol; instead it acts as an unconditional relay that completes the HTTPS exchange between the client and the disguised website.
In this embodiment, the key technical points of the method are as follows:
(1) TLS relaying is used so that C2 traffic is always carried within legitimately established TLS sessions.
(2) The TLS relay disguises the C2 server as a legitimate website: any non-C2 traffic is relayed to the disguised legitimate website.
(3) Message authentication and encryption are used so that C2 traffic is identified reliably while the communication remains secure.
In this embodiment, the execution subject of the method may be a computing device such as a computer or a server, which is not limited in this embodiment.
In this embodiment, the execution subject of the method may also be an intelligent device such as a smartphone or a tablet computer, which is not limited in this embodiment.
Implementing the C2-server-based communication connection method described in this embodiment therefore disguises the C2 communication traffic as far as possible, so that it closely resembles legitimate HTTPS traffic, is harder to identify and block, and can pass most security devices such as firewalls. At the same time, the method prevents, as far as possible, active probing and identification of the C2 server by non-controlled hosts: once such probing is detected, the access request is relayed to the disguised website, which achieves the disguise of the C2 server.
Example 2
Referring to fig. 2, fig. 2 is a flow chart of a communication connection method based on a C2 server according to the present embodiment. The communication connection method based on the C2 server comprises the following steps:
S201, receiving a TLS handshake request sent by a controlled host.
In this embodiment, TLS is a widely used security protocol and HTTPS is HTTP carried over TLS, so most websites today support HTTPS. Establishing a TLS connection requires a TLS handshake, whose purpose is key exchange and authentication.
In this embodiment, the C2 server receives a valid TLS handshake request generated by the controlled host. It differs from a conventional TLS session in that the ClientHello message has a C2 handshake message embedded in it, protected with the message authentication or authenticated encryption techniques described below; the C2 handshake message tells the C2 server that the controlled host is online.
S202, forwarding the TLS handshake request to the disguised website and receiving response information fed back by the disguised website.
In this embodiment, the disguised website, for example a search-engine site served over HTTPS, is specified in the C2 server configuration.
In this embodiment, the method may resolve the domain name of the disguised website in advance and store its IP address for later use.
In this embodiment, the controlled host receives the TLS handshake response forwarded by the C2 server, which means a complete TLS handshake has taken place: the controlled host has now established a communication connection with some server, so this step guarantees that a connection is established.
S203, identifying whether the TLS handshake request comprises a C2 handshake request, if so, executing a step S204; if not, step S208 is performed.
In this embodiment, on receiving the TLS handshake request from the controlled host, the C2 server performs steps S202 and S203 in parallel. In practice the TLS handshake request is always answered normally, so that whichever host sent it can connect to the disguised website; in parallel, the method determines whether the sender is a genuine controlled host and, depending on the outcome, carries on with the corresponding communication behind the disguised website. To do so it verifies that the message came from a controlled host, decrypts the C2 handshake request, and confirms from it that the controlled host is online, which decides whether the corresponding C2 communication connection is to be established.
S204, verifying whether the C2 handshake request is a connection establishment request between the controlled host and the C2 server based on a hash verification algorithm, if so, executing steps S205-S207; if not, step S208 is performed.
In this embodiment, message authentication (for example, HMAC) is a cryptographic means of verifying the origin of a message; it can be implemented with digital signatures or with a pre-shared key combined with a hash algorithm. Correctly used, message authentication guarantees that the message came from the claimed source and was not tampered with.
In this embodiment, the verification based on a hash verification algorithm may be the message authentication described above.
S205, decrypting the C2 handshake request based on an encryption algorithm to obtain a decryption request.
In this embodiment, authenticated encryption (for example, an AEAD mode) is a cryptographic technique that encrypts the message content while also guaranteeing its integrity and origin. An authentication tag produced by the algorithm is sent together with the ciphertext; the receiver uses the tag and a pre-agreed key to verify and decrypt the message with the corresponding algorithm, which guarantees that the message came from the agreed sender and was not tampered with.
In this embodiment, the encryption in this method may use the authenticated encryption technique described above.
In this embodiment, the verification and the decryption in the steps above complement each other: the verification may be done before the decryption or as part of it. This embodiment does not restrict the order of the two, as illustrated below.
S206, based on the decryption request, establishing communication connection between the C2 server and the controlled host.
As an alternative embodiment, the method may be performed in the order S205, then S204, then S206. Specifically, the flow is as follows:
when the TLS handshake request comprises a C2 handshake request, decrypting the C2 handshake request based on an encryption algorithm to obtain a decryption request;
verifying whether the decryption request is a connection establishment request between the controlled host and the C2 server based on a hash verification algorithm;
and when the decryption request is a connection establishment request between the controlled host and the C2 server, establishing communication connection between the C2 server and the controlled host.
This implementation therefore supports both application modes, verify-then-decrypt and decrypt-then-verify, which gives the method flexibility. Note that in the verify-then-decrypt mode what is verified is the still-encrypted request, whereas in the decrypt-then-verify mode the decrypted request is verified. Of the two, verifying before decrypting is the order that standard AEAD constructions follow, since it ensures that no unauthenticated ciphertext is ever processed.
S207, the encrypted communication is carried out with the controlled host based on the communication connection, and the process is ended.
In this embodiment, the controlled host can then carry out C2 communication with the C2 server over the communication connection (also called the communication tunnel), and the content of that communication may be protected with the authenticated encryption technique.
S208, forwarding the response information to the controlled host.
In this embodiment the host is not a genuine controlled host, so, to keep the C2 server disguised, the method forwards the response information to it and the host ends up accessing the disguised website instead.
In this embodiment, when a non-controlled host accesses the C2 server over HTTPS, it is transparently relayed to the disguised legitimate website, which prevents active probing and identification of the C2 service.
In this embodiment, the method places a traffic-handling mechanism in front of the C2 server, built on the man-in-the-middle technique described in Example 1, so that all traffic arriving from outside (including C2 traffic from the controlled end) is handled and dispatched by that mechanism. The mechanism behaves much like an ordinary HTTPS service but does not itself handle the TLS protocol; instead it acts as an unconditional relay that completes the HTTPS exchange between the client and the disguised website.
Referring to fig. 5, fig. 5 shows a normal communication flow of 1→2→3, and also shows an abnormal communication flow of 1→2→4.
For example, a penetration tester controls a host using a C2 framework designed according to this method and, following the procedure above, sets https://www.baidu.com as the disguised website. The controlled host resolves the Baidu domain name and sends the corresponding TLS handshake request to the C2 server. The C2 server receives the request, forwards the TLS handshake to Baidu, and forwards Baidu's reply back to the controlled end, which completes the TLS handshake. At the same time it verifies and decrypts the C2 handshake request carried in the request, confirms that the host is online, and establishes a communication tunnel with it. C2 communication is now established, and from the outside the traffic looks like HTTPS communication with the Baidu search engine.
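The classification step that Examples 1 and 2 describe (S103 and S203/S204: does this ClientHello carry an authenticated C2 handshake, or is it ordinary traffic to relay to the disguised website?) is shown below in Python as an added example; it is not code from the patent or from Topsec. The patent does not say where in the ClientHello the C2 handshake message is embedded, so the example assumes the 32-byte legacy session_id field, which is opaque to the decoy and normally random anyway. It also substitutes a generic encrypt-then-MAC composition (an HMAC-SHA256 keystream plus a truncated HMAC-SHA256 tag, both bound to the client random) for the AEAD the text mentions, since the Python standard library has no AEAD; the keys, the beacon payload and the helper names are constructed for the example. The front end verifies the tag before decrypting (the S204 then S205 order), compares tags in constant time, and treats every hello that fails verification, including a scanner's hello with an empty or random session_id, as plain traffic to relay.

```python
import hashlib
import hmac
import os
import struct

# Pre-shared keys for the example (constructed; a real deployment would
# provision a distinct key pair per implant out of band).
K_MAC = hashlib.sha256(b"example-mac-key").digest()
K_ENC = hashlib.sha256(b"example-enc-key").digest()

PAYLOAD_LEN = 16  # beacon payload bytes
TAG_LEN = 16      # truncated HMAC-SHA256 tag; 16 + 16 = 32, the session_id maximum


def _keystream(client_random: bytes) -> bytes:
    # The per-connection client random doubles as the nonce, so nothing extra
    # has to be carried in the hello. TLS already requires it to be fresh;
    # reusing it would reuse this keystream.
    return hmac.new(K_ENC, client_random, hashlib.sha256).digest()[:PAYLOAD_LEN]


def seal_c2_handshake(client_random: bytes, payload: bytes) -> bytes:
    """Implant side: encrypt-then-MAC a 16-byte payload into a 32-byte session_id."""
    if len(client_random) != 32 or len(payload) != PAYLOAD_LEN:
        raise ValueError("client_random must be 32 bytes, payload 16 bytes")
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(client_random)))
    tag = hmac.new(K_MAC, client_random + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def open_c2_handshake(client_random: bytes, session_id: bytes):
    """Front-end side, verify-then-decrypt (S204 then S205). Returns the beacon
    payload, or None when the session_id is not an authenticated C2 handshake
    (wrong length, wrong key, tampered, or replayed under another random)."""
    if len(session_id) != PAYLOAD_LEN + TAG_LEN:
        return None
    ct, tag = session_id[:PAYLOAD_LEN], session_id[PAYLOAD_LEN:]
    expect = hmac.new(K_MAC, client_random + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):  # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(client_random)))


def build_client_hello(client_random: bytes, session_id: bytes, sni: str) -> bytes:
    """Minimal TLS record carrying a ClientHello with one cipher suite and an SNI extension."""
    host = sni.encode()
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Pull client_random, session_id and SNI out of a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    client_random = body[2:34]
    pos = 35 + body[34]
    session_id = body[35:pos]
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            if etype == 0 and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode()
            pos += 4 + elen
    return {"random": client_random, "session_id": session_id, "sni": sni}


def classify(record: bytes) -> tuple:
    """Step S203/S204 of the front end: ('c2', payload) for an authenticated
    implant hello, ('relay', None) for anything else. In both cases the raw
    record is forwarded unchanged to the disguised website; only the C2 path
    additionally opens the tunnel."""
    hello = parse_client_hello(record)
    payload = open_c2_handshake(hello["random"], hello["session_id"])
    return ("relay", None) if payload is None else ("c2", payload)


if __name__ == "__main__":
    rnd = os.urandom(32)
    implant = build_client_hello(rnd, seal_c2_handshake(rnd, b"beacon-0001:ONLN"), "www.example.com")
    scanner = build_client_hello(os.urandom(32), os.urandom(32), "www.example.com")
    print(classify(implant))   # ('c2', b'beacon-0001:ONLN')
    print(classify(scanner))   # ('relay', None)
```

Because the tag is bound to the client random, an observer who replays a captured session_id inside its own hello fails verification and is relayed like any other scanner. The disguised website receives the same ClientHello byte for byte; a ciphertext-plus-tag session_id is indistinguishable from a random one, a TLS 1.3 server merely echoes the field, and a TLS 1.2 server with no cached session simply runs a full handshake. From the defender's side, the observable that this construction cannot hide is the mismatch between the destination IP (the C2 host) and the SNI and certificate (the decoy's), the same check used against domain-fronting style setups.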
In this embodiment, the execution subject of the method may be a computing device such as a computer or a server, which is not limited in this embodiment.
In this embodiment, the execution subject of the method may also be an intelligent device such as a smartphone or a tablet computer, which is not limited in this embodiment.
Implementing the C2-server-based communication connection method described in this embodiment therefore disguises the C2 communication traffic as far as possible, so that it closely resembles legitimate HTTPS traffic, is harder to identify and block, and can pass most security devices such as firewalls. At the same time, the method prevents, as far as possible, active probing and identification of the C2 server by non-controlled hosts: once such probing is detected, the access request is relayed to the disguised website, which achieves the disguise of the C2 server.
Example 3
Referring to fig. 3, fig. 3 is a schematic structural diagram of a communication connection device based on a C2 server according to the present embodiment. As shown in fig. 3, the C2 server-based communication connection device includes:
a receiving unit 310, configured to receive a TLS handshake request sent by a controlled host;
a forwarding unit 320, configured to forward the TLS handshake request to the disguised website, and receive response information fed back by the disguised website;
an identifying unit 330, configured to identify whether the TLS handshake request includes a C2 handshake request;
a sending unit 340, configured to forward the response information to the controlled host when the TLS handshake request does not include the C2 handshake request.
In this embodiment, the explanation of the communication connection device based on the C2 server may refer to the description in embodiment 1 or embodiment 2, and the description is not repeated in this embodiment.
The C2-server-based communication connection device described in this embodiment therefore disguises the C2 communication traffic as far as possible, so that it closely resembles legitimate HTTPS traffic, is harder to identify and block, and can pass most security devices such as firewalls. At the same time, the device prevents, as far as possible, active probing and identification of the C2 server by non-controlled hosts: once such probing is detected, the access request is relayed imperceptibly to the disguised website, which achieves the disguise of the C2 server.
Example 4
Referring to fig. 4, fig. 4 is a schematic structural diagram of a communication connection device based on a C2 server according to the present embodiment. As shown in fig. 4, the C2 server-based communication connection device includes:
a receiving unit 310, configured to receive a TLS handshake request sent by a controlled host;
a forwarding unit 320, configured to forward the TLS handshake request to the disguised website, and receive response information fed back by the disguised website;
an identifying unit 330, configured to identify whether the TLS handshake request includes a C2 handshake request;
a sending unit 340, configured to forward the response information to the controlled host when the TLS handshake request does not include the C2 handshake request.
As an alternative embodiment, the communication connection device based on a C2 server further includes:
an establishing unit 350, configured to establish a communication connection between the C2 server and the controlled host when the TLS handshake request includes a C2 handshake request.
As an alternative embodiment, the establishing unit 350 includes:
a verification subunit 351, configured to verify, when the TLS handshake request includes a C2 handshake request, whether the C2 handshake request is a connection establishment request between the controlled host and the C2 server based on a hash verification algorithm;
and an establishing subunit 352, configured to establish a communication connection between the C2 server and the controlled host when the C2 handshake request is a connection establishment request between the controlled host and the C2 server.
As an alternative embodiment, the establishing unit 350 further comprises:
a decryption subunit 353, configured to decrypt, when the TLS handshake request includes the C2 handshake request, the C2 handshake request based on an encryption algorithm, to obtain a decryption request;
the establishing subunit 352 is further configured to establish a communication connection between the C2 server and the controlled host based on the decryption request.
As an alternative embodiment, the communication connection device based on a C2 server further includes:
and a communication unit 360, configured to perform encrypted communication with the controlled host based on the communication connection.
In this embodiment, for an explanation of the communication connection device based on the C2 server, refer to the description in embodiment 1 or embodiment 2; it is not repeated here.
Therefore, the communication connection device based on the C2 server described in this embodiment disguises the C2 communication traffic as far as possible, so that it is nearly indistinguishable from legitimate HTTPS traffic; this raises the difficulty of identifying and blocking it, and most security protection devices such as firewalls can be bypassed. On the other hand, the device also avoids, as far as possible, active probing and identification of the C2 server by hosts that are not controlled: when such probing is detected, the corresponding access request is relayed to the disguised website without the requester perceiving it, so that the C2 server is effectively disguised.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is configured to store a computer program, and the processor is configured to execute the computer program to cause the electronic device to execute a communication connection method based on a C2 server in embodiment 1 or embodiment 2 of the present application.
The present embodiment provides a computer readable storage medium storing computer program instructions that, when read and executed by a processor, perform the C2 server-based communication connection method of embodiment 1 or embodiment 2 of the present application.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing describes merely exemplary embodiments of the present application and is not intended to limit its scope; various modifications and variations will suggest themselves to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in its protection scope. It should be noted that like reference numerals and letters denote like items in the following figures, so that once an item is defined in one figure, no further definition or explanation of it is necessary in the following figures.
The foregoing describes merely specific embodiments of the present application, but the scope of the present application is not limited to them: any person skilled in the art can readily conceive of changes or substitutions within the technical scope of the present application, and such changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for communication connection based on a C2 server, the method comprising:
receiving a TLS handshake request sent by a controlled host;
forwarding the TLS handshake request to a disguised website, and receiving response information fed back by the disguised website;
identifying whether the TLS handshake request comprises a C2 handshake request;
and when the TLS handshake request does not comprise the C2 handshake request, forwarding the response information to the controlled host.
2. The C2 server-based communication connection method according to claim 1, wherein the method further comprises:
when the TLS handshake request includes the C2 handshake request, a communication connection between the C2 server and the controlled host is established.
3. The C2 server-based communication connection method according to claim 2, wherein the step of establishing a communication connection between the C2 server and the controlled host when the TLS handshake request includes the C2 handshake request comprises:
when the TLS handshake request includes the C2 handshake request, verifying whether the C2 handshake request is a connection establishment request between the controlled host and the C2 server based on a hash verification algorithm;
and when the C2 handshake request is a connection establishment request between the controlled host and the C2 server, establishing communication connection between the C2 server and the controlled host.
4. The C2 server-based communication connection method according to claim 2, wherein the step of establishing a communication connection between the C2 server and the controlled host when the TLS handshake request includes the C2 handshake request comprises:
when the TLS handshake request comprises the C2 handshake request, decrypting the C2 handshake request based on an encryption algorithm to obtain a decryption request;
and establishing a communication connection between the C2 server and the controlled host based on the decryption request.
5. The C2 server-based communication connection method according to claim 2, further comprising:
and carrying out encryption communication with the controlled host based on the communication connection.
6. A C2 server-based communication connection device, wherein the C2 server-based communication connection device comprises:
the receiving unit is used for receiving the TLS handshake request sent by the controlled host;
the forwarding unit is used for forwarding the TLS handshake request to a disguised website and receiving response information fed back by the disguised website;
an identifying unit, configured to identify whether the TLS handshake request includes a C2 handshake request;
and the sending unit is used for forwarding the response information to the controlled host when the TLS handshake request does not comprise the C2 handshake request.
7. The C2 server-based communication connection device of claim 6, further comprising:
and the establishing unit is used for establishing communication connection between the C2 server and the controlled host when the TLS handshake request comprises the C2 handshake request.
8. The C2 server-based communication connection device according to claim 7, wherein the establishing unit includes:
a verification subunit, configured to verify, based on a hash verification algorithm, whether the C2 handshake request is a connection establishment request between the controlled host and the C2 server when the TLS handshake request includes the C2 handshake request;
and the establishing subunit is used for establishing communication connection between the C2 server and the controlled host when the C2 handshake request is a connection establishment request between the controlled host and the C2 server.
9. An electronic device comprising a memory for storing a computer program and a processor that runs the computer program to cause the electronic device to perform the C2 server-based communication connection method of any one of claims 1 to 5.
10. A readable storage medium, wherein computer program instructions are stored in the readable storage medium which, when read and executed by a processor, perform the C2 server-based communication connection method of any one of claims 1 to 5.
Priority Application

Application Number: CN202211702486.4A; Priority Date: 2022-12-28; Filing Date: 2022-12-28; Title: Communication connection method and device based on C2 server; Status: Pending

Publication

Publication Number: CN116016638A (en); Publication Date: 2023-04-25

Family

ID=86026275; Country: CN (1), CN116016638A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20230425)