[Idea Board] Paranoid Mode: SSL Stripping

[HuskyHacks]

LONG TERM PROJECT

Our good friend, president of the Enthusiastic Mollusk Afficianado club himself, @Alh4zr3d, recommended we look into how to mitigate the possibility of SSL proxy/stripping in an environment. This risk is mentioned in passing in the OPSEC section of the Wiki, but not addressed directly.

Some thoughts:

• Though I anticipate that stripping the SSL on the agent's comms will reveal the clear text JSON beneath it, I don't know if that's really the case! We should set up an experiment to do so.
• One approach for this would be that enabling "Paranoid Mode" on the agent would follow all command outputs with one round of AES encryption using a pre-determined key. Then, perhaps the encrypted body is base64 encoded and THEN egresses the network and is posted to the API as one big ol block of B64 characters.
• Then (as a limited POC), the Red Teramer can decode/decrypt manually.
• As a more full feautred POC, a python script on the operator's side can make similar API calls to the Listener page to scan for command blocks with B64, read them off, decode/decrypt, and post the results.

Lots of design space for interesting solutions, and definitely is a lot of work, but I also think it's doable.

[mttaggart]

I don't see the need for SSL stripping at this time. The cleartext is available if you are analyzing the memory of the program in realtime anyhow. In fact, what the concern would be is not stripping SSL, but further encrypting via AES or chacha before send. Then, a decryptor agent would operate on the same Notion page, finding encrypted blocks and decrypting them in realtime.