Firefox tunnel

How to use Firefox as a tunnel to bypass any firewall - 27/01/2018

Etymology

Hello ladies and gentlemen of my technical tavern, in this post we will revisit an old project that I developed. I am grateful to CONVISO Application Security, a Brazilian cybersecurity consulting firm, for the great space with many excellent hackers and the great wisdom in its internal compendium. This tool was written five years ago, when I was working at CONVISO, so I am sharing the original CONVISO post here.

Stealth is a crucial element of the Red Team's task: it lets the team carry out the attack, succeed in exposing an aggressive mindset and adopt a proper cracker's point of view. If the Red Team wins, it can help build a better defence for the Blue Team in the future. This content on using Firefox as a tunnel to bypass any firewall is meant for good purposes, don't worry.

How to use Firefox as a tunnel to bypass any firewall

On this gitbook page, the content is about a different attack approach for getting remote control of a machine and bypassing the firewall. We have many weapons for that purpose, such as the Veil framework, msfvenom and so on, but sometimes following a different path brings good results.

The objective of the attack is to use Firefox to carry all communication between client and server, using hooks. This is not impossible, yet DLL injection can be tedious to implement and even harder to make portable. Did you know that the x32 and x64 architectures need different development approaches? (Later, I discovered that the EasyHook API could solve the x32/x64 DLL problem.)

I was studying Firefox internals and reading about its use of SQLite to store cookies, and that gave me a different focus.

Look at the following image:

To create a program like a firefox tunnel, follow these steps to get started:

  1. The program launches the Firefox browser in hidden mode and sends it a URL pointing at an evil server; finally, that evil server sends back a cookie containing a command.

  2. The tunnel reads the evil server's cookie out of the cookie database (cookies.sqlite) and uses it to invoke a command shell.

  3. The result of the command shell is used to write an HTML file with JavaScript that auto-submits the result.

  4. The program then opens that HTML file in hidden mode and sends the result of the command to the evil server.

Take a look:

To see this in action, I have created a repository with everything you need and a PoC.

Accessing the repository!

Proof of concept

Future insights

  • Add persistence, using RegOpenKeyEx() to open the path “Software\Microsoft\Windows\CurrentVersion\Run” and RegSetValueEx() to write a value that launches the program automatically at system startup.

  • Use images for I/O, with steganography.

  • Run the process in hidden mode.

Possible mitigations

  • Global hooking of the OpenFile() and CreateFile() functions, filtering for the argument “cookies.sqlite” and blocking the call when the calling program's path is not firefox.exe.

  • A file-watch API to monitor the cookie database.

  • A program that opens the cookie database periodically and searches for evil domains or hosts with a SELECT query against a blacklist, then uses a DELETE query to remove the evil cookie.

  • Consult us for more ideas.
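The third mitigation as an added example, not code from the original post or its repository: it builds a constructed cookies.sqlite with a reduced moz_cookies schema (only the columns the check needs), flags cookies whose host is on a blacklist (the host names are placeholders) and deletes them. Firefox stores domain cookies with a leading dot, so the match strips it and also catches subdomains of a listed domain.

```python
import sqlite3

# Constructed blacklist of tunnel hosts (placeholder names, not from the post).
BLACKLIST = {"evil.example", "c2.example"}


def host_is_blacklisted(host, blacklist):
    """Firefox stores domain cookies as ".evil.example"; strip the dot,
    then match the host itself or any subdomain of a listed domain."""
    h = host.lstrip(".").lower()
    return any(h == b or h.endswith("." + b) for b in blacklist)


def create_sample_db(path=":memory:"):
    """Build a constructed cookies.sqlite using a reduced moz_cookies schema
    (only the columns this check needs) and a few sample rows."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE moz_cookies (
        id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT,
        path TEXT, expiry INTEGER)""")
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry) VALUES (?,?,?,?,?)",
        [("www.mozilla.org", "session", "ok", "/", 2000000000),
         (".evil.example", "cmd", "whoami", "/", 2000000000),
         ("api.c2.example", "task", "dir", "/", 2000000000)])
    conn.commit()
    return conn


def find_evil_cookies(conn, blacklist):
    """SELECT every cookie and return (id, host, name, value) for the ones
    whose host is blacklisted; matching is done in Python so the
    subdomain rule above applies."""
    rows = conn.execute("SELECT id, host, name, value FROM moz_cookies").fetchall()
    return [r for r in rows if host_is_blacklisted(r[1], blacklist)]


def purge_evil_cookies(conn, blacklist):
    """DELETE the flagged cookies by primary key; returns how many were removed.
    Run this on a copy of cookies.sqlite or while Firefox is closed
    (assumption: a running Firefox keeps the live database locked)."""
    hits = find_evil_cookies(conn, blacklist)
    conn.executemany("DELETE FROM moz_cookies WHERE id = ?", [(r[0],) for r in hits])
    conn.commit()
    return len(hits)


if __name__ == "__main__":
    db = create_sample_db()
    for row in find_evil_cookies(db, BLACKLIST):
        print("suspicious cookie:", row)
    print("removed:", purge_evil_cookies(db, BLACKLIST))
```

Against the sample rows the scan flags the two blacklisted hosts and leaves the mozilla.org cookie in place; on a real profile, pass the path of the profile's cookies.sqlite to sqlite3.connect instead of building the sample database.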

Thank you, Nash Leon, for introducing me to the headless trick.

Thank you for reading.

Cheers!
