Bypass Windows Firewall via Npcap (RestlessC2)

Written on September 30, 2019

Fighting Windows Defender and Malwarebytes is a story without an end. From time to time, I try to update my beacons and change their behavior, so they bypass Windows defenses. This three-week break, I wrote another Red Team implant. I called it Restless.

Restless can be called a C2 project since it consists of two main parts a client and server where the server controls and commands the client. But it’s not just another C2 project like other projects. Restless uses Npcap to bypasses Windows Firewall Rules + Since it’s new with no known signature, it also bypasses Windows 10 AV and Malwarebytes (By this date).

The idea behind it is that it uses Npcap APIs to call specific functions to sniff the network for a pre-crafted type of packets. These crafted packets designed using raw sockets, and they have similar characteristics to ICMP packets, where they are hardly distinguished among other ICMP packets and, at the same time, carry arbitrary data.

I called my implementation Restless since it sniffing the network nonstop looking for its targeted packets + I hate spending time choosing names, and that’s the first thing that came to my mind.

Detection

The beacon is constantly sniffing the network; thus, it asks too many I/O read requests as shown below. That might be unusual behavior where some AVs might detect. However, Windows 10 AV didn’t detect any suspicious behavior (By this post’s date).

Beacon.exe

Beacon

Comparing it with mcc.exe

mcc.exe

REAME.md

Disclaimer

This Red-Team tool is used for educational purposes ONLY!

What is Restless?

Restless is a small in-memory implant using C#. It uses SharpPcap, which uses Npcap APIs internally. Npcap is a new standard library update to the old WinPcap library.

RestlessCLI is a C2 that controls Restless implants using ICMP-like packets. Restless implant listens for specific ICMP-like packets and applies instructions given by Restless-CLI.py. Restless Controller/Server can task clients to execute pre-baked or arbitrary commands.

alt text

Status

  • Restless implants have been tested on Windows7/10/12/16/19 and evaded detections on 10 :).
  • Restless implants bypass Windows Inbound firewall rules.
  • Server sends “encrypted” messages, Caesar Cipher; it can be adjusted using the SHIFT parameter.
  • Server uses raw sockets to send customized ICMP-like packets.
  • The server’s CLI supports Command 2 All bots.
  • The final payload is 20.0 KB without modifications.
  • Integrated with pwnboard.

Files:

  • Config.py Where are the configuration parameters. (Have to be changed according to your system)
  • pwnAgent.py is a stand-alone script that updates pwnboard.
  • ips.conf Where all the targeted IPs should be placed.

Dependencies:

  • Dotnet core
  • Npcap

Special Thanks:

  • Thank you, Scuzz3y - I got the idea after a discussion in one of the RIT Red-Team engagements with Scuzz3y.