Texas Cyber Summit IV
Adversary Village

José Garduño

Senior Security Consultant, Dreamlab Technologies AG

José Garduño has been a senior security consultant at Dreamlab Technologies since 2014, where he usually takes part in security audits, pentesting, and red teaming engagements. He has spoken at several technical conferences, including Hackito Ergo Sum (France), Swiss Cybersecurity Days (Switzerland), DSS ITSEC (Latvia), 8.8 Security Conference (Chile, Bolivia), OWASP Patagonia (Argentina), Congreso Seguridad en Computo UNAM (Mexico) and DragonJar Security Conference (Colombia), where he has presented his work on privacy attacks in Latin America (The government as your hacking partner), hacking with open hardware platforms (Revisiting hardware keyloggers, say hi to Mikey: an offensive hardware keylogger) and C2 detection (RATSPOTTING: Analysis of popular Remote Administration Tools & discovery of C2 servers in the wild).

Talk: C2Centipede - APT level C2 communications for common reverse HTTP shell tools.

Adversaries have been continuously improving their malware to be stealthier and more resilient, both on the victim's host and on the network. Examples of innovations on the network side include Fast Flux networks, Domain Generation Algorithms and Domain Fronting, among other techniques.
Unfortunately, open source tools for threat emulation currently have limited support for such advanced features, leaving red teams with easy-to-detect C2 communications. We present C2Centipede, a proxy tool that provides these features to HTTP reverse shell tools (such as Metasploit or Empire) so they are stealthier on the network, by dynamically and transparently modifying the trojan's C2 communication routing and beaconing strategies, with the aim of evading some of the blue team's detection strategies.
Major addition after the DEF CON Adversary Village: FTP, SMB and almost any file transfer protocol as a C2 communication channel. Convert a meterpreter/reverse_http -> meterpreter/reverse_smb.

Recorded Live 📼