2024-08-07, Florentine A
The Data Link Layer is used for MAC-to-MAC communication, and it encapsulates all information relating to IP, ports, sessions and application data. Most shells (remote access via terminals) use TCP/IP, which requires the information to traverse the OSI stack; the sending and receiving systems use that stack to encode information in a specific way for different processes to use (raw socket programming, ad-hoc Wi-Fi, etc.). This presentation will show a way Ethernet can be weaponized to evade common detections, and how information can be encoded on frames. The common consensus is that layer 2 has range limitations, mainly due to the broadcast domain. Some bypasses will be introduced that extend the range of layer 2 communication.
This presentation will discuss different ways that layer 2 connections can be used to help penetration testers and red teamers, and, unfortunately, ways that attackers could already be leveraging the LOLS.
Ethernet frames sit at layer 2, directly above the physical layer, which makes this area a prime candidate for smuggling data. If Ethernet frames have tampered padding, or potentially other tampered headers, information can be transmitted between nodes on a LAN (Local Area Network). This is the basis for all communication, and it occurs by default, naturally. The problem with LOLS is that, unlike regular communication that involves an IP address and a port, ordinary-looking Ethernet frames can be caught by a receiving system, which interprets the covert information encoded in the frames and then executes it.
Since the source and destination addresses of a layer 2 frame can be spoofed, the frames can appear to come from a broadcast address and be sent to the broadcast domain, making it hard to pinpoint the originating and receiving systems. Point-to-point communication can also be used, by communicating between two known MAC addresses.
The question becomes whether this covert post-compromise concept is viable, or only a simple proof of concept. There are several ways that layer 2 communication can reach beyond the broadcast domain. The first is layer 2 forwarding: sending tampered Ethernet frames from one broadcast domain to another. This requires one of the nodes to have multiple network interfaces (eth0, eth1, wlan0, wlan1) that can then forward tagged frames between these networks. Other options are VLAN tagging, or lastly bridged layer 3 connections such as raw socket communication. If layer 3 is introduced, an IDPS may detect it, but from the point of view of routing within a broadcast domain to evade detection, bridged connections can be used to allow for C2 capabilities.
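As an added defensive illustration (not code from the talk or its author), the following Python script parses raw Ethernet frames and flags the three things the paragraphs above describe: a non-zero trailer after the point where the encapsulated protocol's own length field ends (the padding-smuggling case), a source MAC with the group bit set (frames that appear to come from a broadcast address), and an EtherType outside the set expected on the segment, with one 802.1Q VLAN tag stripped before inspection. All frames are constructed inline with made-up MAC and IP addresses; on a real system the frames would come from a packet capture or an AF_PACKET socket, which is assumed and not shown.

```python
"""Added example: inspect raw Ethernet frames for covert data in the trailer/padding."""
import struct

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60          # minimum Ethernet frame without the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100     # 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD
EXPECTED_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6}
ARP_ETH_IPV4_LEN = 28       # ARP body for Ethernet/IPv4 is fixed-size


def claimed_payload_len(ethertype, payload):
    """How many payload bytes the encapsulated protocol says it occupies.
    Anything after that point is link-layer padding and should be zeros."""
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        return struct.unpack("!H", payload[2:4])[0]          # IPv4 Total Length
    if ethertype == ETHERTYPE_IPV6 and len(payload) >= 40:
        return 40 + struct.unpack("!H", payload[4:6])[0]     # fixed header + Payload Length
    if ethertype == ETHERTYPE_ARP:
        return ARP_ETH_IPV4_LEN
    return None                                              # unknown: cannot locate padding


def inspect_frame(frame):
    """Return a list of findings for one raw frame (FCS already stripped)."""
    findings = []
    if len(frame) < ETH_HDR_LEN:
        return ["truncated frame"]
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    payload = frame[ETH_HDR_LEN:]
    if ethertype == ETHERTYPE_VLAN and len(payload) >= 4:    # strip one 802.1Q tag
        ethertype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    if src[0] & 0x01:                                        # group bit: multicast/broadcast
        findings.append("source MAC is a broadcast/multicast address")
    if ethertype not in EXPECTED_ETHERTYPES:
        findings.append(f"unexpected EtherType 0x{ethertype:04x}")
        return findings
    claimed = claimed_payload_len(ethertype, payload)
    if claimed is None or claimed > len(payload):
        findings.append("malformed or truncated payload")
        return findings
    trailer = payload[claimed:]
    if any(trailer):
        findings.append(f"non-zero trailer ({len(trailer)} bytes): {trailer.hex()}")
    return findings


# ---- constructed sample frames (made-up addresses, not captured traffic) ----
SRC_MAC = bytes.fromhex("0242ac110002")
DST_MAC = bytes.fromhex("0242ac110001")
BROADCAST = b"\xff" * 6


def _pad(frame, filler=b""):
    """Pad to the 60-byte minimum: the trailer starts with `filler`, then zeros."""
    need = max(0, MIN_FRAME_LEN - len(frame))
    return frame + (filler + b"\x00" * need)[:need]


def _arp_request(src=SRC_MAC, vlan_id=None):
    """ARP 'who-has 10.0.0.1' from 10.0.0.2, optionally inside an 802.1Q tag."""
    eth = BROADCAST + src
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                       src, bytes([10, 0, 0, 2]), b"\x00" * 6, bytes([10, 0, 0, 1]))
    return eth + body


def _ipv4_udp():
    """Minimal IPv4/UDP datagram (Total Length 28) with no UDP payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


SAMPLE_FRAMES = {
    "clean_arp": _pad(_arp_request()),
    "padded_arp": _pad(_arp_request(), b"covert-data"),
    "vlan_padded_arp": _pad(_arp_request(vlan_id=100), b"\xde\xad\xbe\xef"),
    "broadcast_source": _pad(_arp_request(src=BROADCAST)),
    "clean_udp": _pad(_ipv4_udp()),
    "padded_udp": _pad(_ipv4_udp(), b"\x01\x02\x03"),
    "unknown_ethertype": _pad(DST_MAC + SRC_MAC + struct.pack("!H", 0x88B5) + b"\x00" * 10),
}


def scan(frames):
    """Map frame name -> findings, keeping only frames that raised something."""
    return {name: f for name, f in ((n, inspect_frame(fr)) for n, fr in frames.items()) if f}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_FRAMES).items():
        print(name, findings)
```

A non-zero trailer is a hunting lead rather than proof of smuggling, since some NICs and drivers have historically filled padding with stale memory; correlate the finding with the source MAC, the frame rate, and whether the same trailer bytes recur across frames before escalating.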
Lastly, if this concept is used to smuggle layer 3, layer 4, or layer 7 protocols, it becomes possible that SOCKS4/5 proxies, SSH, RDP or other protocol communication can be hidden within layer 2, and only appear when exiting from the destination system. All other communications would appear on layer 2 throughout the network.
At this time, only one APT group has leveraged a layer 2 C2, which falls under MITRE ATT&CK's Non-Application Layer Protocol technique. Layer 2 C2 communication has been seen in the wild, and this proof of concept will demonstrate several applications in practice. Reference for the APT group: https://attack.mitre.org/techniques/T1095/
Elysee Franchuk is a Cybersecurity Consultant. He enjoys breaking things apart and understanding the processes that enable systems to function. With a background in programming, penetration testing, and information technology, Elysee has a creative perspective on detecting vulnerabilities and finding new ways to exploit new and old problems. Elysee's other interests are playing video games, listening to EDM, and Lego.