This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses. Click the “ebpf” tag to see all relevant posts.
In the previous posts I spent time learning about bpftrace, which is quite powerful. This post is focused on basics and using existing BPF tools, rather than building new BPF programs from scratch.
Living off the land: bpfcc-tools
Performance and observability teams are pushing for BPF tooling to be present in production. Due to its usefulness, this is likely going to increase.
Influencers in the industry are pushing for the installation of a common toolset.
For instance, here is a slide from a Systems@Scale 2021 conference presentation.
For offensive security this means that it will become more likely that adversaries will leverage already installed tooling to do their deeds.
This certainly also applies to the even more flexible bpftrace tool discussed previously.
In the offensive security space we call this “Living off the land”.
Living off the land - bpfcc-tools
To get an idea of some cool tools, check out the
sudo apt-get install bpfcc-tools
As mentioned, even in production environments these tools might already be installed.
The tools in bpfcc-tools generally all end with -bpfcc. On my Ubuntu install they can be listed with ls /usr/sbin/*bpfcc, but they might lack this suffix, and older versions of the tools were written in Python.
Let’s look at some tools and what they can do for recon and mapping out the homefield.
Sniffing TLS traffic
Sniffing TLS traffic is a common post exploitation attack angle to get access to sensitive information, such as Cookies or Bearer tokens.
Tracing traffic inside the kernel with existing techniques such as tcpdump typically does not lead to the desired results (unless you have the TLS session keys; I wrote about this in my book, by the way).
What BPF allows now is to create hook points for popular user mode functions that deal with reading/writing the TLS payload before it is encrypted (or right after it is decrypted).
A tool that hooks OpenSSL’s PR_Write calls to dump cleartext is part of the bpfcc-tools.
hacker@server:~$ sudo sslsniff-bpfcc
FUNC         TIME(s)            COMM             PID     LEN
WRITE/SEND   0.000000000        curl             2781502 73
----- DATA -----
GET / HTTP/1.1
Host: example.org
User-Agent: curl/7.68.0
Accept: */*

----- END DATA -----
READ/RECV    0.030690910        curl             2781502 822
----- DATA -----
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 28 Sep 2021 16:55:13 GMT
Content-Type: text/html
Content-Length: 511
Set-Cookie: **ThisShouldBeASecret!**
Last-Modified: Tue, 03 Nov 2020 18:54:15 GMT
Connection: keep-alive
ETag: "5fa1a757-1ff"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

<!doctype html>
<html>
...
My goal was to sniff traffic from Firefox or Chrome, but the sslsniff-bpfcc tool did not work there.
Check out my other post about sniffing some Firefox traffic with
What other tools are in this toolset?
Brendan Gregg has a great diagram on his website that shows all the tools and where in the stack they are applicable:
This is quite the list of observability and performance tools.
Reconnaissance, Credential Hunting, etc.
The tools in the BPF toolset are powerful and might be used by an adversary (incl. a malicious insider):
execsnoop-bpfcc: shows the path and arguments of all exec calls
opensnoop-bpfcc: shows all open() syscalls, can filter by UID, PID, etc.
tcplife: Recon on TCP connections (source, destination, port)
tcpaccept-bpfcc: who connects to this machine?
solisten-bpfcc: shows any new socket that starts listening
ttysnoop-bpfcc: snoop on other tty sessions (could be quite useful when hunting for credentials)
sslsniff-bpfcc: sniffing TLS traffic (e.g. openssl)
inject-bpfcc: allows failing kernel calls when certain conditions are met
Note: The binaries/tools might not end with -bpfcc on your machine, depending on the version and how they got installed. Older versions of these tools were Python based, for instance.
Detections and Threat Hunting
For living off the land style attacks, detection is tricky, since it can lead to a lot of false positives. Generally, making sure to get logs off the machines for analysis is important.
Check out the previous post about detecting offensive BPF usage, as those techniques apply here as well.
In particular, it would be interesting to hunt or investigate usage of tools such as
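As an added example that is not part of the original post, here is a small Python hunt that scans execsnoop-style process-execution lines for launches of the tools listed above, matching them with or without the -bpfcc suffix and behind sudo or a Python interpreter (the older Python-based releases). The sample log lines, the /opt/tools path and the category labels are constructed for this example.

```python
# Hunt for bpfcc-tools / bpftrace launches in execsnoop-style lines
# ("PCOMM PID PPID RET ARGS", the layout execsnoop-bpfcc prints).
import os
import re
from typing import List, Optional, Tuple
# Tools named in the post, keyed by base name so "sslsniff", "sslsniff-bpfcc"
# and "sslsniff.py" (older Python-based releases) all hit the same entry.
WATCHED_TOOLS = {
    "execsnoop": "process recon", "opensnoop": "file access recon",
    "tcplife": "network recon", "tcpaccept": "network recon", "solisten": "network recon",
    "ttysnoop": "tty snooping", "sslsniff": "TLS plaintext capture",
    "inject": "fault injection", "bpftrace": "ad-hoc BPF tracing",
}
# Wrappers skipped so the command they launch is the token inspected.
WRAPPERS = {"sudo", "env", "nohup", "python", "python2", "python3"}

def tool_base_name(token: str) -> Optional[str]:
    """Map an argv token to a watched tool name, ignoring path and suffix."""
    name = re.sub(r"(-bpfcc)?(\.py)?$", "", os.path.basename(token))
    return name if name in WATCHED_TOOLS else None

def hunt(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, comm, tool, category) for every watched tool launch."""
    findings = []
    for line in lines:
        parts = line.split(None, 4)            # PCOMM PID PPID RET ARGS
        if len(parts) < 5 or not parts[1].isdigit():
            continue                           # header or malformed line
        comm, pid, argv = parts[0], int(parts[1]), parts[4]
        for tok in argv.split():
            if tok.startswith("-") or os.path.basename(tok) in WRAPPERS:
                continue                       # flag or wrapper: keep looking
            tool = tool_base_name(tok)
            if tool:
                findings.append((pid, comm, tool, WATCHED_TOOLS[tool]))
            break                              # only the command itself counts
    return findings

# Constructed sample lines (not real output): two benign, three tool launches.
SAMPLE_LOG = """\
PCOMM            PID     PPID    RET ARGS
sslsniff-bpfcc   2781490 2781400   0 /usr/sbin/sslsniff-bpfcc
curl             2781502 2781400   0 /usr/bin/curl https://example.org
python3          2781510 2781400   0 /usr/bin/python3 /opt/tools/ttysnoop.py 5
sudo             2781520 2781400   0 /usr/bin/sudo -E opensnoop -u 1000
ls               2781530 2781400   0 /bin/ls /usr/sbin
"""
for pid, comm, tool, category in hunt(SAMPLE_LOG.splitlines()):
    print(f"pid={pid} comm={comm} tool={tool} ({category})")
```

Feeding the same function the output of execsnoop-bpfcc itself (or auditd EXECVE records converted to this layout) turns it into a simple continuous hunt; expect to tune WATCHED_TOOLS and WRAPPERS per environment to keep false positives down.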