Introduction

The modern threat landscape requires a comprehensive defense-in-depth strategy, which often includes the interception and inspection of employee SSL-protected web traffic. As most attacks now use some form of encryption, being able to log and inspect this content is vital.

Due to a lack of understanding of local privacy laws, many organisations whitelist certain categories of websites, such as finance/banking and health. This presents a blind spot to blue teams and incident responders, which manifests itself as a lack of detailed logging.

This blind spot can be leveraged post-exploit by adversaries looking to establish stealthier persistent C2 channels. The proxy logs don’t expose the full URLs associated with common C2 profiles, and inspecting the encrypted traffic for common patterns isn’t possible. It’s also useful for getting questionable binaries onto the estate, putting the burden on endpoint protection.


How does SSL Inspection work?

SSL inspection relies on a proxy server dynamically issuing trusted website certificates on the fly. These certificates all have the same issuer and are usually valid from that day onwards. As the proxy server now has an ‘SSL trust’ relationship established with both ends, it is able to decrypt and inspect the traffic contents.


Example 1 - SSL cert for non-whitelisted site

screenshot

Example 2 - SSL cert for whitelisted site

screenshot



Using ProxyPunch

ProxyPunch aims to identify these SSL blind spots by baselining a proxy server’s certificate issuer. Once this issuer has been established, any website whose certificate has not been issued by this authority must be whitelisted or in a whitelisted category. ProxyPunch has a built-in list of sites for various categories.

screenshot
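The issuer comparison described above, as an added example (not ProxyPunch’s own code) that a security team can run from a managed workstation to enumerate which categories their own proxy passes through uninspected. It assumes a transparent proxy (an explicit proxy would need a CONNECT tunnel first); the hostnames, the "Company WWW Gateway" and "R3" issuer names and the sample certificate dicts are constructed placeholders.

```python
import socket
import ssl
from collections import Counter

def issuer_cn(cert):
    """Issuer commonName from an ssl.getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def fetch_cert(host, port=443, timeout=5):
    """Verified TLS handshake to host; returns the peer certificate the client
    sees. Run from a client that trusts the proxy CA so inspected sites verify."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def baseline_issuer(certs):
    """Treat the most common issuer across all probed hosts as the proxy CA."""
    counts = Counter(issuer_cn(c) for c in certs.values())
    return counts.most_common(1)[0][0]

def audit(certs, categories, baseline=None):
    """{category: [hosts whose cert was NOT issued by the proxy CA]}.
    certs: {host: cert dict}; categories: {category: [host, ...]}."""
    if baseline is None:
        baseline = baseline_issuer(certs)
    gaps = {}
    for category, hosts in categories.items():
        bypassed = [h for h in hosts
                    if h in certs and issuer_cn(certs[h]) != baseline]
        if bypassed:
            gaps[category] = bypassed
    return gaps

# Constructed sample standing in for fetch_cert() results: hostnames and the
# "Company WWW Gateway" (proxy CA) / "R3" issuer names are placeholders.
PROXY = ((("commonName", "Company WWW Gateway"),),)
SAMPLE_CERTS = {
    "www.search.example": {"issuer": PROXY},
    "www.news.example": {"issuer": PROXY},
    "bank.finance.example": {"issuer": ((("organizationName", "Let's Encrypt"),),
                                        (("commonName", "R3"),))},
}
SAMPLE_CATEGORIES = {"search": ["www.search.example"],
                     "news": ["www.news.example"],
                     "finance": ["bank.finance.example"]}
```

Any category that appears in the audit result is one the proxy is not inspecting and therefore not logging in detail; in practice replace SAMPLE_CERTS with `{h: fetch_cert(h) for h in hosts}` over your own category list.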



Walkthrough

ProxyPunch identifies that an SSL exception is in place for all Banking/Finance sites. In this example, as with most organisations, access to web-based email sites is not allowed.

screenshot


A domain name is now required that is categorised as Banking/Finance. The easiest way to do this is to use a website such as ExpiredDomains to search for related domains that have expired. If you register with ExpiredDomains you are able to use the advanced filter to search for appropriate domains. In this example, I searched for .info sites containing the word Mortgage. I then sorted by the BL (BackLinks) column, as I found sites with backlinks more likely to be categorised correctly.

screenshot



Before purchasing the domain, it’s prudent to check that the domain is categorised appropriately, as it is the site’s web content that determined the category, not the words in the domain name. Fortunately there are a number of online tools we can use to check categories.

McAfee
Cyren
Zvelo
BrightCloud
Palo Alto


The 3rd domain on the list, puremortgage.info, looks promising:

screenshot

screenshot




A quick check on Namecheap and we can see that the domain is available (and inexpensive):

screenshot




After purchasing the domain, we set up a web service with a Let’s Encrypt certificate. We can now check that the proxy is whitelisting our domain by confirming that we’re seeing the Let’s Encrypt certificate and not the Company WWW Gateway one:

screenshot

We now have a site that’s whitelisted. All traffic going through the proxy server to our website will not be inspected.




As a quick test, I used a malleable C2 profile with the certificate for www.puremortgage.info to see how my beacon traffic was logged.

This is what the proxy logs look like for a whitelisted site:

screenshot


Compared to a non-whitelisted site:

screenshot



SSL inspection whitelisting doesn’t end with categorisation. In my experience I’ve seen specific websites whitelisted for a number of reasons, for instance a client application that connects through the proxy but expects a particular SSL certificate to be in place in order to establish authenticity. Misconfigured wildcard exceptions can also be found, such as the following, which you can take advantage of using matching subdomains of your domain:

windowsupdate.*
*.microsoft.*

But I’ll leave that up to the reader to go and explore…

You can find the ProxyPunch repository here