Vincent Yiu
  • Red Team
  • About Vincent Yiu
  • Red Team Tips
  • Videos
  • Red Team
    • Attack Infrastructure
      • CloudFlare for IP Address Filtering
      • Azure Apps for Command and Control
      • CobaltSplunk
    • Backdooring PE Files
      • Backdoor 101
      • Backdoor 102
      • Backdoor 103
    • Cloud Security
      • CloudFront Domain Hijacks under Attack
      • Vultr Domain Hijacking
      • CloudFlare for Command and Control
    • Command and Control
      • TryCloudFlare Infrastructure and Domain Fronting
      • Domain Fronting using StackPath CDN
      • HAMMERTHROW: Rotate my domain
      • Domain Fronting via. CloudFront Alternate Domains
      • Validated CloudFront SSL Domains
      • Domain Fronting: Who Am I?
      • Host Header Manipulation
      • Finding Target-relevant Domain Fronts
      • Alibaba CDN Domain Fronting
      • TOR Fronting — Utilising Hidden Services to Hide Attack Infrastructure
    • General Exploitation
      • Payload Generation with CACTUSTORCH
      • Exploiting CVE-2017–8759: SOAP WSDL Parser Code Injection
      • Exploiting CVE-2017–0199: HTA Handler Vulnerability
      • F# Shellcode Execution
      • Bypassing Gmail Attachment Virus Check
      • IPFuscation
    • Hardware and Gadgets
      • USBNinja
      • Aorus Gaming Box for Password Cracking
      • Proxmark Adventures 101
      • Poor man’s guide to Raspberry Pi initial installation
    • Post Exploitation
      • Introducing ANGRYPUPPY
      • RDPInception
      • VLAN Attacks
    • Reconaissance
      • Reconnaissance using LinkedInt
      • DomLink — Automating domain discovery
      • OffensiveSplunk vs. Grep
    • Misc
      • Under the wire: Trebek — Walkthrough
Powered by GitBook
On this page
  • What the...
  • What can we do?
  • GitHub
  • Usage
  • Cobalt Strike
  • Cobalt Strike Aggressor Script
  • Conclusion

Was this helpful?

  1. Red Team
  2. General Exploitation

IPFuscation

Images are broken. I will fix when I have time.

What the...

IPFuscation is a technique that allows for IP addresses to be represented in hexadecimal, octal, or a combination, instead of the decimal encoding that we are used to.

What can we do?

Normal: ping 45.54.123.21

Hexadecimal + Decimal + Octal: ping 0x2d.54.123.025

Hexadecimal: ping 0x2d367b15

Hexadecimal with period symbol: ping 0x2d.0x36.0x7b.0x15

Hexadecimal with 0 padding: ping 0x0000000002d.0x00000000036.0x00000007b.0x0000000015

Decimal: ping 758545173

Octal: ping 05515475425

Octal with period symbol: ping 055.066.0173.025

Octal with 0 padding: ping 000000055.000066.000000173.0000000025

As we can see there's a bunch of ways you can ping the same IP. For a moment, I wondered if this was just how Ping worked. However, given that this works with OpenURL, I decided to try it with Cobalt Strike!

GitHub

I wrote a script that automatically outputs a set of known formats for the same IP address that you specify. Hopefully will be useful for some people!

Usage

python .\ipfuscator.py 127.0.0.1
IPFuscator
Author: Vincent Yiu (@vysecurity)
https://www.github.com/vysec/IPFuscator
Version: 0.1.0

IP Address:     127.0.0.1

Decimal:        2130706433
Hexadecimal:    0x7f000001
Octal:          017700000001

Full Hex:       0x7f.0x0.0x0.0x1
Full Oct:       0177.0.0.01

Random Padding:
Hex:    0x000000000000000007f.0x00000000000000000000.0x0000000000000000000.0x0000000000000000000001
Oct:    0000000000000000000000000177.000000000000000.0000000000000000000000.0000000000000000000000000000001
Random base:
#1:     0x7f.0x0.0.1
#2:     127.0.0x0.0x1
#3:     0177.0x0.0.1
#4:     0x7f.0.0.1
#5:     127.0x0.0x0.1

Random base with random padding:
#1:     0x0000000007f.0.0000000000.00000000000001
#2:     0x000000000007f.0x0000000000000000000000.0x00000000000000.0x00000000001
#3:     00000000000000000000000177.0x00000000.000000000000000.00000000000000000000000001
#4:     000000000000000177.0.0.1
#5:     127.0000000000000000000000.00000000000000.0x0000000000001

Cobalt Strike

Although I rarely use IP addresses compared to hostnames when it comes to connecting to resources, we know for a fact that many threat actors do. In some cases you may want to resort to using IP addresses and this technique can add a bit of flavor to the mix.

To use this technique in Cobalt Strike, you simply create a listener like you normally would. Let's say my IP was 45.54.123.21, run IPFuscator as shown below:

Generate a payload as you would normally, and it all works fantastically!

You could even mix it up a bit:

Cobalt Strike Aggressor Script

Conclusion

IPFuscation is not an advanced technique. However, it can be used to:

  1. potentially break regex rules for command line logging looking for IP addresses. Eg. when you issue a command such as ping 0055.0x0036.000173.0x0015

  2. obfuscate previously unobfuscated / unencrypted cleartext strings to C2 locations within the payload

According to inphosys on Reddit, the proxy sees the regular decimal IP address notation:

To keep it simple, make the use of IPs cool again! :)

PreviousBypassing Gmail Attachment Virus CheckNextHardware and Gadgets

Last updated 6 years ago

Was this helpful?

ConEmu64_2018-05-19_19-48-55

You can immediately take this information and use any of these representations in your listener address. For example:

javaw_2018-05-19_19-51-36
javaw_2018-05-19_20-02-44

I actually wrote a Cobalt Strike Aggressor Script to automatically convert an IP that you can issue with the ping command that will convert and use ping with a hexadecimal equivalent IP. If you want to use this you can obtain this script in my . This was released back in 2017.

chrome_2018-05-19_21-00-19
https://github.com/vysecurity/IPFuscator
Aggressor repository
javaw_2018-05-19_19-50-52