Friday, May 18 • 10:00am - 10:45am
HTTP/2 Magic with Merlin


HTTP/2 is a protocol that increases efficiency and overcomes shortfalls of the HTTP/1 protocol and is intended to be used only over TLS connections. Because this protocol is relatively new, there is a lack of tools capable of inspecting the protocol to detect or prevent attacks. The protocol’s use of Perfect Forward Secrecy TLS cipher suites further complicates matters by preventing inspecting technologies from capturing the keying material required to decrypt traffic for inspection. This presentation provides an overview of the HTTP/2 protocol along with implications for defenders and attackers alike. Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang. A new tool will be released to the public that leverages HTTP/2 Command & Control of a host across many platforms to include Linux, Windows, Android, and MacOS.

HTTP/2 Protocol
This presentation will include a brief intro into HTTP/2 and how it is different from HTTP/1.X. Next we will walk through some of the unique aspects with regard to communication channel encryption, such as only allowing ephemeral cipher suites. During this research, it was determined that current tool sets are capable neither of decrypting HTTP/2 traffic, because of the ephemeral cipher suites, nor of decoding HTTP/2 traffic in an IDS to evaluate the contents.

Blue Team Defenses
The protocol can leave some blind spots for network defenders. We’ll quickly evaluate some options for working with HTTP/2 traffic, such as downgrading the protocol so that an IDS can look at it, or terminating TLS connections and changing cipher suites so it can be decrypted later. TLS fingerprinting is another avenue that circumvents the need to perform any decryption.

Red Team Post-Exploitation Command & Control
The second half of the presentation will focus on a post-exploitation command and control tool written entirely in Golang that operates over HTTP/2. Additionally, the tool can be cross-compiled to a plethora of platforms such as Linux, BSD, Windows, Solaris, and MacOS, all with just a single command line switch. We’ll show how a newer protocol can be used to stay undetected while maintaining access to systems on an internal network. The tool has been dubbed “Merlin”, is currently functional, and is hosted on GitHub. After announcing the tool, we’ll spend some time providing a demonstration of its functionality.

Russel started researching the HTTP/2 protocol as part of his graduate studies and published a paper on the topic.


Russel Van Tuyl

Security Analyst, Sword & Shield Enterprise Security
Russel Van Tuyl is a security analyst for Sword & Shield Enterprise Security. His primary role consists of conducting network vulnerability assessments, penetration tests, and web application assessments but also performs firewall configuration audits, wireless assessments, and social...

Friday May 18, 2018 10:00am - 10:45am
Preservation Pub 28 Market Square, Knoxville, TN 37902
