Merlin Adds Support for the QUIC protocol
Jul 31 2018
By: Russel Van Tuyl • 5 min read
tl;dr
Support for the Quick UDP Internet Connection (QUIC) protocol was added to Merlin in version 0.6.0 to provide an additional C2 channel to evade detection, and it can be downloaded from GitHub.
Background
Support for the Quick UDP Internet Connection (QUIC) protocol has been added to Merlin as a communication protocol. This continues my interest in Google and its developments such as the Go programming language and HTTP/2 (formerly known as SPDY). QUIC was started by Google and is implemented in the Chrome web browser. The protocol is currently being standardized by an IETF Working Group and is in its fourteenth Internet-Draft at the time of this post. It is important to note that the protocol has not been finalized and is still under development.
QUIC aims to "deliver the next transport protocol for the Internet" and has features such as:
- Authenticated and encrypted header and payload
- Stream multiplexing
- Connection migration and resilience to NAT rebinding
- Leverages TLS 1.3 (Perfect Forward Secrecy & 0 Round Trip Time Handshake)
- Designed to reduce web latency
- Works in User Land
In short, it is like having an enhanced version of TCP for connections with strong encryption, multiplexing, and reliability, except that it runs on UDP. Connection migration is one very interesting capability: it allows a client to change its IP address or port but still maintain the same connection without having to renegotiate. This can occur when a device changes networks or a NAT rebinds to another port. This will be useful in the future to maintain a C2 channel when an agent roams from one network to another.
QUIC is at its core a transport protocol, but it is also being designed to carry HTTP/2 traffic. The QUIC protocol, when transporting HTTP traffic, is designated with the string hq, for HTTP/QUIC. This identifier, or token, is used during protocol negotiation with either the TLS Application Layer Protocol Negotiation (ALPN) extension or the Alt-Svc HTTP header. As a refresher from the inaugural blog post, HTTP/2 is identified with h2. This information will come in handy later when running Merlin.
Merlin leverages the quic-go library, a QUIC implementation in pure Go. Because the QUIC protocol has not been finalized, not all of its features have been implemented in the library. There are several different versions and implementations of QUIC that are registered and documented on the Working Group's GitHub page. The tagged 0.8.0 release of the quic-go library supports versions Q039, Q042, and Q043 of Google's QUIC implementation. At this time Merlin does not explicitly choose a specific version and defaults to the highest version supported by the quic-go library, Q043.
Google Chrome Implementation
One interesting aspect of QUIC is that you're likely using it right now and might not have any idea. The protocol is heavily used by Google when accessing applications such as YouTube or Google Docs with Chrome. To view sites or traffic that are currently using QUIC, visit the Chrome internal page at chrome://net-internals/#quic. This page provides data on QUIC sessions and traffic.

Alternatively, you can open the developer tools in Chrome by pressing Ctrl + Shift + I and navigate to your favorite YouTube video. Click on the Network tab and look at the Protocol column to see requests that are leveraging QUIC. HTTP/2 and SPDY indicator is a Chrome plugin that will allow you to determine if the page you're viewing is using HTTP/2, SPDY, or QUIC.

Merlin Server & Agent
Support for the QUIC protocol was added to Merlin in version 0.6.0 and can be downloaded from GitHub. Both Merlin Server & Agent can be started to support the QUIC protocol using the -proto hq command line flag.

Once the server is started, the message Starting hq listener is printed to the screen to confirm what protocol it is listening for. Additionally, executing the sessions command from the main menu will show what protocol an agent is using. The info command from the agent menu system will also return the protocol in use.

There are a couple of caveats to Merlin's support for QUIC in Merlin version 0.6.0. The QUIC protocol itself is not finalized, so not all of its features are implemented in the library Merlin is using. I will continue to develop Merlin to leverage the features as they are finalized and implemented. Merlin Server can only be run as either h2 or hq, but not both at this time. Future work will facilitate Merlin Server listening on both TCP and UDP ports at the same time, if desired.
Conclusion
My hope is that, in terms of C2, Merlin's use of the QUIC protocol can continue to help offensive security professionals evade detection and help defenders increase security by understanding the protocol's impact. While it is common for an organization to inspect web traffic over TCP, I don't know of any instances where inspection is being done on UDP. Additionally, there is a good chance that organizations are not filtering UDP traffic from egressing their network.
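A practical first step on the UDP egress point above is to inventory which outbound UDP flows leave the network on ports the egress policy does not explicitly allow. The program below is an added example for this post, not code from Merlin or its author: it parses a constructed flow-summary format ("src dst dport bytes", UDP only), assumes a minimal allow-list of DNS (53) and NTP (123) as the baseline, and lists every flow to any other UDP port that leaves RFC 1918 address space, with byte totals per destination port. ParseFlows, FlagUDPEgress, BytesByPort, BaselineUDPPorts and SampleFlows are names and data made up here.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one UDP flow summary, as a firewall log or NetFlow export might provide it.
type Flow struct {
	Src, Dst net.IP
	DstPort  int
	Bytes    int
}

// SampleFlows is constructed sample data: "src dst dport bytes", all UDP, all from 10.0.0.0/8.
const SampleFlows = `10.0.0.5  8.8.8.8       53   1440
10.0.0.5  203.0.113.10  443  2917600
10.0.0.7  10.0.0.1      443  9600
10.0.0.9  198.51.100.4  123  360
10.0.0.9  198.51.100.4  443  120`

// BaselineUDPPorts lists the outbound UDP ports the egress policy allows. DNS and NTP are an
// assumed starting point for this example, not a recommendation for any particular network.
var BaselineUDPPorts = map[int]bool{53: true, 123: true}

// internalNets covers RFC 1918 and loopback space; flows staying inside it are not egress.
var internalNets []*net.IPNet

func init() {
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"} {
		_, n, _ := net.ParseCIDR(c)
		internalNets = append(internalNets, n)
	}
}

func isInternal(ip net.IP) bool {
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ParseFlows turns the constructed line format into Flow records, rejecting malformed lines.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", i+1, len(f))
		}
		src, dst := net.ParseIP(f[0]), net.ParseIP(f[1])
		port, e1 := strconv.Atoi(f[2])
		size, e2 := strconv.Atoi(f[3])
		if src == nil || dst == nil || e1 != nil || e2 != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("line %d: malformed record %q", i+1, line)
		}
		flows = append(flows, Flow{Src: src, Dst: dst, DstPort: port, Bytes: size})
	}
	return flows, nil
}

// FlagUDPEgress returns flows that leave the internal network on a UDP port outside the baseline.
// A hit is an item to triage, not an alert by itself; reviewed destinations belong in the baseline.
func FlagUDPEgress(flows []Flow) []Flow {
	var out []Flow
	for _, f := range flows {
		if !isInternal(f.Dst) && !BaselineUDPPorts[f.DstPort] {
			out = append(out, f)
		}
	}
	return out
}

// BytesByPort totals bytes per destination port so the heaviest unexpected UDP egress surfaces first.
func BytesByPort(flows []Flow) map[int]int {
	totals := map[int]int{}
	for _, f := range flows {
		totals[f.DstPort] += f.Bytes
	}
	return totals
}

func main() {
	flows, err := ParseFlows(SampleFlows)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	flagged := FlagUDPEgress(flows)
	for _, f := range flagged {
		fmt.Printf("%s -> %s:%d/udp  %d bytes\n", f.Src, f.Dst, f.DstPort, f.Bytes)
	}
	for port, total := range BytesByPort(flagged) {
		fmt.Printf("port %d/udp: %d bytes across flagged flows\n", port, total)
	}
}
```

On the sample data the two 443/udp flows to external hosts are flagged while the DNS, NTP and internal flows are not. A multi-megabyte flow to 443/udp is exactly what a Chrome session to YouTube looks like, which is the point: without an inventory like this there is no baseline to tell a QUIC C2 channel apart from a browser, and with one, the unknown destinations on 443/udp become a short list to review and either allow-list or block at the egress firewall.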
Shout Out
Shout out to Kate Pearce and Carl Vincent (Vyrus) from Cisco for their previous work with QUIC presented at Black Hat: HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things. Another team published a paper titled A First Look at QUIC in the Wild with some good information as well.