Abusing Google Apps and Data API: Google is My Command and Control Center
This presentation is about abusing Google Apps to implement various attacks that range from hostless phishing to setting up a botnet's command and control (C2) center.
    Presentation Transcript

    • Abusing Google Apps & Data API: Google is my C2.
    • #whoami: www.opensecurity.in. Information Security Enthusiast. Founder of OWASP Xenotix XSS Exploit Framework. Strong supporter of Free and Open Information Security Education. Runs a DEFCON chapter at Kerala. Another Learner.
    • Disclaimer: All third party images are the property of their respective owners. Just pointing out how some innocent services can be abused. I am not responsible for anything.
    • Agenda: Intro; Abusing AppScript for e-mail bombing; Data URI + Google Forms + TinyURL = Phishing Variant; Google Spreadsheet + Data API = A Botnet Communication Channel; xBOT: a prototype bot; Conclude.
    • Google Data API
    • Email Bombing, the old ways. Methods of e-bombing: open relay servers; PHP/ASP/JSP mail functions; misconfigured mail-sending features in web apps. Now blocked by services like Gmail, Live, Yahoo etc.; e-bombs will end up in the SPAM folder.
    • Google AppScript: Google Apps Script is a JavaScript cloud scripting language.
    • AppScript : Class MailApp
    • Little Mutation
    • DEMO http://www.youtube.com/watch?v=mTHIcdkdKXY
    • Data URI: Data URI phishing was described by Henning Klevjer in his paper. A Data URI allows you to include data in-line in web pages via a URL: data:text/html,<body>hi</body> or, base64-encoded, data:text/html;base64,PGJvZHk+aGk8L2JvZHk+
    • Data URI + Google Forms + TinyURL = Beauty. Combining all of these gives a beautiful phishing attack, a perfect addition to social engineering.
    • Basic Idea (diagram labels): http://tinyurl.com/fb; data:text/html,<body>hi</body> injected with our JavaScript; credentials to a Google Spreadsheet; FB Server.
    • JavaScript to do the work
    • DEMO http://www.youtube.com/watch?v=htoiNO50fBc
    • Channelizing Google Spreadsheet: Google Spreadsheet can store data online. You can export the contents of the spreadsheet as JSON, RSS and TSV. Read and write remotely, over SSL. Hmmm! What else do you want?
    • Selecting the right URL format (chart: execution time and data length compared for the JSON, RSS and TSV sources).
    • What is xBOT? xBOT is a PoC bot. It uses Google Spreadsheet and Forms to implement its communication channel, uses the Google Data API to extract the commands, and uses a third party server for file hosting.
    • xBOT Architecture (diagram labels): Command and Control sends commands via a Google Form into a Google Spreadsheet; xbot.py on the xBOT victim gets commands every 4 sec and sends responses back; file upload goes to file hosting, which returns a file URL.
    • DEMO http://www.youtube.com/watch?v=TBP7ynUalOY
    • Conclusion: Nasty things can be built over innocent stuff. These are some possible ways an attacker could use. Interesting fact: there is no captcha for Google Forms. That's all.
    • Thank You @ajinabraham ajin.abraham@owasp.org
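The "Channelizing Google Spreadsheet" and "xBOT Architecture" slides describe a bot that fetches commands from a spreadsheet export feed every 4 seconds. As an added example from the defender's side (not code from the talk or from xBOT), the following Python flags exactly that fingerprint in proxy logs: a client hitting a machine-readable sheet feed on a short, near-constant timer. The log format, the client addresses, the spreadsheet key and the feed URL shapes are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the talk): "<ISO time> <client> <url>".
# KEY_PLACEHOLDER stands in for a real spreadsheet key.
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.0.0.5 https://spreadsheets.google.com/feeds/list/KEY_PLACEHOLDER/od6/public/values?alt=json
2014-03-01T10:00:04 10.0.0.5 https://spreadsheets.google.com/feeds/list/KEY_PLACEHOLDER/od6/public/values?alt=json
2014-03-01T10:00:08 10.0.0.5 https://spreadsheets.google.com/feeds/list/KEY_PLACEHOLDER/od6/public/values?alt=json
2014-03-01T10:00:12 10.0.0.5 https://spreadsheets.google.com/feeds/list/KEY_PLACEHOLDER/od6/public/values?alt=json
2014-03-01T10:00:16 10.0.0.5 https://spreadsheets.google.com/feeds/list/KEY_PLACEHOLDER/od6/public/values?alt=json
2014-03-01T10:00:20 10.0.0.5 https://spreadsheets.google.com/feeds/list/KEY_PLACEHOLDER/od6/public/values?alt=json
2014-03-01T10:00:01 10.0.0.7 https://docs.google.com/spreadsheet/ccc?key=KEY_PLACEHOLDER
2014-03-01T10:09:02 10.0.0.7 https://docs.google.com/spreadsheet/ccc?key=KEY_PLACEHOLDER
"""

# Machine-readable export feeds (json/rss/tsv) rather than the editor UI; the host
# and query shapes are assumptions about the legacy Data API, not from the slides.
FEED_RE = re.compile(r"https://(?:spreadsheets|docs)\.google\.com/\S*(?:alt=(?:json|rss)|output=tsv)")


def parse_log(text):
    """Yield (timestamp, client, url) from the constructed log format."""
    for line in text.splitlines():
        ts, client, url = line.split(" ", 2)
        yield datetime.fromisoformat(ts), client, url


def find_polling(text, min_hits=5, max_mean=10.0, max_cv=0.15):
    """Flag (client, url) pairs hitting a sheet feed on a short, near-constant timer,
    the fingerprint of a bot fetching commands rather than a person opening a sheet."""
    series = defaultdict(list)
    for ts, client, url in parse_log(text):
        if FEED_RE.match(url):
            series[(client, url)].append(ts)
    findings = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")  # coefficient of variation
        if period <= max_mean and jitter <= max_cv:
            findings.append({"client": client, "url": url, "hits": len(times), "period_s": round(period, 2)})
    return findings


if __name__ == "__main__":
    for f in find_polling(SAMPLE_LOG):
        print(f"{f['client']} polls {f['url']} every ~{f['period_s']}s ({f['hits']} hits)")
```

Legitimate use of the sheet editor (10.0.0.7) is ignored both because it does not hit an export feed and because its visits are irregular; tune min_hits and max_cv to the polling behaviour you expect in your own environment.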