How we accidentally created our own: RAT, C2, Botnet
Adam Compton & Bill Harshbarger
Distributed Computer Network
Me Me Me…
• Who/What am I?
• Simple answer:
  • Father/Husband/Son/Brother
  • Programmer/Pentester/Researcher
  • Hillbilly
BILL…
• Who/What am I?
Sort of Boring Stuff
Agenda:
• Get over stage fright and get started… DONE
• Talk about ourselves… DONE
• Present agenda… IN PROGRESS
• Present rambling story of our accidental and haphazard path to creating a sort of working RAT/C2/etc... COMING UP NEXT
• Maybe talk about other stuff too… MAYBE IF THERE IS TIME
• Take questions... LATER
• Go get drinks... LATER...DOWN STAIRS
More Boring Stuff
Basic Terminology:
• RAT
• Remote Administration Tool
• C2
• Command and Control
• Botnet
• Robot Network
• Distributed Computing Environment
Just a Bit More Boring Stuff
Common Functions:
• Encrypted Comms
• Upload/Download Files
• Exec System/Shell Commands
Once upon a time….
• Multiple pentesters
• Internal engagement
• No Internet access
• In separate rooms
Chat Program
Requirements:
• Server
• Client(s)
Actions:
• Client sends message
• Server receives message
• Server forwards message to other clients
• Other Clients receive message and display it
DEMO: Chat Program
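The chat design on the slide (and in speaker note 8) is a relay: a client sends a line, the server receives it and forwards it to every other connected client. The following Go program is an added example written for this page, not the authors' tool; it keeps the forwarding logic in a Hub type that can be exercised without a network, and wires it to TCP in main. The listen address 127.0.0.1:9009 and the use of the peer address as the client id are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sync"
)

// Hub is the server side of the chat design: clients join, a client
// sends a message, and the hub forwards it to every *other* client.
// Added example, not the talk's own code.
type Hub struct {
	mu      sync.Mutex
	clients map[string]chan string // client id -> its outbound queue
}

func NewHub() *Hub {
	return &Hub{clients: make(map[string]chan string)}
}

// Join registers a client and returns the channel on which it will
// receive forwarded messages. The buffer keeps one slow client from
// blocking delivery to the others.
func (h *Hub) Join(id string) <-chan string {
	h.mu.Lock()
	defer h.mu.Unlock()
	ch := make(chan string, 16)
	h.clients[id] = ch
	return ch
}

// Leave removes a client and closes its queue. Both Leave and Broadcast
// hold the mutex, so a queue is never closed while a send is in flight.
func (h *Hub) Leave(id string) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if ch, ok := h.clients[id]; ok {
		close(ch)
		delete(h.clients, id)
	}
}

// Broadcast forwards msg from sender to every other client and returns
// the number of recipients. A recipient whose queue is full is skipped
// rather than stalling the whole relay.
func (h *Hub) Broadcast(sender, msg string) int {
	h.mu.Lock()
	defer h.mu.Unlock()
	n := 0
	for id, ch := range h.clients {
		if id == sender {
			continue // the sender already has its own message
		}
		select {
		case ch <- fmt.Sprintf("%s: %s", sender, msg):
			n++
		default:
		}
	}
	return n
}

// serve wires one TCP connection to the hub: lines read from the socket
// are broadcast, lines queued for this client are written back to it.
func serve(h *Hub, conn net.Conn) {
	defer conn.Close()
	id := conn.RemoteAddr().String() // assumption: peer address as id
	inbox := h.Join(id)
	defer h.Leave(id)
	go func() {
		for m := range inbox {
			fmt.Fprintln(conn, m)
		}
	}()
	sc := bufio.NewScanner(conn)
	for sc.Scan() {
		h.Broadcast(id, sc.Text())
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:9009") // assumption: listen address
	if err != nil {
		panic(err)
	}
	h := NewHub()
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		go serve(h, conn)
	}
}
```

Any line-oriented client (nc 127.0.0.1 9009) works against this server. Note that the hub forwards whatever bytes it receives without interpreting them, which is what later lets the clients encrypt end to end while the server stays oblivious to the content.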
Encryption
Options:
• SSH Tunnel
• SSL/TLS Wrapper
• Standard encryption (AES)
DEMO: Encryption
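The option the speakers picked (note 9) is "just encrypt the raw messages with AES", which they themselves call possibly not the best encryption. The added Go example below, written for this page and not taken from the authors' tool, shows the practitioner's version of that choice: AES-256-GCM, so that a ciphertext that has been modified in transit, or opened with the wrong key, is rejected instead of decrypting to garbage. Plain AES in ECB or CBC mode without a MAC would give confidentiality only. The passphrase, the SHA-256 key derivation and the nonce||ciphertext envelope layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example (not the talk's tool): the "encrypt the raw messages
// with AES" option, done with AES-256-GCM so tampering is detected.

// keyFromPassphrase derives a 32-byte key. Assumption: the team shares a
// passphrase out of band. A password KDF such as scrypt would be the
// better choice for real use; a bare hash is used here to stay stdlib-only.
func keyFromPassphrase(pass string) []byte {
	sum := sha256.Sum256([]byte(pass))
	return sum[:]
}

// Seal returns nonce || ciphertext || tag. A fresh random nonce per
// message is what makes it safe to reuse the key across many messages.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag and decrypts; any bit flip in nonce, ciphertext
// or tag, or a wrong key, yields an error rather than corrupted plaintext.
func Open(key, envelope []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := keyFromPassphrase("constructed example passphrase")
	env, err := Seal(key, []byte("meet in room 3"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, env)
	fmt.Printf("%q %v\n", pt, err)
	env[len(env)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, env)
	fmt.Println("tampered:", err)
}
```

Used with the relay above, each client would Seal before writing a line and Open after reading one; the server forwards opaque bytes and never holds the key, which also means a compromised or eavesdropping relay learns nothing about the messages.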
Remote Commands
TOM: Hey, run this command and give me the output.
BOB: I am not at my computer, I will do it later.
TOM: Never mind, I can run it without you!
DEMO: Remote Commands
File Transfer
Select file from local system
Send file securely to remote system(s)
DEMO: File Transfer
Easy Deploy
It needed to be easy to install or deploy.
DEMO: Easy Deploy
Paradigm Shift
File Pull
DEMO: File Pull
Remote Shell
Fully interactive
DEMO: Remote Shell
Future Stuff
• Alternate communication channels/tunnels?
• SOCKS proxy
THANK YOU
Questions? Comments? Thoughts?
Contact Info:
• adam_compton@rapid7.com
• @tatanus
• bill_harshbarger@rapid7.com
• @

DerbyCon - Legion

Editor's Notes

  1. Welcome everyone. Hope everyone is having a great day at DerbyCon. As the schedule and the title slide here state, this talk is titled: How we accidentally created our own RAT/C2/…ummm... Distributed Computer Network. The idea for this talk came as a side effect of us actually trying to write our own tool. No, we will not be presenting that tool here today, but it is out on GitHub if anyone wants to go look at it. Today we will be discussing, and demoing, the steps or path we took to create it. Let's get started, shall we.
  2. Me? I have been around for a while… about 18 years or so in the InfoSec field. Over that time, I have been a programmer, researcher, and pentester (currently for Rapid7). But most of all, I am a father, husband, son, and brother.
  3. Sorry about that. But man, those are some pretty dogs. And yes we are not above a few cheap laughs.
  4. Before we get into the actual story, let's get some of the boring stuff out of the way. <READ/Summarize agenda>
  5. How about some common terminology so we are all on the same page: RAT stands for Remote Administration Tool. One common historic example is Back Orifice. C2 stands for Command and Control. While similar to a RAT, it typically has more than one zombie/slave system. A botnet, which is short for Robot Network, is very similar to a C2; however, the term botnet is typically viewed in a very negative light. A distributed computing environment is a network or collection of systems in which the components interact with each other in order to achieve a common goal. Wait a second, that sounds a lot like a C2 or a botnet. That is because they are effectively the same concept. The terms can generally be used interchangeably, but just be aware that there is some stigma associated with the term botnet.
  6. Well, now that we have already stated that a RAT/C2/etc. are basically the same thing, what are some common characteristics or functions that they all tend to have? The ability to communicate securely (i.e. via encryption); the ability to push/pull files; the ability to execute remote commands. Sure, there are tons of other awesome abilities some of these have, but at their core they all tend to have these three abilities.
  7. Okay, so the school lesson is over now. Time to start in on why you are actually here. And a picture of puppies.
  8. Well, it started one day when several of us were on an internal engagement and did not have Internet access. Thus we were not able to use our standard chat program, and we were too distributed around the customer's office space to easily communicate privately. What we needed was a way to share ideas and chat that did not require Internet access. For this engagement, we used our cell phones for communication/texting, but once we got back to the office, we started thinking about whether there was an easier way to do it. Of course there was: we could write our own chat program and host it ourselves. Turns out it was not too difficult.
  9. Being good little security professionals, we decided it would be nice if our chats were at least encrypted. There were many options available to us: we could replace what we had with an SSH-based communication protocol; we could use an SSL/TLS wrapper; or we could do what we decided on, which is just encrypting all of the raw messages with AES. While possibly not the best encryption, it is sufficient for our needs.
  10. What if one or more of the team members is not at their computer and you really need them to run a command for you?
  11. Okay, so we can send encrypted messages to each other. That does not mean that we can
  12. So far, we have been working under the concept that we wanted everyone to be able to chat with everyone else. It was at this point that we started realizing what we were sort of inadvertently creating. So we decided to remove the chat-like capability and make it a single controller/server and several remote slaves/clients. This involved multiple items: removing the chat feature; adding the ability to uniquely identify each client node; adding the ability to send a command to just one node at a time.
  13. How about instead of just sending single commands at a time, we open an interactive shell?
  14. Well, what can we do to make this a bit more full featured?
  15. In closing, I would just like to repeat that mistakes do happen and that is OK. It is a matter of how you deal with them and what you can learn from them that will determine how they affect you in the long run. And if you are so inclined, please share your hard-earned lessons with others so that you can possibly help others to not make the same mistakes. And thank you. Now, any questions?