Abusing Google Apps and Data API: Google is My Command and Control Center
Report
Share
•2 likes•8,690 views
Abusing Google Apps and Data API: Google is My Command and Control Center
•2 likes•8,690 views
Report
Share
Download to read offline
This presentation is about abusing Google Apps to implement various attacks that ranges from Hostless Phishing to setting up a Botnet’s Command & Control Center.
Recommended
More Related Content
What's hot
What's hot(20)
![[OPD 2019] Inter-application vulnerabilities](https://cdn.slidesharecdn.com/ss_thumbnails/interapplicationvulnerabilities-mszydlowski-191021171552-thumbnail.jpg?width=768&fit=bounds)
Viewers also liked
Viewers also liked(14)
Similar to Abusing Google Apps and Data API: Google is My Command and Control Center
Similar to Abusing Google Apps and Data API: Google is My Command and Control Center(20)
More from Ajin Abraham
More from Ajin Abraham(7)
Recently uploaded
Recently uploaded(20)
Abusing Google Apps and Data API: Google is My Command and Control Center
- 1. Abusing Google Apps & Data API Google is my C2.
- 2. #whoami www.opensecurity.in Information Security Enthusiast Founder of OWASP Xenotix XSS Exploit Framework Strong supporter of Free and Open Information Security Education. Runs a DEFCON chapter at Kerala. Another Leaner.
- 4. disclaimer All third party images are the property of their respective owners. Just pointing out how some innocent services can be abused. I am not responsible for anything.
- 5. Agenda Intro Abusing AppScript for e-mail bombing Data URI + Google Forms + TinyURL = Phishing Variant Google Spreadsheet + DATA API = A Botnet Communication Channel xBOT : A prototype Bot Conclude
- 7. Email Bombing: the old ways Methods of e-bombing Open Relay servers PHP/ASP/JSP Mail Functions Misconfigured Mail Sending features in Web Apps Now blocked by services like Gmail, Live, Yahoo etc. E-bombs will end up in SPAM folder.
- 8. Google AppScript Google Apps Script is a JavaScript cloud scripting language.
- 9. AppScript : Class MailApp
- 10. Little Mutation
- 12. Data URI Data URI Phishing was described by “Henning Klevjer” in his Paper Data URI allows you to include data in-line in web pages via URL data:text/html,<body>hi</body> data:text/html;base64,PGJvZHk+aGk8L2JvZHk+
- 13. DATA URI + Google Forms + Tiny URL = Beauty Combining all these stuff gives a beautiful Phishing Attack. A Perfect addition to Social Engineering.
- 14. Basic Idea http://tinyurl.com/fb data:text/html,<body>hi</body> Google Spreadsheet credentials Injected with our JavaScript FB Server
- 15. JavaScript to do the work
- 17. Channelizing Google SpreadSheet Google SpreadSheet can store data online. You can export the contents of the spreadsheet as json, rss and tsv Read and Write remotely SSL Hmmm! What else you want?
- 18. Selecting the right URL format Execution Time Data Length 9 600000 8 500000 7 6 400000 5 300000 4 3 200000 2 100000 1 0 0 JSON RSS Data Length TSV Source JSON RSS TSV Execution Time Source
- 20. What is xBOT? xBOT is a PoC bot. Uses Google Spreadsheet and Forms to implement it’s Communication Channel. Uses Google DATA API to extract the commands. Use a third party server for file hosting.
- 21. xBOT Architecture Command and Control Send Commands Google Form Google Spreadsheet File URL Send Response File Upload File Hosting xbot.py xBOT Victim Get Commands Every 4 Sec
- 23. Conclusion Nasty things can be built over Innocent stuffs. These are some possible ways an attacker could use. Interesting Fact: There is no captcha for Google Forms. That’s all