Abusing Google Apps and Data API: Google is My Command and Control Center
This presentation is about abusing Google Apps to implement various attacks that ranges from Hostless Phishing to setting up a Botnet’s Command & Control Center.

  1. Abusing Google Apps & Data API. Google is my C2.
  2. #whoami: www.opensecurity.in. Information Security Enthusiast. Founder of OWASP Xenotix XSS Exploit Framework. Strong supporter of Free and Open Information Security Education. Runs a DEFCON chapter at Kerala. Another Learner.
  3. Disclaimer: All third party images are the property of their respective owners. Just pointing out how some innocent services can be abused. I am not responsible for anything.
  4. Agenda: Intro; Abusing AppScript for e-mail bombing; Data URI + Google Forms + TinyURL = Phishing Variant; Google Spreadsheet + DATA API = A Botnet Communication Channel; xBOT: A prototype Bot; Conclude.
  5. Google Data API
  6. Email Bombing: the old ways. Methods of e-bombing: Open Relay servers; PHP/ASP/JSP Mail Functions; Misconfigured Mail Sending features in Web Apps. Now blocked by services like Gmail, Live, Yahoo etc. E-bombs will end up in the SPAM folder.
  7. Google AppScript: Google Apps Script is a JavaScript cloud scripting language.
  8. AppScript: Class MailApp
  9. Little Mutation
  10. DEMO: http://www.youtube.com/watch?v=mTHIcdkdKXY
  11. Data URI: Data URI Phishing was described by Henning Klevjer in his paper. Data URI allows you to include data in-line in web pages via URL, e.g. data:text/html,<body>hi</body> or data:text/html;base64,PGJvZHk+aGk8L2JvZHk+
  12. DATA URI + Google Forms + Tiny URL = Beauty. Combining all these gives a beautiful Phishing Attack. A perfect addition to Social Engineering.
  13. Basic Idea (diagram labels: http://tinyurl.com/fb; data:text/html,<body>hi</body>; Injected with our JavaScript; credentials; Google Spreadsheet; FB Server).
  14. JavaScript to do the work
  15. DEMO: http://www.youtube.com/watch?v=htoiNO50fBc
  16. Channelizing Google SpreadSheet: Google SpreadSheet can store data online. You can export the contents of the spreadsheet as JSON, RSS and TSV. Read and write remotely, over SSL. Hmmm! What else do you want?
  17. Selecting the right URL format (chart: Execution Time and Data Length for the JSON, RSS and TSV export formats, by source).
  18. What is xBOT? xBOT is a PoC bot. Uses Google Spreadsheet and Forms to implement its Communication Channel. Uses Google DATA API to extract the commands. Uses a third party server for file hosting.
  19. xBOT Architecture (diagram labels: Command and Control; Send Commands; Google Form; Google Spreadsheet; File URL; Send Response; File Upload; File Hosting; xbot.py; xBOT Victim; Get Commands Every 4 Sec).
  20. DEMO: http://www.youtube.com/watch?v=TBP7ynUalOY
  21. Conclusion: Nasty things can be built over innocent stuff. These are some possible ways an attacker could use. Interesting Fact: There is no captcha for Google Forms. That's all.
  22. Thank You. @ajinabraham, ajin.abraham@owasp.org
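Slide 11's two data: URIs are exactly the kind of link target a defender has to triage when a shortened URL resolves to one: the "page" lives inside the link itself, so there is no hosting server to take down or block. The following Python is an added example for this page, not code from the deck or its author. It parses a data: URI per RFC 2397, decodes a base64 or percent-encoded payload, and flags media types that a browser renders as a page, plus any embedded script. The media-type list, the flagging rules and the sample links (the deck's two URIs, a benign PNG signature and a constructed form pointing at the reserved example.invalid domain) are this example's own assumptions.

```python
"""Triage data: URIs found as link targets (e.g. behind a URL shortener).

Added example for this page; not code from the deck. The media-type list,
the sample links and the flagging rules are this example's own assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Media types a browser renders as a page when the data: URI is opened
# directly, so a login form inside them needs no hosting server at all.
ACTIVE_MEDIA_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# RFC 2397 shape: data:[<mediatype>][;base64],<data>
_DATA_URI_RE = re.compile(r"^data:(?P<meta>[^,]*),(?P<payload>.*)$", re.DOTALL)
# Script element, javascript: URL, or inline event handler attribute.
_SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


@dataclass
class DataUri:
    media_type: str
    is_base64: bool
    body: bytes           # decoded payload
    active_content: bool  # renders as a page rather than as a plain file
    has_script: bool      # script tag, javascript: URL or inline handler


def parse_data_uri(uri: str) -> DataUri:
    """Parse and decode a data: URI; raises ValueError if it is not one."""
    m = _DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    media_type, is_b64 = "text/plain", False  # RFC 2397 default media type
    for param in m.group("meta").split(";"):
        param = param.strip()
        if not param:
            continue
        if param.lower() == "base64":
            is_b64 = True
        elif "=" not in param:  # the bare token (no key=value) is the media type
            media_type = param.lower()
    payload = m.group("payload")
    if is_b64:
        try:
            body = base64.b64decode(payload)
        except binascii.Error as exc:
            raise ValueError(f"undecodable base64 payload: {exc}") from exc
    else:
        body = unquote_to_bytes(payload)  # percent-decoding per RFC 2397
    text = body.decode("utf-8", errors="replace")
    return DataUri(
        media_type=media_type,
        is_base64=is_b64,
        body=body,
        active_content=media_type in ACTIVE_MEDIA_TYPES,
        has_script=_SCRIPT_RE.search(text) is not None,
    )


def flag_links(links):
    """Return (link, reason) for every data: URI that renders active content."""
    findings = []
    for link in links:
        if not link.lower().startswith("data:"):
            continue  # ordinary http(s) links are out of scope for this check
        try:
            d = parse_data_uri(link)
        except ValueError as exc:
            findings.append((link, f"malformed data URI: {exc}"))
            continue
        if d.active_content:
            reason = f"inline {d.media_type} page"
            if d.has_script:
                reason += " with script"
            findings.append((link, reason))
    return findings


# Constructed sample: the deck's two URIs, a benign PNG file signature and a
# constructed inline form whose action points at a reserved .invalid domain.
SAMPLE_LINKS = [
    "data:text/html,<body>hi</body>",
    "data:text/html;base64,PGJvZHk+aGk8L2JvZHk+",
    "data:image/png;base64,iVBORw0KGgo=",
    "data:text/html,<form action=https://login.example.invalid><script></script></form>",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for link, reason in flag_links(SAMPLE_LINKS):
        print(f"{reason:36} {link[:60]}")
```

Both of the deck's URIs decode to the same `<body>hi</body>` and are flagged as inline HTML pages; the PNG is decoded but not flagged, which is the distinction a shortener or mail gateway should draw rather than blocking every data: URI outright.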
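Slide 19 has the bot fetching its commands from the spreadsheet every 4 seconds, and slide 16 notes the export runs over SSL, so payload inspection will not help; what is left for a defender is the timing. A fixed polling interval to one Sheets or Forms URL from one host is a regular beacon in egress logs, something a person editing a spreadsheet does not produce. The following Python is an added detection example for this page, not code from the deck or its author. The log line format, the client addresses, the placeholder document ids (SHEET_ID_PLACEHOLDER and friends), the docs.google.com path shapes it matches and the thresholds are constructed or assumed for the example.

```python
"""Flag fixed-interval polling of Google Sheets / Forms URLs in egress logs.

Added detection example for this page; not code from the deck. The log
format, client addresses, placeholder document ids and thresholds are
constructed for the example.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO-8601 timestamp> <client> <method> <url>".
# 10.0.0.5 fetches the same sheet export every 4 seconds (the deck's poll
# interval) and posts one form response; 10.0.0.9 is a person editing a
# sheet at irregular times. Document ids are placeholders, not real ones.
SAMPLE_LOG = """\
2013-11-09T10:00:00 10.0.0.5 GET https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/export?format=tsv
2013-11-09T10:00:04 10.0.0.5 GET https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/export?format=tsv
2013-11-09T10:00:08 10.0.0.5 GET https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/export?format=tsv
2013-11-09T10:00:12 10.0.0.5 GET https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/export?format=tsv
2013-11-09T10:00:16 10.0.0.5 GET https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/export?format=tsv
2013-11-09T10:00:20 10.0.0.5 GET https://docs.google.com/spreadsheets/d/SHEET_ID_PLACEHOLDER/export?format=tsv
2013-11-09T10:00:21 10.0.0.5 POST https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/formResponse
2013-11-09T10:00:03 10.0.0.9 GET https://docs.google.com/spreadsheets/d/OTHER_SHEET_PLACEHOLDER/edit
2013-11-09T10:01:40 10.0.0.9 GET https://docs.google.com/spreadsheets/d/OTHER_SHEET_PLACEHOLDER/edit
2013-11-09T10:07:15 10.0.0.9 GET https://docs.google.com/spreadsheets/d/OTHER_SHEET_PLACEHOLDER/edit
2013-11-09T10:07:16 10.0.0.9 GET https://www.example.com/
"""


@dataclass
class Beacon:
    client: str
    host: str
    path: str
    count: int
    interval_s: float  # mean seconds between consecutive requests
    jitter: float      # population stdev / mean of the intervals (0 = perfectly regular)


def is_sheet_or_form(url: str) -> bool:
    """True for docs.google.com Sheets/Forms paths (assumed host/path shape)."""
    u = urlsplit(url)
    return u.netloc == "docs.google.com" and (
        u.path.startswith("/spreadsheets/") or u.path.startswith("/forms/")
    )


def find_beacons(log_text: str, min_requests: int = 5, max_jitter: float = 0.2):
    """Group requests by (client, host, path) and flag series with regular timing."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        if not is_sheet_or_form(url):
            continue
        u = urlsplit(url)
        series[(client, u.netloc, u.path)].append(datetime.fromisoformat(ts))

    findings = []
    for (client, host, path), times in series.items():
        if len(times) < min_requests:
            continue  # too few samples to call the timing regular
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = statistics.pstdev(deltas) / mean
        if jitter <= max_jitter:
            findings.append(Beacon(client, host, path, len(times), mean, jitter))
    return findings


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.client} -> {b.host}{b.path}: {b.count} requests, "
              f"every {b.interval_s:.1f}s (jitter {b.jitter:.2f})")
```

On the constructed log only 10.0.0.5's six export fetches at a steady 4.0 s are reported; the human editor's three requests are both too few and too irregular (relative jitter above 0.5), and lowering `min_requests` to 3 still leaves them unflagged. A real deployment would key on the same fields from proxy or DNS telemetry and tune `min_requests` and `max_jitter` against a baseline of legitimate Sheets traffic.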
  • tahersb

    Nov. 9, 2013
