Abusing Google Apps and Data API: Google is My Command and Control Center

This presentation is about abusing Google Apps to implement various attacks that range from hostless phishing to setting up a botnet's command and control center.


  1. Abusing Google Apps & Data API: Google is my C2.
  2. #whoami: www.opensecurity.in. Information Security Enthusiast. Founder of OWASP Xenotix XSS Exploit Framework. Strong supporter of Free and Open Information Security Education. Runs a DEFCON chapter at Kerala. Another Learner.
  3. Disclaimer: All third party images are the property of their respective owners. Just pointing out how some innocent services can be abused. I am not responsible for anything.
  4. Agenda: Intro; Abusing AppScript for e-mail bombing; Data URI + Google Forms + TinyURL = Phishing Variant; Google Spreadsheet + DATA API = A Botnet Communication Channel; xBOT: A prototype Bot; Conclude.
  5. Google Data API
  6. Email Bombing: the old ways. Methods of e-bombing: Open Relay servers; PHP/ASP/JSP Mail Functions; Misconfigured Mail Sending features in Web Apps. Now blocked by services like Gmail, Live, Yahoo etc. E-bombs will end up in the SPAM folder.
  7. Google AppScript: Google Apps Script is a JavaScript cloud scripting language.
  8. AppScript: Class MailApp
  9. Little Mutation
  10. DEMO http://www.youtube.com/watch?v=mTHIcdkdKXY
  11. Data URI: Data URI Phishing was described by Henning Klevjer in his paper. A Data URI allows you to include data in-line in web pages via a URL: data:text/html,<body>hi</body> or data:text/html;base64,PGJvZHk+aGk8L2JvZHk+
  12. DATA URI + Google Forms + Tiny URL = Beauty. Combining all of these gives a beautiful Phishing Attack. A perfect addition to Social Engineering.
  13. Basic Idea (diagram): http://tinyurl.com/fb -> data:text/html,<body>hi</body> injected with our JavaScript -> credentials to Google Spreadsheet -> FB Server.
  14. JavaScript to do the work
  15. DEMO http://www.youtube.com/watch?v=htoiNO50fBc
  16. Channelizing Google SpreadSheet: Google SpreadSheet can store data online. You can export the contents of the spreadsheet as json, rss and tsv. Read and write remotely. SSL. Hmmm! What else do you want?
  17. Selecting the right URL format (chart: Execution Time and Data Length for the JSON, RSS and TSV sources).
  18. What is xBOT? xBOT is a PoC bot. Uses Google Spreadsheet and Forms to implement its Communication Channel. Uses Google DATA API to extract the commands. Uses a third party server for file hosting.
  19. xBOT Architecture (diagram): Command and Control -> Send Commands -> Google Form -> Google Spreadsheet; xbot.py (xBOT on the Victim) -> Get Commands every 4 sec, Send Response; File Upload -> File Hosting -> File URL.
  20. DEMO http://www.youtube.com/watch?v=TBP7ynUalOY
  21. Conclusion: Nasty things can be built over innocent stuff. These are some possible ways an attacker could use. Interesting fact: there is no captcha for Google Forms. That's all.
  22. Thank You @ajinabraham ajin.abraham@owasp.org
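The channel described in slides 16 to 19 (a bot reading spreadsheet exports on a fixed 4-second loop) leaves a regular beacon in web proxy logs. The following detection script is an added example written for this page, not code from the talk or from xBOT; the proxy log format, the client addresses and the Google Data API path shapes it matches are constructed assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed proxy log (assumed format: "epoch client host path"); not from the talk.
SAMPLE_LOG = """\
1700000000 10.0.0.5 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000004 10.0.0.5 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000008 10.0.0.5 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000012 10.0.0.5 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000016 10.0.0.5 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000003 10.0.0.7 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000190 10.0.0.7 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000250 10.0.0.7 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
1700000600 10.0.0.7 spreadsheets.google.com /feeds/list/EXAMPLE_KEY/od6/public/values?alt=json
"""
# Hosts and path hints for a spreadsheet export (json/rss/tsv) or a form submission.
# The Data API path shapes are assumptions; match whatever your proxy records.
C2_HOST = re.compile(r"^(spreadsheets|docs)\.google\.com$")
C2_PATH = re.compile(r"alt=(json|rss)|output=tsv|/export|/formResponse")

def parse(log):
    """Yield (epoch, client, host, path) from the constructed log format."""
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield int(parts[0]), parts[1], parts[2], parts[3]

def find_beacons(log, min_hits=4, max_period=60.0, max_cv=0.2):
    """Return {(client, host, path): mean interval} for clients that poll a
    spreadsheet/form endpoint at a short, near-constant interval (xBOT: every 4s)."""
    times = {}
    for epoch, client, host, path in parse(log):
        if C2_HOST.match(host) and C2_PATH.search(path):
            times.setdefault((client, host, path), []).append(epoch)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        # Low coefficient of variation = machine-regular polling, not a human reading a sheet.
        if 0 < period <= max_period and pstdev(gaps) / period <= max_cv:
            beacons[key] = period
    return beacons

if __name__ == "__main__":
    for (client, host, path), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host}{path} every {period:.1f}s")
```

In the sample only 10.0.0.5 is flagged; 10.0.0.7 hits the same sheet but with human-like irregular gaps, so it passes. Real proxies see plenty of legitimate spreadsheet traffic, so tune min_hits and max_cv against a baseline before alerting on this.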
