Handle Exploitation of Remote Systems Without Being Online !! By Merchant Bhaumik
Who Am I ?
• Currently helping local law enforcement and helping in securing some government websites
• Developer of IND 360 Intrusion Detection System (host-based as well as network-based detection)
• Communicating with the Metasploit guys to develop a term called “Universal Payload”
We will understand this mechanism by considering one scenario……..
Jack’s situation………. Jack works in a company in which all computers are behind the NAT box……. And he has just decided to break into one of the systems in his office and get a shell from the office to his home computer.
Problems for Jack….
• The company has a NIDS/IPS (network IDS) ….. so no inbound connections………….
• He doesn’t know what IP address is allocated by his ISP.
• He can’t use any mechanism which constantly sends some outbound traffic.
Good thing for Jack….
• Jack’s office allows him to access his Gmail account and allows some outbound traffic..
# INCLUDE
Normal remote Trojans & viruses !
Attacker (must be online !) ↔ Victim (must be online !)
My tool !!
Caution: no need to be online !! Attacker MAY OR MAY NOT be online !! Victim MAY OR MAY NOT be online !!
So, how does it work ??
[Diagram: Attacker → Zombie → Victim]
But, who is the Zombie ?? It may be one of the below:
[Slide images: the webmail services that can play the zombie role]
Features !!
• Execute operating-system-level commands by using emails !
• Get all network card information with allocated IP addresses !
• Live tracking of the system being used by the victim !
• Get the list of all available accounts !
• Enable/disable keylogger !
All this stuff with Gmail, Yahoo, Hotmail………!!
About it ! It is a simple application which, once up & running on the victim’s computer, the attacker can handle using the Gmail, Yahoo or Hotmail email services… There is no need for the attacker to be online to attack the victim’s system….. The attacker has to send attack instructions to any of the mail services & then it is like sitting at the door & watching the event, “when it’s gonna open !!” As the victim connects to the internet…. the attack launches & the results are automatically sent back to the attacker’s email address…..
Cool benefits !!
• If the email account is accessed via one of the setups shown below (slide image) then it is totally anti-forensic ! No reverse detection is possible !
• Create a unique password for each individual infected victim …
• Ability to handle multiple clients simultaneously …..
• Delete files on the victim’s computer by simply sending an email..
• No antivirus can detect the attack because of HTTPS ……
Tool syntax ….. Password_For_Victim : Task_Commands :
E.g. Pwd$98$ : Account_info :
“Pwd$98$” is the password for the particular victim…
“Account_info” is the command which sends back an email containing the account info of the victim’s computer !
Snap shot 1… (Load attack instructions)
• Password for the individual victim
• Send account info of the victim.. Send drive info of the victim… Send MAC and network card info...
Snap shot 2… (Get back the attack result)
• Attached info of the victim’s computer…! as per the attacker’s choice
• My email account ……!
Why Gmail ??
No fear of detection 1: no direct connection between attacker & victim
[Diagram: Attacker and Victim, connected only through the mail service]
No fear of detection 2: no virus detection due to HTTPS….. No digital signatures !! Ability to destruct itself…….!
How to spread this code ??
• Autorun.inf by USB drives……….
• Physical access to the victim’s system…..
• During Metasploit exploitation ……
Further possible development !! This code is flexible enough to be developed further by my hacker friends…. It is also possible in future to send exploits or Trojans by using this code……. Anyone can send exploits, Trojans, rootkits, backdoors by simply attaching them to an email and sending it to his own account or the account that is configured in the victim’s code………
Pros N Cons 1 ! (Be transparent !!) The advantage is that the attacker is never going to get caught if he/she uses a browser like TOR, Anonymizer, VPNs or any proxy for accessing the attacking Gmail account. No antivirus can detect the instruction data because all traffic is going to come over HTTPS…..! Only a single Gmail account is going to be used for both sides. The attacker’s and the victim’s machines both connect to the same account, but the attacker knows, and the victim doesn’t !!
Pros N Cons 2 The disadvantage is that, if the victim has the habit of checking the current connections using commands like ‘netstat -n’, then there is the possibility of detecting the Gmail connection when actually there is no browser activity. But still it is difficult to detect………. because the process is running in hidden mode….
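The netstat check just described, turned into a small host-side script. This is an added example, not code from the deck or from the tool it presents: it parses constructed `netstat -ano`-style output together with a constructed PID-to-image map (as `tasklist` would give) and flags established sessions to a mail-service address on a mail port that are owned by a process other than an allow-listed browser or mail client, which is exactly the "no browser activity" case. The mail-service addresses, ports and image names are assumptions for the sample.

```python
"""Flag mail-service sessions owned by processes that are not browsers or mail clients."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real capture): netstat -ano style output.
# PID 4120 is a browser; PID 7788 is an unexplained process with a session to the same mail host.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    192.168.1.20:51012     203.0.113.5:443        ESTABLISHED     4120
TCP    192.168.1.20:51020     203.0.113.5:443        ESTABLISHED     7788
TCP    192.168.1.20:51031     198.51.100.9:80        ESTABLISHED     4120
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""
# Constructed PID -> image map, as tasklist would provide.
SAMPLE_PIDS: Dict[int, str] = {4: "System", 4120: "chrome.exe", 7788: "update_svc.exe"}

MAIL_PORTS = {443, 465, 587, 993, 995}
# Constructed: addresses the resolver returned for webmail hosts at collection time.
MAIL_ADDRS = {"203.0.113.5": "webmail host (constructed)"}
ALLOWED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe", "thunderbird.exe"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$", re.M)


def parse_established(netstat_text: str) -> List[Tuple[str, str, int, int]]:
    """Return (local, remote_ip, remote_port, pid) for every ESTABLISHED TCP row."""
    rows = []
    for m in LINE_RE.finditer(netstat_text):
        local, remote, pid = m.groups()
        ip, _, port = remote.rpartition(":")  # rpartition also copes with [v6]:port
        rows.append((local, ip, int(port), int(pid)))
    return rows


def find_hidden_mail_sessions(netstat_text: str, pid_to_image: Dict[int, str]) -> List[dict]:
    """Sessions to a known mail address on a mail port from a non-allow-listed image."""
    hits = []
    for _local, ip, port, pid in parse_established(netstat_text):
        if port not in MAIL_PORTS or ip not in MAIL_ADDRS:
            continue
        image = pid_to_image.get(pid, "<unknown>").lower()
        if image not in ALLOWED_IMAGES:
            hits.append({"pid": pid, "image": image, "remote": f"{ip}:{port}",
                         "service": MAIL_ADDRS[ip]})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_mail_sessions(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"suspicious mail session: pid={hit['pid']} image={hit['image']} -> {hit['remote']}")
```

On a real host the address set would be built by resolving the webmail hostnames at collection time, and a hit is a lead for process inspection rather than proof of infection.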
Hands on time..! (Demo)
For More……
[email protected]
Thanks Guys For Checking It Out …….!