11.21.2017

Easy Start

Let's start this off easy by saying: hi, my name is irrelevant and everything should stay dissociative; however, if you spend 30 seconds on Google, especially since I'm using a Google service, you can find me, and I encourage it. I have no ill will towards those who want to spend the effort to learn something, even the trivial things. That is what we do, as a species and as the infosec/hacking community. We live to peer into things you would rather hide; we see things others would rather lie about. No reason to sugar-coat it: laws are irrelevant and only the truth exists. It's the "white hat" community that gave us the titles of blackhats and whitehats and this (ugh) claim of grey hats. By blackballing people who were willing to commit crimes you segregated the world into black and white instead of accepting that they do the same things you do but use it for other purposes. With that said, if anyone is still paying attention, today I've been playing with a few RATs and wanted to discuss some usage and features.

Before we get into the usage I would like to discuss a trait I find common and have long since seen in the "neophytes" learning section. For real, I can't believe so many infosec people don't understand this shit, but I'll get into that momentarily. When you, as a person/criminal/actor/perpetrator, decide you want access to something, you usually have a motivation. When psychologists tell you that you have to have desire, they expect this to be true in all things and that all people have a motivating force for every interaction they do. If your motivation is greed, or gluttony, or lust, your purpose is easy to define. Hence everyone in the general ecrime world is considered to have greed as their purpose. It's never "they're literally just trying to survive", it's "they want moar because moar." The issue here is that many times, as a person of the hacking mentality, you will be asked to help someone right away with technologies you may not actually know very well. You may be asked to do things that you don't see a reason to do. You may also see reasons why information needs to be available. These are realistic motivations in the eyes of the actors that the infosec community misses. They don't believe digital anarchy artists exist; to them they're extremists whose views go against their governing bodies. Art over war. When you are asked to do things, you need information fast: don't be a buffoon and go asking for data on "how does I hax" in an open forum where police might stay. This isn't for the protection of those around you, it's for your own protection. If they help you, they could be liable in some countries. But you could be targeted by the feds yourself. It's not going to do you any good to get arrested before you accomplish your goal. It's just not. If you do work with a tight-knit group, or a loosely relevant but tightly controlled group, you can reasonably ask questions like this freely. 
If you want to learn for educational purposes, or want to learn to do things you couldn't before from a non-criminal stance, you can ask for these things under those guises, but sadly people are too worried about getting arrested themselves to help. There are plenty of bulletin boards available to ask questions on, but the same situation happens in most of them. If you're willing to shell out some money up front you can get prepared a little quicker. You can also do things like buying and reading the fucking manual. That IS a thing you can do (plox share, we can't get all the manuals online unless everyone shares. Some people can't shell out the money or are too young to work for the money for this. K thnx). When you get involved in this world, you need to remember two things: judging your chances should be an instant response more than 4 moves ahead of the present activities, and anonymity is not security. Some other basic lessons that are literally in every neophyte guide:
  • Yes, sometimes it means busting your ass at a dead-end job to have the money to get the information and learn the system in order to break it. 
  • Yes, sometimes you will get arrested and you need to be able to cover your assets. 
  • Yes, backups of backup plans are a must, and a wee bit of complete paranoia is essential. Those kids beating you up as a child came in handy now, didn't it? You learn to respond in a functionally more adaptable way. This has helped you seek information, helped you seek truth. But truth is a crime. Might as well learn that now. 
One setup I've been playing with lately for my virtual machines (VMs) is to spend the cash to spin up a few services/servers/port-controllable PHP space and burn through rotations of DNS resolutions. For the DNS part, I made a quick script to set up multiple sets of no-ip domains. After I got many of those running, I went back and made a flat file listing the usernames/passwords/domain names. Then, to resolve those domains, I have a script that rotates (python random.randrange) repeatedly between each of the domains and then each of the IPs: it points a randomly chosen domain at a different IP every (again python randrange) 3-300 seconds. From that, I have functionally 30 or so no-ip domains to play with (the script can also change other domains, but I'm notably leaving this as no-ip for the purpose of this discussion). The IP list can have servers I control, servers other attackers control, servers that are fair game, or federal government servers. It's just a DNS resolution. Why would anyone but me be playing with it anyway? Can we track people who track no-ip domains? Can we track when it's sent across Facebook to an "encrypted" chat and defanged/redacted (changing : to [:] for example) and then suddenly it's hit by more than just Facebook, when you control both accounts? Is our communication at risk? Let's not actually get into that right now. It would be a dangerous slope to go down; I don't want to start a fight here. Anyway: multiple domains, each changing IPs at semi-random intervals, and only maybe 5 of those resolve to anything I control the ports on. Which is where the malware would need to point back to, right? So let's point it at those and move forward.
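The rotation logic described above, written out as an added example (this is not the post's script, just a reconstruction of what it describes). Assumptions: the flat file holds one `user:password:domain` per line; the sample file, the TEST-NET IPs and the `DdnsHost` name are constructed for the example; the actual DDNS update is a callback, with `noip_update` showing no-ip's documented DynDNS2-style `/nic/update` endpoint (verify against their current docs before relying on it). Note that `randrange(3, 301)` is how you get an inclusive 3-300 second window; `randrange(3, 300)` never sleeps the full 300.

```python
"""Added example: plan and run a randomized domain -> IP rotation."""
import base64
import random
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

# Constructed sample of the flat credential file (fake values).
SAMPLE_FLAT_FILE = """\
# user:password:domain
alice:hunter2:alpha.ddns.net
alice:hunter2:beta.ddns.net
bob:correcthorse:gamma.ddns.net
"""


@dataclass(frozen=True)
class DdnsHost:
    user: str
    password: str
    domain: str


def parse_flat_file(text: str) -> List[DdnsHost]:
    """Parse `user:password:domain` lines; blanks and '#' comments are skipped."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, password, domain = line.split(":", 2)
        hosts.append(DdnsHost(user, password, domain))
    return hosts


Step = Tuple[int, DdnsHost, str]  # (seconds from start, host to update, new IP)


def plan_rotation(hosts: Sequence[DdnsHost], ips: Sequence[str], steps: int,
                  seed=None, min_wait: int = 3, max_wait: int = 300) -> List[Step]:
    """Pick a random domain and a random IP per step, spaced min_wait..max_wait
    seconds apart (inclusive). A fixed seed makes the plan reproducible."""
    rng = random.Random(seed)
    plan, t = [], 0
    for _ in range(steps):
        host = hosts[rng.randrange(len(hosts))]
        ip = ips[rng.randrange(len(ips))]
        plan.append((t, host, ip))
        t += rng.randrange(min_wait, max_wait + 1)
    return plan


def run_rotation(plan: List[Step], update: Callable[[DdnsHost, str], None],
                 sleep: Callable[[float], None] = time.sleep) -> int:
    """Walk the plan, sleep until each step is due, fire the update.
    Returns the number of updates issued."""
    clock = 0
    for due, host, ip in plan:
        if due > clock:
            sleep(due - clock)
            clock = due
        update(host, ip)
    return len(plan)


def noip_update(host: DdnsHost, ip: str) -> None:
    """The provider call you would plug in: no-ip's documented update endpoint,
    HTTP basic auth, and a User-Agent (they require one). Assumed from their
    public integration docs; not exercised here."""
    url = f"https://dynupdate.no-ip.com/nic/update?hostname={host.domain}&myip={ip}"
    token = base64.b64encode(f"{host.user}:{host.password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "User-Agent": "rotation-script/0.1 ops@example.invalid",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        print(host.domain, "->", ip, resp.read().decode().strip())


if __name__ == "__main__":
    hosts = parse_flat_file(SAMPLE_FLAT_FILE)
    ips = ["203.0.113.10", "198.51.100.7", "192.0.2.99"]  # TEST-NET addresses
    for due, host, ip in plan_rotation(hosts, ips, steps=5, seed=1):
        print(f"t+{due:4d}s  {host.domain} -> {ip}")
    # Real run: run_rotation(plan_rotation(hosts, ips, 1000), noip_update)
```

`run_rotation` takes the sleep function as a parameter so the schedule can be tested without waiting, and the plan is separated from the execution so you can eyeball a seeded schedule before anything touches a provider. The caveat from the defender's side: resolvers honour the record TTL, so a 3-second change is only visible to clients whose cache has expired; the randomization buys you churn, not precision.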

Speaking of forwarding: public server :9001 -> ssh from it to another public server via Tor, forwarding 9001 to 9001 on the next system <-> an ssh reverse tunnel from your VM over Tor and a VPN as well (yolo?) <-> port forward to the other VM over a host-only adapter. All of this chain of ssh-ing can be automated as well (honestly: python, clusterssh, bash; if y'all can't figure out ssh key auth, I'm not going to be the one to help you folks today).

This effectively makes the premise: the VM that's used as a C2 sits behind multiple proxies, multiple rotations, multiple systems, and is on a host-only network. Of course, if you have a laptop you can drop in a public place with power and remote network access and VMs spun up, that would be nice, but let's be real, nobody's got time to go do drop-offs at their local hotels or Whataburgers. hehe. Instead, there is the risk that somewhere in that chain your Tor usage would have a fairly unique signature and be trackable. So at least use the neighbor's wifi or something, right? Whatever, anyway I've been playing with this architecture design lately because it lets me do 30-second drops and runs without losing my investment in most services. With the infosec reliance on gathering IOCs the WRONG WAY, you can pretty much bet that after 3 minutes, if you're in and out, you're pretty much golden. So it's worth it to also prepare yourself with a file or two that destroys everything (python can zero-fill files, delete the file, then burn the remaining disk space and delete that, making an effective tool for a burner virtual server). People don't like antiforensics, but it's easy to forge and destroy with just a little scripting. I'll do another blog post about forensic forging at some point, I'm sure, but for now, easy mode is just zero, trash, overwrite allocation. Let's use a cloud hosting company; we'll call it supercloudB. It's a subpar cloud hosting company, which means their time to detection is way too high and their time to analysis is even worse. Then let's remember that if someone tries to shut us down, they need to be able to prove to that company's abuse team why it should be shut down.
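The "zero, trash, overwrite allocation" burner described above, as an added example (not the post's script). It zero-fills a file in place, fsyncs, unlinks it, then churns through free space so the freed blocks of anything already deleted get overwritten too. The caveat a practitioner wants: this only means something where the filesystem writes in place. On SSDs (wear levelling), copy-on-write filesystems (btrfs, ZFS), anything with snapshots, or a provider that images the block device underneath you, the old data can survive an in-place overwrite; full-disk encryption with a thrown-away key, or the provider's own destroy call, is the honest answer there. `max_bytes` is an assumption added so the free-space burn can be capped (and tested) instead of always filling the disk.

```python
"""Added example: zero-fill and unlink files, then burn free space."""
import errno
import os
from typing import Iterable, Optional, Tuple

CHUNK = 1 << 20  # 1 MiB write size


def zero_fill_and_unlink(path: str, passes: int = 1) -> int:
    """Overwrite `path` with zeros `passes` times, fsync each pass, then unlink.
    Returns total bytes written (size * passes)."""
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            left = size
            while left > 0:
                # os.write may write less than asked; loop on the actual count
                left -= os.write(fd, zeros[:min(CHUNK, left)])
            os.fsync(fd)  # make the zeros hit the device, not just the page cache
    finally:
        os.close(fd)
    os.unlink(path)
    return size * passes


def burn_free_space(directory: str, max_bytes: Optional[int] = None) -> int:
    """Fill the filesystem holding `directory` with a junk file until ENOSPC
    (or until max_bytes), fsync, then delete it. Returns bytes written."""
    path = os.path.join(directory, ".burn")
    written = 0
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        while max_bytes is None or written < max_bytes:
            want = CHUNK if max_bytes is None else min(CHUNK, max_bytes - written)
            try:
                n = os.write(fd, bytes(want))
            except OSError as e:
                if e.errno == errno.ENOSPC:
                    break  # disk is full: that was the point
                raise
            if n == 0:
                break
            written += n
        try:
            os.fsync(fd)
        except OSError:
            pass  # some filesystems refuse fsync at ENOSPC; the data is already written
    finally:
        os.close(fd)
        os.unlink(path)
    return written


def burn(paths: Iterable[str], directory: str,
         max_bytes: Optional[int] = None) -> Tuple[int, int]:
    """Wipe the named files, then scrub free space. Returns (bytes_wiped, bytes_burned)."""
    wiped = sum(zero_fill_and_unlink(p) for p in paths if os.path.isfile(p))
    return wiped, burn_free_space(directory, max_bytes)


if __name__ == "__main__":
    import tempfile
    scratch = tempfile.mkdtemp()
    victim = os.path.join(scratch, "creds.db")
    with open(victim, "wb") as f:
        f.write(b"A" * (3 * CHUNK))
    print(burn([victim], scratch, max_bytes=8 * CHUNK))
```

Run it last, from the VM you are about to throw away, and remember that the hypervisor's disk image is not on this filesystem's list: if the provider keeps a snapshot, the burn happened inside a copy.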

Now, we still haven't gotten to the RATs yet; this is on purpose. We need to analyze our field of vision before an attack is used. We still haven't even discussed possible delivery methods. We can spam everyone in the world on a massive spam list, but you'll only catch a few of them and it's easily detectable. Spam scripts need to automate various methods of attempts, like hosting publicly and directing them to it via link, creating a malicious document and then using Google Docs to load it when the email is opened, doing the same with some images and running them through bit.ly (because tracking opens versus infections allows analysis for the next round). You may need a drive-by download and to hit people on forums or social media otherwise; maybe you need it to be a drive-by you expect them to load when their email loads (do they really allow JS in their emails? maybe if it's a web-hosted email?). I won't speak on the best methods for this idea, but with the automation in place, a single python script can scrape together methods for all of these, and templates can be built and set in place. If you haven't figured it out by now, I'm giving you the keys to a platform that can be weaponized if some asshole wants to make it. Without giving you the code, I'm just an influencing factor, maybe? Regardless, this isn't something of malicious code, more of a platform for running testing environments over open internet space.

Now, you have an infrastructure, you have a delivery method, you have some extra tools; let's go ahead and say all of this was placed into a single folder, with scripts capable of referencing each other and made interactive. So you look and see your 30 domains constantly changing, 5 actual servers, 40 email templates with optional slots set for randomized or semi-randomized data to be added, and 2 VMs. You could even preselect places to upload to, such as Slack (public files), Dropbox, Box, etc., etc., or even some hijacked CMS sites (if you're the kind who plays games with CMSes and makes plugins purposely supporting RFI, this entire process may seem pretty straightforward to you). It's almost like you could dockerize this entire thing and add cleanup scripts into it as well? Maybe. Anyway, all that's left is the malware. I, like many people, would use RATs because peering into things. Right? Well, sometimes people do it for control, but honestly I don't want control or power or money. I just want what's true. That's my weakness. Truth. It's a crime these days. So, with a quick in and out, we could actually easily make our own or run with someone else's. The reason to run with someone else's is really longevity. Use a paid or free generator and hit 10,000 people, and after 2 weeks 30 of them are still alive; on those 30 you can dump your own, knowing you have a backdoor available if yours gets killed or found. So just spin up some free malware that can do what you want. The good part is, by stealing creds you can then sell them for money for better RATs and continue your campaign (if you were a criminal type who wanted to do this all the time), or you could start a database somewhere for further leverage purposes.

Oh, that's another thing we should talk about: leverage. Hacking is an art of leveraging. You have a fork; you take that fork and use the butt end to stir your chocolate milk because you weren't given a spoon or straw or something better suited to stir with. Hacking is functionally accepting what you're given and using a series of leverages. Every technique a hacker has is designed not as a one-shot, but as a leverageable chain. It's when people mass-produce these one-shots (here's lookin' at you, metasploit) that people begin to think it's all about using the software or making your own, or limited to just computer-related hacking. For my examples today, I will be using malware collected from rekings.com or github, or wherever I found the rest. Rekings is a site known for selling malware, with tons of free shit, most of which people will argue is infected; then they'll say prove it, and no one will. Let's be real folks, if it's not infected, you're doing something wrong. haha. You must accept what you're given and adapt. If you can't burn your pieces when you're done, you shouldn't have been playing chess. That's why I suggest a VM as the proxy out, via a proxy network, being separate from the VM that is on the host-only adapter and can only talk to the proxy one. Your proxy can stay back while you load and reload your C2 VM. Easy enough, right?  

So, after long enough torture:

  • Winderps Malware
    • Notes: 
      • Almost all of them have a builder function on the panel. 
      • If it can spy and do administrative functions, face it, it's a rat.
      • There are plenty of them.
      • Many of them are under the guidance (via EULA) that the liability is on you if you choose to use it for malicious purposes. Yay software licensing. 
    • XtremeRat 3.7:
      • Uses a connection password (large field; use a large key, because you can). On most things this isn't really useful and could be replaced with a per-file generated PGP key pair. But, hey, it's free. 
      • Modular (add your own DLLs; this version came with bromasc.dll to add to it). These functions are highly marketable and, when written right, can be sold for more than the fully functioning malware itself. 
      • Adjustable mutex, DNS/IP:port setup, adds additional malware payloads (might as well dump a meterpreter shell here, or dump a real executable already bound with meterpreter. Hell, for our purposes, let's dump ccleaner or whatever the latest version of Adobe Reader is. Why? Because these are common tools that have a set path they're going to be downloaded from: find it, script it, always provide the latest. ;) )
    • Babylon RAT
      • Has traffic key, dns and port setup when building
      • Several features for installation in the builder, but mostly normal shit
      • Cache of all recovered passwords, cache of all SOCKS proxies able to be set up through clients (huge benefit for further leveraging)
      • Functions available are geared towards real control, like cmd or remote webcam, versus the arbitrary command-like functions and small screen captures some of these RATs do. 
    • Hakops
      • Pretty normal shit, nice interface; wish it had more languages. 
      • Nothing really else to say about this.
    • Plasma Rat
      • One of my favorites, works REALLY well for this type of setup where I need to be killing off my services after only a few minutes.
      • Designed to have commands queued one by one, waiting for the bots to check in
      • Many infosec monitoring tools work the same way this does, but this gives you control over it
      • Pre-define a set of commands for every bot to do and log the results, including mining tasks, keylogging, downloading, etc.
      • Good replacement for Pony if people would start automating this, or dump this into a web interface so people on that side of the market can use it. 
    • pandora rat:
      • My favorite for several reasons most of which we probably won't discuss. 
      • Pre-define commands, multiple ports, etc., etc., the usual crap
      • Has a downloader as part of its generation scheme
      • You can build your own bot functions
      • You can build your own plugin functions (again, back to modular sales)
      • Detected by just about everything, so it may need crypting
      • Expect almost 95% detection rates, so out of 10,000 successful downloads you're looking at maybe 500 staying on for a few days, which will drop to about 80 after a week. Those 80 may stay for 6 months or so and dwindle down to (assumed numbers here, btw) around 15 long-term infections. But that's okay, because 0.15% or less is still leverageable for a timeline that's longer than the amount of jail time people would get. Meaning as a contingency plan, Pandora RAT works wonders that many people don't think exist. 
    • Dozens of others:
      • With these I've covered the gist of my thoughts about these RATs, and most RATs function the same or similarly. It's worth investing the time in testing or studying them where possible to understand what works for what leverage and when. 
  • Android Malware
    • AhMyth
      • I don't like anything that insists it needs to be installed on the C2 to be used. No one likes this. 
      • Effectiveness depends greatly on the permissions it gets
      • Worth it to bind a meterpreter shell with this so you can add custom functions such as priv escalations. 
      • Good enough to spy on a few dozen people at a time, not much more (memory whore)
      • OSX-style look; works well for the C2 being able to be on mac, lin, or win. So the UI doesn't exactly suck, but it's pretty white for the average user. They should go back to their day job as frontend web and app developers. 
    • Androrat
      • compile yourself
      • still sucks
      • oh gawd why does this suck
    • BetterAndroRat (github):
      • Web-based (RFI and load, load, load)
      • Easy setup
      • Functions still pretty much suck, but if you can script a permission escalation that works for the latest Android, you could take over dozens for a brief period of time, or set one out to get minimal permissions until you want to use cooler toys. 
      • Target almost has to have root to use this anyway, which sucks, but at least almost everyone roots Android phones. 
    • Droidjack
      • Easy-to-use Java interface
      • Building, binding, running work comparably to winderps RATs
      • Relies heavily on apktool, which doesn't keep up with the latest updates, so unless this continues to be updated, it has a shelf life
      • Permissions issues happen, and it's easily detectable by everything under the sun. 
    • Spynote
      • My favorite of the general android stuff
      • Functions similar to Windows RATs
      • Can be bound with other tools to get permissions elevated easily
      • Functions actually work. Geebuz christ, this is a thing I must stress. It works, so long as permissions are given. Try it out on a VM: load up call, SMS, file, or account manager and run with it.
    • TheFatRat
      • Works to bind any of these to each other or just about anything else (try with the latest ccleaner; it works better than you'd expect)
      • Uses metasploit scripts
      • Apparently doesn't understand what the fuck a space is (if you have a space in your directory tree, you know what I'm bitching about)
      • May have to run it on different systems to get all functions working; I've run it on several and dear lord it's trash. 
  • Linux/unix Malware
    • Honestly you don't really need super-specialized malware to hit a Linux box so long as you can pop a shell. 
      • via browser -> works. 
      • via email -> works if you know what you're targeting
      • random servers: just exploit remotely if plausible
      • Your best reverse shell will always be abusing bash's /dev/tcp/, vnc, or ssh. Since these are always used by admins, the only way to define a difference would be if they could tell you apart from them. And a connect-back ssh session, launched from an apache module location instead of the actual file (just have it open in its new location when you move it, it'll be fine), is usually apt. Such as, idk, just throwing one out there, libphp5.so.
      • Every CTF in the world tests hackers' ability to leverage Linux, so this shouldn't be hard at this point, guys.
    • jrat
      • Works pretty well, has limits; to me it seems like a good way to hop from web browser to disk, then get something else to give more permanent connect-back functionality. 
    • Any available scripting language (lol)
  • Mac/ios Malware
    • While there are a few, here's a particularly cute notion I found:
      • https://github.com/neoneggplant/EggShell
      • and https://github.com/mosca1337/OSX-Peristant-BackDoor
      • OR https://github.com/checkyfuntime/iMessagesBackdoor

Let's just stockpile these and randomize what we send to whom and when; like everything else, targeted but randomized allows multiple targeting attempts. So, let's take a step back here. We want to see multiple aspects of our playing field, and we have enumerated, so let's dive in from a different view. Targets get email, or SMS, or hit an infected site, or join a chat site and click a link because people in tech like games (lul discord/slack/twitch) -> the user, via one means or another (all of which can be automated or randomized between), gets infected -> infected hosts all query for various DNS entries at various intervals -> when the correct IP lines up, the communication path will be (infected host -> server -> tor -> other server -> tor -> vm -> c2 vm (if you're thinking this could cause timeouts: yes, yes it can, but that's okay)). Now let's think about it again from our attacker standpoint. We need somewhere to launch all this that can control the VMs, control the various hosts, control the DNS, control the email sending, etc. Well, I'd pick the proxy VM for the coordination efforts. But that's just me. I say that because it would allow the full thing to be automated in a bastardized attempt at a spying (RAT) botnet structure standup and monitoring. If you did everything right, your VM, or VMs really, that you want to use for the C2 structure could even be over Tor or I2P and not at the same host as your other machine, but then your connection would be so slow nothing would touch it ever. So on our (attacker) side we need to: manually spin up a few servers on an hourly basis; update and run this part (generate ssh keys, set up ssh key authentication, remotely chain ssh sessions); load our additional scripts such as file destruction scripts wherever we need them (scp, again automatable, probably through just a bash script); spin up our already scripted (remember I said this earlier) command panel so we can see everything running, and connections, and all that; 
then select the files, templates, domains, and IPs to choose from and let it churn. If you keep your actual IPs out of the mix long enough, you can check back on it in a few weeks and see what you have left or what you can leverage. It sends that out, you get responses back, you interact as you wish, because your wishes are probably different from mine.

So, what is the purpose of this post? 
A. I wanted to introduce myself and my way of thinking as a simple example of bitching at the general hacking culture, including the infosec world. I wanted to rant a bit about how shitty generic software was and the way people think about hacking. To be frank, I wanted an introduction to who I am. My name is meaningless, my title is classless, and my function is visionless. But I can make countless literary and cultural references while typing that people may have overlooked. Let's be real, I speak in allusions. 

With love,
- Ferasdour.
https://keybase.io/ferasdour

2am rant