Darren Kitchen, posted September 27, 2006:
Say, hypothetically, that we've owned a box. Box of course being a Windows 2000, XP, or 2003 computer. And that box is now doing some data recovery for us. And you no longer have access to the box either over the web or physically, but you want it to transmit the data that it's been gathering to you somehow. It needs to do this periodically and invisibly. That means that a scheduled task set to run a batch script which initiates an FTP connection to "the mothership" in order to upload said goodies isn't the best solution. How would you go about it? Remember, this box is owned and whatever owned it can install whatever is necessary to make this happen.

My thinking is a simple program that runs resident and FTP, SFTP, whatever's the goodies back home on a set interval without showing up in the usual places. Invisibility to the user is a must. Thoughts?

Oh, and in case you're wondering, yes this is the second half of a problem I'm having with a proof of concept hack for the next episode, so the sooner I figure out how to get the goodies back home, the better. Mad props for any working solution. ;)
moonlit, posted September 27, 2006:
Maybe a small IRCd that collects data then fires it all out at a particular time of day/day of the week to a channel somewhere?
VaKo, posted September 27, 2006:
Set it to post the information you have collected to a forum, or a blog's comments, at a specific time in a specific place. Won't look that suspicious, and since you're using an unaware 3rd party to do this, the odds of it being traced back to you are minimal. This would only work for specific types of data, and you could encrypt it if needed.
moonlit, posted September 27, 2006:
Only thing with that though is it might get nailed as spam and removed... :)
404, posted September 27, 2006:
I think channeling the information to a third party as mentioned above is the way to go. In the days of dial-up access, we coded a little tool that would post the information to alt.test, a pr0n newsgroup, or any other group where the message would go unnoticed. Everybody had access to newsgroups with their dial-up accounts then, so you could ride on the owned user's account, and retrieve the information anonymously. A simple encryption and a flag to find it was all you needed. It beats having the info mailed or IRC'ed to a certain account because there was no account or channel to track back to.
VaKo, posted September 27, 2006:
That's why you pick blogs or forums where they're not on the ball about spam. Must be hundreds of blogs out there where the comments sections are nothing but 200 pages of spam. You could even find a blog that appears to be dead, pick an old article and use that. If you do your research you should be able to find a suitable drop box. Hell, you could even make your own specifically for that purpose. Pick a free blog account, make comments public and anon, and go to town.
moonlit, posted September 27, 2006:
Yeah that would actually work when you say it like that :p
404, posted September 27, 2006:
> That's why you pick blogs or forums where they're not on the ball about spam. Must be hundreds of blogs out there where the comments sections are nothing but 200 pages of spam. You could even find a blog that appears to be dead, pick an old article and use that. If you do your research you should be able to find a suitable drop box. Hell, you could even make your own specifically for that purpose. Pick a free blog account, make comments public and anon, and go to town.

Blogs, forums - webpages that take visitors' input can be closed or taken offline at any given time. Setting up your own blog means that there are traces back to you, so you'd have to take an extra step to hide those. Visitors and bots on an IRC channel can be tracked as well. Which messages you read on Usenet is practically impossible to track unless they're already keeping an eye on you, so that's why I feel newsgroups are the best solution of the five discussed here so far.
VaKo, posted September 27, 2006:
Use a hacked wifi AP, Tor etc. to create the blog. Add a few posts to it, creating a false user (14yr old kid in Boston...), and make it look like the user lost interest in it. True, it can be taken offline, but it's unlikely. Posting to predefined webpages runs the same risk to a lesser degree, but it's minimal. However, I do like the newsgroup idea, it removes those risks.
Darren Kitchen (thread author), posted September 27, 2006:
Maybe I should clarify a bit. We're talking about potential tens to hundreds of megabytes, though likely only tens at a time. I agree that a public drop point is better than a specific drop point for anonymity's sake. So, would anyone happen to know of some code that already does something like this? I'm so close to having this thing complete and it's a really sweet hack, but without the *have owned box send goodies somewhere* part it's not as sweet. I know with some time we could probably code up something that splits up the data into chunks and uses steganography to upload the data to flickr, but I don't have the tools or time. Grr. Stupid deadline.
404, posted September 27, 2006:
In which language are you coding it? C++?
stingwray, posted September 27, 2006:
Well if it was Linux then I would use e-mail, don't know about implementing that for a Win32 platform.
VaKo, posted September 27, 2006:
Email chokes at 10MB or so though. To be brutally honest, if you're moving tens to hundreds of megs of data from a machine, someone will notice. May as well pwn a server in a 3rd world country and use that. Make sure you route your data through as many different legal systems as possible.
Jimbo, posted September 27, 2006:
How about YouSendIt or something similar... large drop box, upload through HTTP, deleted after a short period of time, can be accessed through Tor.
pseudobreed, posted September 27, 2006:
If I had to come up with something quick, I would:
- WinRAR command line to split the files into chunks.
- Blat command line with some fake SMTP account and email the chunks to another fake email address that you can log in from anywhere to get what you need.
- Batch it all up and use "at" to send when you need it sent. Since the default profile is SYSTEM, it will run the batch silently.

However, I'm not sure how much someone will not notice... especially depending on the firewall and/or AV.
Guest, posted September 27, 2006:
I still say using a web site to collect the data is the best idea. It doesn't have to actually be a used blog or anything. Just find a free web host that allows PHP or something like that, and upload the data that way. If the data is too large then do the other idea of zipping it or something into usable chunks. The website doesn't really need to have anything on it, although it could. You could even use some PHP code to check if it's the program calling it or not, and if it isn't, display some nice little page to the user. As for the web site being shut down, you can get around that with a second website. Have the program call home to one site that has the location of the drop point; it then uses this location.
pseudobreed, posted September 27, 2006:
This all really depends on how sensitive the data is and what you want to do with it. Do you just need to dump the info and come back later to go through it? Or, do you need to dump somewhere to parse and return something to somewhere?
cooper, posted September 27, 2006:
The way I see it, the trick is in hiding the traffic. For that, the sheer volume of 10s of megs and up is troublesome. If it was a small amount, you could set up a DNS or NTP server that takes in a bit more info than a normal one would. In any corporate network you're lucky to get ports 80 and 443 out, and chances are there's a proxy to pass through, so take that into account. Your only option is to run or take over an HTTP drop-on server that you can zip the data out from easily, and disconnect yourself from with plausible deniability. Try to use some _HEAVY_ compression to reduce the traffic though. Maybe pre-parse some of that data.

I mean, seriously... 10s of megabytes? What the hell are you trying to transfer? A full disk backup? You sure you need all that crap?

Maybe it would be better to have a remote place that gets polled by the box every so often. You post a command, it executes it and posts the response. Access without having access. :)
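The traffic-hiding problem cooper raises is also the defender's opening: tens of megabytes leaving through the web proxy toward one destination on a fixed interval is exactly what a proxy-log hunt can surface. The script below is an added example, not code from the thread or from any poster; it uses a simplified, constructed Squid-style log format (epoch time, client IP, method, destination host, bytes sent by the client), constructed sample lines, and assumed thresholds (10 MB cumulative, gap coefficient of variation under 0.2).

```python
"""Hunt proxy logs for periodic, high-volume outbound uploads.

Added example. Log format is a constructed, simplified Squid-style
access log, one request per line:
    <epoch> <client_ip> <method> <dest_host> <bytes_sent_by_client>
"""
import statistics
from collections import defaultdict

# Constructed sample: workstation 10.0.0.5 POSTs 8 MB to the same host every
# 6 hours (4 uploads = 32 MB), mixed in with ordinary browsing and one small
# webmail POST from another client.
SAMPLE_LOG = """\
1159315200 10.0.0.5 GET www.example.com 512
1159315260 10.0.0.5 GET cdn.example.com 730
1159315300 10.0.0.5 POST drop.example.net 8388608
1159318900 10.0.0.7 POST mail.example.org 24000
1159336900 10.0.0.5 POST drop.example.net 8388608
1159340000 10.0.0.5 GET news.example.com 900
1159358500 10.0.0.5 POST drop.example.net 8388608
1159380100 10.0.0.5 POST drop.example.net 8388608
1159380200 10.0.0.7 GET www.example.com 400
"""


def parse_log(text):
    """Parse the constructed log format into (epoch, client, method, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, method, host, size = line.split()
        records.append((int(ts), client, method, host, int(size)))
    return records


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between events.

    0.0 means perfectly regular (a fixed-interval scheduler); None when there
    are fewer than three events, since two events give a single gap and no
    measure of regularity.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return None
    return statistics.pstdev(gaps) / mean_gap


def find_suspicious_uploads(text, min_total_bytes=10 * 1024 * 1024, max_cv=0.2):
    """Group uploads per (client, destination) and flag large, regular senders.

    Returns one finding per pair whose cumulative upload volume reaches
    min_total_bytes; 'periodic' is True when the gaps between uploads are
    regular enough (CV <= max_cv) to suggest a scheduled job rather than a user.
    """
    uploads = defaultdict(list)
    for ts, client, method, host, size in parse_log(text):
        if method in ("POST", "PUT"):
            uploads[(client, host)].append((ts, size))

    findings = []
    for (client, host), events in uploads.items():
        total = sum(size for _, size in events)
        if total < min_total_bytes:
            continue
        cv = interval_regularity([ts for ts, _ in events])
        findings.append({
            "client": client,
            "host": host,
            "uploads": len(events),
            "total_bytes": total,
            "interval_cv": cv,
            "periodic": cv is not None and cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['uploads']} uploads, "
              f"{f['total_bytes'] / 1048576:.1f} MB, periodic={f['periodic']}")
```

On the sample the only finding is 10.0.0.5 to drop.example.net: four uploads, 32 MB, gap CV 0.0. Volume alone produces noise from legitimate bulk uploads, and regularity alone catches every well-behaved updater, so the two indicators are reported together and the analyst decides on the combination; on real logs the thresholds should be tuned to the baseline for that network.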
VaKo, posted September 27, 2006:
That's why I suggested using 3rd party blogs; if anyone checks, it just looks like normal web usage. Unless it's a server, then anything they don't recognize is suspicious.
Darren Kitchen (thread author), posted September 27, 2006:
Ok, consider it's 32 MB. How does that change things? Also, transfer of this data does not need to be secure. I really like pseudobreed's idea of splitting the data in RAR files and sending out to a junk gmail/yahoo mail/etc account using Blat, however three problems come to mind.

1. Blat is an awesome tool for sending attachments through SMTP via command line, but as far as I know Blat does not have its own SMTP server, thus requiring an open SMTP server, or SMTP server from the ISP. Not going to work.

2. The AT command schedules tasks really nicely, but the command will show up in the Scheduled Tasks folder in Control Panel. Sure it's not a biggie but it'd be better if it wasn't that visible. An invisible (to the average user) application that runs on startup might do the trick.

3. "Batch it all up." Now you're speaking my language. Quick and dirty, easy to modify, but one little problem. Not so much with the stealthy. Though I must say I haven't tried using the .vbe from the switchblade to run the command without a visible console. That might solve the problem.

Anyway for what I'm trying to do this is the closest thing to a solution I've seen yet. I'm on all night working on this hack so if you want to get a hold of me I'm on irc.hak5.org #hak5 and skype: username Hak5Darren.
Ebola Eater of Packets, posted September 28, 2006:
I can't think of how you would implement it, but one could consider the use of BitTorrent as a medium. It's not very widespread, but if a modded version was previously uploaded, that might be quite effective. Big torrent sites like Mininova and Torrentspy get loads of spam daily.
PoyBoy, posted September 28, 2006:
I'd add a service that runs a batch file. This should be much more stealthy than scheduled tasks, I think.
pseudobreed, posted September 28, 2006:
Oh yes, I like the service idea. Just have to make sure the remote service is running, create your own that RARs and sends the files out. With Blat out of the picture, I'm not sure what you have left to use. I'm assuming you are just assuming the user only has ports 80, 110, 443 open? Or maybe you can port scan real quick to see what outs you have available... Didn't I hear something over at sploit how some guy sent packets using ping? I'm going to look into that. And, I wonder how hard it is to make an SMTP server...

@Cooper I can't remember the program, maybe firewalk or something, but you could actually ask the firewall what rules it had in place. On some firewalls (PIX for sure) it will allow traffic to pass through if it's in the DMZ. However, that's not a failsafe way of pulling it off. Getting the proxy information is easy as soon as you figure out what browser they are running. Then you could just piggyback over port 80. Unless Snort is running on outgoing traffic as well.
Darren Kitchen (thread author), posted September 28, 2006:
Blat really looks like the best option for this hack. We just need a lightweight, command line, local SMTP relay. http://sapes.sourceforge.net/docs/configur...html#config.txt and http://emailrelay.sourceforge.net/ look ok at first glance. I'm digging deeper right now. If we can get email to send without the use of the 3rd party SMTP server that will fix one of the problems.

I do believe I saw a program a while ago that will allow you to register a BAT as a service. If that's the case all we need is a batch file that runs a loop to process a few commands every 6 hours or so.

Actually, know what? As I type this I think there may be a better way to initiate all of this, but it would require just a tiny itty bit of C code. I've got the source of the utility that I'm basing this hack off of. It runs resident and performs a data gathering action when certain parameters are met. Since it's already resident in memory and initiates the hack when it's needed, the best solution would be to at least run the batch once it's done with the data stealing. I haven't touched C since a programming class 4 years ago, but I've been keeping up with PHP which in a very loose way is similar, so maybe I'll try a dirty hack and just add a system() command to initiate the batch. Then I just need to find a half decent C compiler for Windows and make this bad boy.

Assuming that all works the only thing left is to transmit the data, and I think between RAR to split the files, a local SMTP mail transfer agent, and Blat, this is totally doable.

I know I'm being a bit vague. I apologize. If you've got C experience and want to help with this I can give you all the details on IRC, PM, skype conf, etc. I'll be up all night working on this so if you're up for some fun let me know.
Darren Kitchen (thread author), posted September 28, 2006:
So it turns out that Gmail has its own SMTP server. Oops. Forgot about that. I'm pretty sure Blat will work with its auth requirements too. *scha-wing* Testing...