Getting data off an owned machine


Darren Kitchen

Say, hypothetically, that we've owned a box. Box of course being a Windows 2000, XP, or 2003 computer. And that box is now doing some data recovery for us. And you no longer have access to the box either over the web or physically, but you want it to transmit the data that it's been gathering to you somehow. It needs to do this periodically and invisibly.

That means that a scheduled task set to run a batch script which initiates an FTP connection to "the mothership" in order to upload said goodies isn't the best solution.

How would you go about it? Remember, this box is owned and whatever owned it can install whatever is necessary to make this happen. My thinking is a simple program that runs resident and FTPs, SFTPs, whatever's the goodies back home on a set interval without showing up in the usual places. Invisibility to the user is a must.

Thoughts? Oh, and in case you're wondering, yes this is the second half of a problem I'm having with a proof of concept hack for the next episode, so the sooner I figure out how to get the goodies back home, the better. Mad props for any working solution. ;)

Set it to post the information you have collected to a forum, or a blog's comments, at a specific time in a specific place. Won't look that suspicious, and since you're using an unaware 3rd party to do this, the odds of it being traced back to you are minimal. This would only work for specific types of data, and you could encrypt it if needed.

I think channeling the information to a third party like mentioned above is the way to go.

In the days of dial-up access, we coded a little tool that would post the information to alt.test, a pr0n newsgroup, or any other group where the message would go unnoticed. Everybody had access to newsgroups with their dial-up accounts then, so you could ride on the owned user's account, and retrieve the information anonymously. A simple encryption and a flag to find it was all you needed.

It beats having the info mailed or IRC'ed to a certain account because there was no account or channel to track back to.

That's why you pick blogs or forums where they're not on the ball about spam. Must be hundreds of blogs out there where the comments sections are nothing but 200 pages of spam. You could even find a blog that appears to be dead, pick an old article and use that. If you do your research you should be able to find a suitable drop box. Hell, you could even make your own specifically for that purpose. Pick a free blog account, make comments public and anon, and go to town.

Blogs, forums - webpages that take visitors' input can be closed or taken offline at any given time. Setting up your own blog means that there are traces back to you, so you'd have to take an extra step to hide those. Visitors and bots on an IRC channel can be tracked as well. Which messages you read on usenet is practically impossible to track unless they're already keeping an eye on you, so that's why I feel newsgroups are the best solution of the five discussed here so far.

Use a hacked wifi AP, tor etc to create the blog. Add a few posts to it, creating a false user (14-year-old kid in Boston...), and make it look like the user lost interest in it. True, it can be taken offline, but it's unlikely. Posting to predefined webpages runs the same risk to a lesser degree, but it's minimal. However, I do like the newsgroup idea, removes those risks.

Maybe I should clarify a bit. We're talking about potentially tens to hundreds of megabytes, though likely only tens at a time. I agree that a public drop point is better than a specific drop point for anonymity's sake. So, would anyone happen to know of some code that already does something like this? I'm so close to having this thing complete and it's a really sweet hack, but without the *have owned box send goodies somewhere* part it's not as sweet. I know with some time we could probably code up something that splits up the data into chunks and uses steganography to upload the data to flickr, but I don't have the tools or time. Grr. Stupid deadline.

Email chokes at 10mb or so though. To be brutally honest, if you're moving tens to hundreds of megs of data from a machine, someone will notice. May as well pwn a server in a 3rd world country and use that. Make sure you route your data through as many different legal systems as possible.

If I had to come up with something quick, I would:

-WinRar command line to split the files into chunks.

-Blat command line with some fake smtp account and email the chunks to another fake email address that you can log in from anywhere to get what you need.

-Batch it all up and use "at" to send when you need it sent. Since the default profile is system, it will run the batch silently.

However, I'm not sure how much someone will not notice... especially depending on the firewall and/or AV.

I still say using a web site to collect the data is the best idea. It doesn't have to actually be a used blog or anything. Just find a free web host that allows PHP or something like that, and upload the data that way. If the data is too large then do the other idea of zipping it or something into usable chunks. The website doesn't really need to have anything on it, although it could. You could even use some PHP code to check if it's the program calling it or not, and if it isn't, display some nice little page to the user. As for the web site being shut down, you can get around that with a second website. Have the program call home to one site that has the location of the drop point; it then uses this location.

The way I see it, the trick is in hiding the traffic. For that, the sheer volume of 10s of megs and up is troublesome.

If it was a small amount, you could set up a DNS or NTP server that takes in a bit more info than a normal one would.

In any corporate network you're lucky to get ports 80 and 443 out, and chances are there's a proxy to pass through, so take that into account. Your only option is to run or take over an HTTP drop-on server that you can zip the data out from easily, and disconnect yourself from with plausible deniability.

Try to use some _HEAVY_ compression to reduce the traffic though. Maybe pre-parse some of that data. I mean, seriously... 10s of megabytes? What the hell are you trying to transfer? A full disk backup? You sure you need all that crap?

Maybe it would be better to have a remote place that gets polled by the box every so often. You post a command, it executes it and posts the response. Access without having access. :)

Ok, consider it's 32 MB. How does that change things? Also, transfer of this data does not need to be secure.

I really like pseudobreed's idea of splitting the data in RAR files and sending out to a junk gmail/yahoo mail/etc account using blat, however three problems come to mind.

1. Blat is an awesome tool for sending attachments through SMTP via command line, but as far as I know blat does not have its own SMTP server, thus requiring an open SMTP server, or the SMTP server from the ISP. Not going to work.

2. AT command schedules tasks really nicely, but the command will show up in the Scheduled Tasks folder in control panel. Sure it's not a biggie but it'd be better if it wasn't that visible. An invisible (to the average user) application that runs on startup might do the trick.

3. "Batch it all up." Now you're speaking my language. Quick and dirty, easy to modify, but one little problem. Not so much with the stealthy. Though I must say I haven't tried using the .vbe from the switchblade to run the command without a visible console. That might solve the problem.

Anyway for what I'm trying to do this is the closest thing to a solution I've seen yet. I'm on all night working on this hack so if you want to get a hold of me I'm on irc.hak5.org #hak5 and skype: username Hak5Darren.

Oh yes, I like the service idea.

Just have to make sure the remote service is running; create your own that rars and sends the files out.

With Blat out of the picture, I'm not sure what you have left to use. I'm assuming you are just assuming the user only has ports 80, 110, 443 open? Or maybe you can port scan real quick to see what outs you have available...

Didn't I hear something over at sploit about how some guy sent packets using ping? I'm going to look into that. And, I wonder how hard it is to make an SMTP server...

@Cooper

I can't remember the program, maybe firewalk or something, but you could actually ask the firewall what rules it had in place. On some firewalls (PIX for sure) it will allow traffic to pass through if it's in the DMZ. However, that's not a failsafe way of pulling it off. Getting the proxy information is easy as soon as you figure out what browser they are running. Then you could just piggyback over port 80. Unless SNORT is running on outgoing traffic as well.
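
The two channels weighed in the last few posts, a workstation speaking SMTP directly (the blat case) and chunked uploads over port 80 on a fixed interval, are also exactly what a network defender watches egress logs for. The following is an added example and not code from this thread: it parses constructed firewall/proxy log lines and flags hosts that open TCP/25 themselves and (src, dst) pairs that receive large POSTs at a near-constant interval. The log format, the MAIL_RELAYS address and the thresholds are assumptions.

```python
"""Flag two egress patterns from the thread: a workstation speaking SMTP
directly, and large uploads to one host at a near-constant interval."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy log lines (made up for this example, not from a real system).
SAMPLE_LOG = """\
2006-03-01T00:00:03 src=10.0.0.12 dst=203.0.113.5 dport=25 proto=tcp bytes=812
2006-03-01T01:10:00 src=10.0.0.12 dst=198.51.100.7 dport=80 method=POST bytes=5242880
2006-03-01T01:11:20 src=10.0.0.14 dst=198.51.100.9 dport=80 method=GET bytes=1400
2006-03-01T07:10:01 src=10.0.0.12 dst=198.51.100.7 dport=80 method=POST bytes=5200000
2006-03-01T09:15:00 src=10.0.0.14 dst=198.51.100.9 dport=443 method=GET bytes=9000
2006-03-01T13:10:02 src=10.0.0.12 dst=198.51.100.7 dport=80 method=POST bytes=5300000
2006-03-01T19:09:59 src=10.0.0.12 dst=198.51.100.7 dport=80 method=POST bytes=5100000
"""
LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
                  r"(?: proto=\S+)?(?: method=(?P<method>\S+))? bytes=(?P<bytes>\d+)")
MAIL_RELAYS = {"10.0.0.25"}  # assumed: the only host allowed to send SMTP outbound

def parse(text):
    """Turn log lines into dicts; lines not in the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["dport"], d["bytes"] = int(d["dport"]), int(d["bytes"])
            yield d

def direct_smtp(events):
    """Hosts opening TCP/25 themselves instead of going through the mail relay."""
    return sorted({e["src"] for e in events if e["dport"] == 25 and e["src"] not in MAIL_RELAYS})

def periodic_uploads(events, min_posts=3, min_bytes=1_000_000, jitter=0.05):
    """Return {(src, dst): interval_hours} for pairs with >= min_posts large POSTs
    whose spacing varies by no more than `jitter` of the mean gap (a beacon)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["bytes"] >= min_bytes:
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= max(min_posts - 1, 2) and pstdev(gaps) <= jitter * mean(gaps):
            hits[pair] = round(mean(gaps) / 3600, 2)
    return hits
```

Run over the sample, `direct_smtp` names 10.0.0.12 and `periodic_uploads` reports its uploads to 198.51.100.7 as a 6.0-hour beacon; the GET traffic from 10.0.0.14 is not flagged.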

Blat really looks like the best option for this hack. We just need a lightweight, command line, local SMTP relay.

http://sapes.sourceforge.net/docs/configur...html#config.txt

and

http://emailrelay.sourceforge.net/

look ok at first glance. I'm digging deeper right now. If we can get email to send without the use of the 3rd party SMTP server that will fix one of the problems. I do believe I saw a program a while ago that will allow you to register a BAT as a service. If that's the case all we need is a batch file that runs a loop to process a few commands every 6 hours or so.

Actually, know what? As I type this I think there may be a better way to initiate all of this, but it would require just a tiny itty bit of C code. I've got the source of the utility that I'm basing this hack off of. It runs resident and performs a data gathering action when certain parameters are met. Since it's already resident in memory and initiates the hack when it's needed, the best solution would be to at least run the batch once it's done with the data stealing.

I haven't touched C since a programming class 4 years ago, but I've been keeping up with PHP which in a very loose way is similar, so maybe I'll try a dirty hack and just add a system() command to initiate the batch. Then I just need to find a half decent C compiler for Windows and make this bad boy. Assuming that all works, the only thing left is to transmit the data, and I think between RAR to split the files, a local SMTP mail transfer agent, and blat, this is totally doable.

I know I'm being a bit vague. I apologize. If you've got C experience and want to help with this I can give you all the details on IRC, PM, skype conf, etc. I'll be up all night working on this so if you're up for some fun let me know.