darkcomet from defence to offence 1. # whoami kevin breen @kevthehermit gcia grem gcfe security+ ...
If you can't read please download the document
TRANSCRIPT
- Slide 1
- DarkComet FROM DEFENCE TO OFFENCE 1
- Slide 2
- # whoami Kevin Breen @kevthehermit GCIA GREM GCFE Security+ Independent Researcher Part time blogger 2
- Slide 3
- What my friends think I do 3
- Slide 4
- What Work thinks I do 4
- Slide 5
- What I really do 5
- Slide 6
- Disclaimers Disclaimer One: All views expressed here are mine and are not the views or opinions of my employer. Disclaimer Two: I am not a lawyer. Disclaimer Three: Any use of the tools and techniques described here are at your own discretion and I am not responsible for your actions. Final Disclaimer: The Case Study data that you will see was all generated in my Lab and not from a live engagement. 6
- Slide 7
- Agenda What is DarkComet? Who Uses DarkComet? Defence: The Usual Stuff Offensive: Discovery Traffic Load Testing AKA DOS Remote File Read Case Study 7
- Slide 8
- The What & The Who ATTRIBUTION 8
- Slide 9
- What is DarkComet Remote Access Trojan (RAT) Free and Public 2008 Feature Rich File Access, Keylogger, Download and Execute, WebCam, Audio, Fun Syrian Conflict No Longer Developed No Longer Updated 9
- Slide 10
- Who uses Dark Comet Script Kiddies 10
- Slide 11
- Who uses Dark Comet Script Kiddies E Crime 11 https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
- Slide 12
- Who uses Dark Comet 12 https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
- Slide 13
- Who uses Dark Comet Script Kiddies E Crime 13
- Slide 14
- Who uses Dark Comet Script Kiddies E Crime 14 https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
- Slide 15
- Who uses Dark Comet Script Kiddies E Crime 15 http://www.ibtimes.co.uk/criminals-use-jesuischarlie-slogan-spread-darkcomet-malware-1483553
- Slide 16
- Who uses Dark Comet Script Kiddies E Crime Governments 16
- Slide 17
- Who uses Dark Comet Script Kiddies E Crime Governements 17
- Slide 18
- Defensive 18
- Slide 19
- Defensive Network Host Port IOCs Files Reg Keys Intelligence Passwords Campaign IDs Static Decode http://malwareconfig.com http://malwareconfig.com https://kevthehermit.github.io/RATDecoders 19
- Slide 20
- Offensive DISCOVERY 20
- Slide 21
- Offensive From Binary Host Port Password FTP Credentials Additional Files LOGS Uploads from victims Downloads from our attacker 21
- Slide 22
- 22
- Slide 23
- Offensive From Shodan Port 1604 Banners DC_2 - 8EA4AB05FA7E - 10 DC_2_PASS - C4A6EB42FC74 - 2 DC_4 - B47CB892B702 - 1 DC_4_PASS - 00798B4A0595 - 0 DC_42 - C7CF9C7CD932 - 1 DC_42_PASS - 61A49CF4910B - 0 DC_42F - 155CAD31A61F - 2 DC_42F_PASS - 82695EF04B68 - 2 DC_5 - 1164805C82EE - 13 DC_5_PASS - 2ECB29F71503 - 0 DC_51 - BF7CAB464EFB - 863 DC_51_PASS - DACA20185D99 - 2 23
- Slide 24
- 24
- Slide 25
- Offensive From Shodan Port 1604 Banners Nmap script MassScan Banners DC_2 - 8EA4AB05FA7E DC_2_PASS - C4A6EB42FC74 DC_4 - B47CB892B702 DC_4_PASS - 00798B4A0595 DC_42 - C7CF9C7CD932 DC_42_PASS - 61A49CF4910B DC_42F - 155CAD31A61F DC_42F_PASS - 82695EF04B68 DC_5 - 1164805C82EE DC_5_PASS - 2ECB29F71503 DC_51 - BF7CAB464EFB DC_51_PASS - DACA20185D99 25
- Slide 26
- Offensive TRAFFIC LOAD TESTING 26
- Slide 27
- Traffic Load Testing Host + Port + Password Reverse Connection Infected Host Sends Data Controller Trusts 27
- Slide 28
- DEMO GODS BE KIND DC_TRAFFICGENERATOR.PY 28
- Slide 29
- Remote File Read THE FUN STUFF 29
- Slide 30
- Remote File Read Credits 2012 Shawn Denbow @sdenbow_ Jesse Hertz @hectohertz http://matasano.com/research/PEST-CONTROL.pdf http://matasano.com/research/PEST-CONTROL.pdf What did they find? You can request any file from the DC Controller: In the context of the current user Full Path or Relative to the DC Folder 30
- Slide 31
- Remote File Read DEMO WINDOWS 31
- Slide 32
- Remote File Read DEMO KALI 32
- Slide 33
- Remote File Read 33
- Slide 34
- Remote File Read 34
- Slide 35
- Remote File Read 35
- Slide 36
- Remote File Read Remote Remotes 36
- Slide 37
- Remote File Read 37
- Slide 38
- Remote File Read 38
- Slide 39
- Remote File Read 39
- Slide 40
- Remote File Read 40
- Slide 41
- Remote File Read VNC Logs Windows Event Logs C:\users\%USERNAME%\Appdata\Local\RealVNC\vncserver.log Linux /var/log/vncserver-x11.log ~/.vnc/vncserver-x11.log /var/log/vncserver-virtuald.log 41
- Slide 42
- Remote File Read Many more file paths Use Your Imagination 42
- Slide 43
- Questions ??? 43
- Slide 44
- Thanks for Listening All Tools - https://github.com/kevthehermit/dc-toolkithttps://github.com/kevthehermit/dc-toolkit My Blog https://techanarchy.nethttps://techanarchy.net My Slides My Blog & Bsides @kevthehermit mailto: [email protected] 44