DarkComet FROM DEFENCE TO OFFENCE
- Slide 1
- DarkComet FROM DEFENCE TO OFFENCE 1
- Slide 2
- `# whoami`
  - Kevin Breen, @kevthehermit
  - GCIA, GREM, GCFE, Security+
  - Independent Researcher
  - Part time blogger
- Slide 3
- What my friends think I do 3
- Slide 4
- What Work thinks I do 4
- Slide 5
- What I really do 5
- Slide 6
- Disclaimers
  - Disclaimer One: All views expressed here are mine and are not the views or opinions of my employer.
  - Disclaimer Two: I am not a lawyer.
  - Disclaimer Three: Any use of the tools and techniques described here is at your own discretion and I am not responsible for your actions.
  - Final Disclaimer: The Case Study data that you will see was all generated in my Lab and not from a live engagement.
- Slide 7
- Agenda
  - What is DarkComet?
  - Who Uses DarkComet?
  - Defence: The Usual Stuff
  - Offensive: Discovery
  - Traffic Load Testing AKA DOS
  - Remote File Read
  - Case Study
- Slide 8
- The What & The Who ATTRIBUTION 8
- Slide 9
- What is DarkComet
  - Remote Access Trojan (RAT)
  - Free and Public
  - 2008
  - Feature Rich: File Access, Keylogger, Download and Execute, WebCam, Audio, Fun
  - Syrian Conflict
  - No Longer Developed
  - No Longer Updated
- Slide 10
- Who uses Dark Comet Script Kiddies 10
- Slide 11
- Who uses Dark Comet Script Kiddies E Crime 11
https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
- Slide 12
- Who uses Dark Comet 12
https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
- Slide 13
- Who uses Dark Comet Script Kiddies E Crime 13
- Slide 14
- Who uses Dark Comet Script Kiddies E Crime 14
https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
- Slide 15
- Who uses Dark Comet Script Kiddies E Crime 15
http://www.ibtimes.co.uk/criminals-use-jesuischarlie-slogan-spread-darkcomet-malware-1483553
- Slide 16
- Who uses Dark Comet Script Kiddies E Crime Governments 16
- Slide 17
- Who uses Dark Comet Script Kiddies E Crime Governments 17
- Slide 18
- Defensive 18
- Slide 19
- Defensive
  - Network: Host, Port
  - IOCs: Files, Reg Keys
  - Intelligence: Passwords, Campaign IDs
  - Static Decode: http://malwareconfig.com and https://kevthehermit.github.io/RATDecoders
- Slide 20
- Offensive DISCOVERY 20
- Slide 21
- Offensive: From Binary
  - Host, Port, Password
  - FTP Credentials
  - Additional Files: LOGS, Uploads from victims, Downloads from our attacker
- Slide 22
- 22
- Slide 23
- Offensive: From Shodan, Port 1604 Banners

  | Version | Banner | Count |
  |---|---|---|
  | DC_2 | 8EA4AB05FA7E | 10 |
  | DC_2_PASS | C4A6EB42FC74 | 2 |
  | DC_4 | B47CB892B702 | 1 |
  | DC_4_PASS | 00798B4A0595 | 0 |
  | DC_42 | C7CF9C7CD932 | 1 |
  | DC_42_PASS | 61A49CF4910B | 0 |
  | DC_42F | 155CAD31A61F | 2 |
  | DC_42F_PASS | 82695EF04B68 | 2 |
  | DC_5 | 1164805C82EE | 13 |
  | DC_5_PASS | 2ECB29F71503 | 0 |
  | DC_51 | BF7CAB464EFB | 863 |
  | DC_51_PASS | DACA20185D99 | 2 |
- Slide 24
- 24
- Slide 25
- Offensive: From Shodan, Port 1604 Banners
  - Nmap script
  - MassScan
  - Banners: DC_2 - 8EA4AB05FA7E; DC_2_PASS - C4A6EB42FC74; DC_4 - B47CB892B702; DC_4_PASS - 00798B4A0595; DC_42 - C7CF9C7CD932; DC_42_PASS - 61A49CF4910B; DC_42F - 155CAD31A61F; DC_42F_PASS - 82695EF04B68; DC_5 - 1164805C82EE; DC_5_PASS - 2ECB29F71503; DC_51 - BF7CAB464EFB; DC_51_PASS - DACA20185D99
- Slide 26
- Offensive TRAFFIC LOAD TESTING 26
- Slide 27
- Traffic Load Testing
  - Host + Port + Password
  - Reverse Connection
  - Infected Host Sends Data
  - Controller Trusts
- Slide 28
- DEMO GODS BE KIND DC_TRAFFICGENERATOR.PY 28
- Slide 29
- Remote File Read THE FUN STUFF 29
- Slide 30
- Remote File Read: Credits
  - 2012: Shawn Denbow @sdenbow_, Jesse Hertz @hectohertz
  - http://matasano.com/research/PEST-CONTROL.pdf
  - What did they find? You can request any file from the DC Controller:
    - In the context of the current user
    - Full Path or Relative to the DC Folder
- Slide 31
- Remote File Read DEMO WINDOWS 31
- Slide 32
- Remote File Read DEMO KALI 32
- Slide 33
- Remote File Read 33
- Slide 34
- Remote File Read 34
- Slide 35
- Remote File Read 35
- Slide 36
- Remote File Read Remote Remotes 36
- Slide 37
- Remote File Read 37
- Slide 38
- Remote File Read 38
- Slide 39
- Remote File Read 39
- Slide 40
- Remote File Read 40
- Slide 41
- Remote File Read: VNC Logs
  - Windows: Event Logs, `C:\users\%USERNAME%\Appdata\Local\RealVNC\vncserver.log`
  - Linux: `/var/log/vncserver-x11.log`, `~/.vnc/vncserver-x11.log`, `/var/log/vncserver-virtuald.log`
- Slide 42
- Remote File Read: Many more file paths. Use Your Imagination
- Slide 43
- Questions ??? 43
- Slide 44
- Thanks for Listening
  - All Tools: https://github.com/kevthehermit/dc-toolkit
  - My Blog: https://techanarchy.net
  - My Slides: My Blog & Bsides
  - @kevthehermit
  - mailto: kevin@techanarchy.net