DarkComet: From Defence to Offence
# whoami: Kevin Breen (@kevthehermit). GCIA, GREM, GCFE, Security+. Independent Researcher. Part-time blogger.
What my friends think I do
What Work thinks I do
What I really do
Disclaimers. Disclaimer One: All views expressed here are mine and are not the views or opinions of my employer. Disclaimer Two: I am not a lawyer. Disclaimer Three: Any use of the tools and techniques described here is at your own discretion and I am not responsible for your actions. Final Disclaimer: The Case Study data that you will see was all generated in my Lab and not from a live engagement.
Agenda: What is DarkComet? Who uses DarkComet? Defence: the usual stuff. Offensive: Discovery; Traffic Load Testing (AKA DoS); Remote File Read. Case Study.
The What & The Who Attribution
What is DarkComet? A Remote Access Trojan (RAT), free and public since 2008. Feature rich: file access, keylogger, download and execute, webcam, audio, and the "fun" functions. Used in the Syrian conflict, after which its author stopped development (2012). No longer developed, no longer updated, but the old builds are still in circulation.
Who uses DarkComet? Script Kiddies. E-Crime: https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/ and http://www.ibtimes.co.uk/criminals-use-jesuischarlie-slogan-spread-darkcomet-malware-1483553 . Governments.
Defensive
Defensive: the usual stuff. IOCs (network and host): Host, Port, Files, Reg Keys. Intelligence: Passwords, Campaign IDs. Static Decode of the stub's embedded config: http://malwareconfig.com and https://kevthehermit.github.io/RATDecoders
Offensive Discovery
Offensive: From the Binary. Host, Port, Password. FTP Credentials. Additional Files: logs, uploads from victims, downloads from our attacker.
Offensive: From Shodan. Port 1604. Banners found (version - banner hex - Shodan hits): DC_2 - 8EA4AB05FA7E - 10; DC_2_PASS - C4A6EB42FC74 - 2; DC_4 - B47CB892B702 - 1; DC_4_PASS - 00798B4A0595 - 0; DC_42 - C7CF9C7CD932 - 1; DC_42_PASS - 61A49CF4910B - 0; DC_42F - 155CAD31A61F - 2; DC_42F_PASS - 82695EF04B68 - 2; DC_5 - 1164805C82EE - 13; DC_5_PASS - 2ECB29F71503 - 0; DC_51 - BF7CAB464EFB - 863; DC_51_PASS - DACA20185D99 - 2. The same banners can be matched with an Nmap script or with MassScan for your own sweeps.
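An added example in Python (not the author's dc-toolkit or RATDecoders code) that ties the two slides above together: the defensive static decode of a stub's DCDATA config, and the offensive banner fingerprint that explains why every version shows up as a fixed hex string on Shodan. It assumes the publicly documented DarkComet scheme: the 5.x config resource and every protocol message are RC4-encrypted under a version string (with the campaign password appended for network traffic) and hex-encoded, and the controller's first message to a connecting stub is "IDTYPE". The config contents, C2 host name and password are constructed for the demo, and the banners the code computes are not checked against the exact values on the slide.

```python
"""DarkComet RC4 helpers: static config decode, banner fingerprinting
and message encoding.  Added example; all sample data is constructed."""
from typing import Dict, Iterable, Optional, Tuple

# Version-specific RC4 key strings (as documented in public decoders).
# The network key is this string with the campaign password appended.
VERSION_KEYS = {
    "DC_2":   b"#KCMDDC2#-890",
    "DC_4":   b"#KCMDDC4#-890",
    "DC_42":  b"#KCMDDC42#-890",
    "DC_42F": b"#KCMDDC42F#-890",
    "DC_5":   b"#KCMDDC5#-890",
    "DC_51":  b"#KCMDDC51#-890",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- Defence: static decode of the stub config --------------------------
def decode_config(dcdata_hex: str, version: str = "DC_51") -> Dict[str, str]:
    """Decrypt the hex-encoded DCDATA resource of a 5.x stub and split it into
    KEY=VALUE pairs.  NETDATA carries host:port and PWD the password; braces
    around values are stripped.  Pulling DCDATA out of the PE (e.g. with
    pefile) is left to the caller."""
    plain = rc4(VERSION_KEYS[version], bytes.fromhex(dcdata_hex))
    config: Dict[str, str] = {}
    for line in plain.decode("latin-1").splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            config[key.strip()] = value.strip("{} ")
    return config


# --- Offence: what a scanner sees on tcp/1604 ---------------------------
def encrypt_message(version: str, password: str, msg: bytes) -> str:
    """Encode one protocol message as both peers do: RC4 under the version
    key + password, sent on the wire as upper-case hex."""
    return rc4(VERSION_KEYS[version] + password.encode(), msg).hex().upper()


def banner_table(password: str = "") -> Dict[str, str]:
    """Controller greeting ('IDTYPE' encrypted) per version.  With an empty
    password this is constant, which is why Shodan can index it."""
    return {v: encrypt_message(v, password, b"IDTYPE") for v in VERSION_KEYS}


def identify_banner(banner_hex: str,
                    passwords: Iterable[str] = ("",)) -> Optional[Tuple[str, str]]:
    """Match a greeting read from tcp/1604 against every version key and each
    candidate password (e.g. passwords recovered by static decode).  Returns
    (version, password) or None; a wrong key never decrypts to 'IDTYPE'."""
    raw = bytes.fromhex(banner_hex)
    for pwd in passwords:
        for version, key in VERSION_KEYS.items():
            if rc4(key + pwd.encode(), raw) == b"IDTYPE":
                return version, pwd
    return None


# Constructed sample: what the DCDATA resource of a 5.1 stub would hold for
# this fictional config.  Hostname and password are made up.
SAMPLE_CONFIG = (b"MUTEX={DC_MUTEX-EXAMPLE}\r\n"
                 b"NETDATA={c2.example.invalid:1604}\r\n"
                 b"PWD={hunter2}\r\n")
SAMPLE_DCDATA = rc4(VERSION_KEYS["DC_51"], SAMPLE_CONFIG).hex().upper()


def demo() -> Tuple[Dict[str, str], str, int, Optional[Tuple[str, str]]]:
    """Decode the sample config, then recognise the controller's greeting."""
    cfg = decode_config(SAMPLE_DCDATA)
    host, port = cfg["NETDATA"].rsplit(":", 1)
    greeting = encrypt_message("DC_51", cfg["PWD"], b"IDTYPE")
    return cfg, host, int(port), identify_banner(greeting, ["", cfg["PWD"]])


if __name__ == "__main__":
    config, c2_host, c2_port, hit = demo()
    print("config  :", config)
    print("c2      :", c2_host, c2_port)
    print("banner  :", hit)
    print("no-pass :", banner_table())
```

The password list passed to `identify_banner` is the bridge between the two halves of the talk: passwords harvested by static decode of stubs let you recognise password-protected controllers that a plain empty-password banner table would miss.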
Offensive: Traffic Load Testing.
Traffic Load Testing. All you need is Host + Port + Password. The connection is reverse: the infected host connects out and sends its data, and the controller trusts whatever arrives, so anything that speaks the protocol can feed it.
Demo (demo gods be kind): DC_Trafficgenerator.py
Remote File Read The fun stuff
Remote File Read. Credits: 2012, Shawn Denbow (@sdenbow_) and Jesse Hertz (@hectohertz), http://matasano.com/research/PEST-CONTROL.pdf . What did they find? You can request any file from the DC Controller: read in the context of the current user, by full path or relative to the DC folder.
Remote File Read Demo Windows
Remote File Read Demo Kali
Remote File Read (demo screenshots). Remote Remotes.
Remote File Read: VNC Logs. Windows: C:\users\%USERNAME%\Appdata\Local\RealVNC\vncserver.log, plus the Event Logs. Linux: /var/log/vncserver-x11.log, ~/.vnc/vncserver-x11.log, /var/log/vncserver-virtuald.log
Remote File Read: many more file paths. Use your imagination.
Questions ???
Thanks for Listening. All Tools: https://github.com/kevthehermit/dc-toolkit . My Blog: https://techanarchy.net . My Slides: My Blog & BSides. @kevthehermit, kevin@techanarchy.net