Slide 1: DarkComet - From Defence to Offence

Slide 2: # whoami
Kevin Breen, @kevthehermit. GCIA, GREM, GCFE, Security+. Independent researcher, part-time blogger.

Slide 3: What my friends think I do
Slide 4: What work thinks I do
Slide 5: What I really do

Slide 6: Disclaimers
Disclaimer One: All views expressed here are mine and are not the views or opinions of my employer.
Disclaimer Two: I am not a lawyer.
Disclaimer Three: Any use of the tools and techniques described here is at your own discretion and I am not responsible for your actions.
Final Disclaimer: The Case Study data that you will see was all generated in my Lab and not from a live engagement.

Slide 7: Agenda
What is DarkComet? Who uses DarkComet?
Defence: The Usual Stuff
Offensive: Discovery; Traffic Load Testing (AKA DoS); Remote File Read; Case Study

Slide 8: The What & The Who - Attribution

Slide 9: What is DarkComet?
Remote Access Trojan (RAT). Free and public since 2008. Feature rich: file access, keylogger, download and execute, webcam, audio, "fun". Used in the Syrian conflict. No longer developed, no longer updated.

Slide 10: Who uses DarkComet? Script Kiddies
Slide 11: Who uses DarkComet? Script Kiddies, E-Crime
Slide 12: Who uses DarkComet?
Slides 13-15: Who uses DarkComet? Script Kiddies, E-Crime (example slides)
Slides 16-17: Who uses DarkComet? Script Kiddies, E-Crime, Governments

Slide 18: Defensive

Slide 19: Defensive
Network IOCs: Host, Port, Files, Reg Keys
Intelligence: Passwords, Campaign IDs
Static Decode

Slide 20: Offensive - Discovery

Slide 21: Offensive - From Binary
Host, Port, Password, FTP Credentials
Additional Files: Logs, Uploads from victims, Downloads from our attacker

Slide 23: Offensive - From Shodan
Port 1604 banners:
DC_2 - 8EA4AB05FA7E - 10
DC_2_PASS - C4A6EB42FC74 - 2
DC_4 - B47CB892B
DC_4_PASS B4A
DC_42 - C7CF9C7CD
DC_42_PASS - 61A49CF4910B - 0
DC_42F - 155CAD31A61F - 2
DC_42F_PASS EF04B68 - 2
DC_ C82EE - 13
DC_5_PASS - 2ECB29F
DC_51 - BF7CAB464EFB - 863
DC_51_PASS - DACA20185D99 - 2

Slide 25: Offensive - From Shodan Banners, Nmap script, MassScan
Port 1604 banners:
DC_2 - 8EA4AB05FA7E
DC_2_PASS - C4A6EB42FC74
DC_4 - B47CB892B702
DC_4_PASS B4A0595
DC_42 - C7CF9C7CD932
DC_42_PASS - 61A49CF4910B
DC_42F - 155CAD31A61F
DC_42F_PASS EF04B68
DC_ C82EE
DC_5_PASS - 2ECB29F71503
DC_51 - BF7CAB464EFB
DC_51_PASS - DACA20185D99

Slide 26: Offensive - Traffic Load Testing

Slide 27: Traffic Load Testing
Host + Port + Password. Reverse connection: the infected host sends data and the controller trusts it.

Slide 28: DEMO (GODS BE KIND) - DC_Trafficgenerator.py

Slide 29: Remote File Read - The fun stuff

Slide 30: Remote File Read - Credits
Shawn and Jesse, 2012. What did they find? You can request any file from the DC Controller, in the context of the current user, by full path or relative to the DC folder.

Slide 31: Remote File Read - Demo Windows
Slide 32: Remote File Read - Demo Kali
Slides 33-35: Remote File Read (demo slides)
Slide 36: Remote File Read - Remote Remotes
Slides 37-40: Remote File Read (demo slides)

Slide 41: Remote File Read - VNC Logs
Windows: C:\users\%USERNAME%\Appdata\Local\RealVNC\vncserver.log
Linux: /var/log/vncserver-x11.log, ~/.vnc/vncserver-x11.log, /var/log/vncserver-virtuald.log
Event Logs

Slide 42: Remote File Read - Many more file paths. Use your imagination.

Slide 43: Questions???

Slide 44: Thanks for Listening
All Tools - My Blog –
My Slides – My Blog & Bsides
@kevthehermit
mailto: