From Defence to offence


1 From Defence to offence
DarkComet

2 # whoami
Kevin Breen, @kevthehermit
GCIA, GREM, GCFE, Security+
Independent Researcher, part-time blogger

3 What my friends think I do

4 What Work thinks I do

5 What I really do

6 Disclaimers
Disclaimer One: All views expressed here are mine and are not the views or opinions of my employer.
Disclaimer Two: I am not a lawyer.
Disclaimer Three: Any use of the tools and techniques described here is at your own discretion and I am not responsible for your actions.
Final Disclaimer: The case study data that you will see was all generated in my lab and not from a live engagement.

7 Agenda
What is DarkComet?
Who uses DarkComet?
Defence: The Usual Stuff
Offensive: Discovery, Traffic Load Testing (AKA DOS), Remote File Read
Case Study

8 The What & The Who: Attribution

9 What is DarkComet
Remote Access Trojan (RAT)
Free and public since 2008
Feature rich: file access, keylogger, download and execute, webcam, audio, "fun"
Used in the Syrian conflict
No longer developed, no longer updated

10-17 Who uses Dark Comet
Script Kiddies
E Crime
Governments

18 Defensive

19 Defensive
Network IOCs: Host, Port, Files, Reg Keys
Intelligence: Passwords, Campaign IDs
Static Decode

20 Offensive Discovery

21 Offensive: From Binary
Host, Port, Password
FTP Credentials
Additional Files: LOGS, Uploads from victims, Downloads from our attacker


23 Offensive: From Shodan
Port: 1604
Banners:
DC_2 - 8EA4AB05FA7E - 10
DC_2_PASS - C4A6EB42FC74 - 2
DC_4 - B47CB892B
DC_4_PASS B4A
DC_42 - C7CF9C7CD
DC_42_PASS - 61A49CF4910B - 0
DC_42F - 155CAD31A61F - 2
DC_42F_PASS EF04B68 - 2
DC_ C82EE - 13
DC_5_PASS - 2ECB29F
DC_51 - BF7CAB464EFB - 863
DC_51_PASS - DACA20185D99 - 2


25 Offensive: From Shodan
Port: 1604
Nmap script, MassScan
Banners:
DC_2 - 8EA4AB05FA7E
DC_2_PASS - C4A6EB42FC74
DC_4 - B47CB892B702
DC_4_PASS B4A0595
DC_42 - C7CF9C7CD932
DC_42_PASS - 61A49CF4910B
DC_42F - 155CAD31A61F
DC_42F_PASS EF04B68
DC_ C82EE
DC_5_PASS - 2ECB29F71503
DC_51 - BF7CAB464EFB
DC_51_PASS - DACA20185D99
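Added example tying slide 19 (static decode of host, port, password and campaign ID) to the port-1604 banners on slides 23 and 25. This is my own code, not Kevin Breen's tools or anything shown in the talk. It assumes: the per-version RC4 keys published in Kevin Breen's RATDecoders DarkComet module; a config layout of KEY=<hex RC4 ciphertext> lines (the sample config is constructed here, not taken from a real binary); that the network key is the version key with the operator password appended; and that the 12-hex-char banners are the controller's first handshake string IDTYPE under that key (the _PASS entries being the password-appended variant). The hash values on the slides are not checked against this.

```python
"""RC4 helpers: DarkComet config decode and C2 banner fingerprinting.
Added example; keys and layouts are assumptions noted in the comments."""
import binascii
from typing import Dict, Iterable, Optional

# Per-version RC4 keys as published in Kevin Breen's RATDecoders (DarkComet.py).
VERSION_KEYS = {
    "DC_2": "#KCMDDC2#-890",
    "DC_4": "#KCMDDC4#-890",
    "DC_42": "#KCMDDC42#-890",
    "DC_42F": "#KCMDDC42F#-890",
    "DC_5": "#KCMDDC5#-890",
    "DC_51": "#KCMDDC51#-890",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dc_key(version: str, password: str = "") -> bytes:
    """Assumption: network key = version key + operator password;
    the embedded config is decoded with the version key alone."""
    return (VERSION_KEYS[version] + password).encode()


def decode_config(config_text: str, version: str) -> Dict[str, str]:
    """Decode KEY=<hex RC4 ciphertext> lines (assumed DCDATA-style layout)."""
    key = dc_key(version)
    fields = {}
    for line in config_text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue  # header/footer marker lines carry no encrypted value
        name, hexval = line.split("=", 1)
        fields[name.strip()] = rc4(key, binascii.unhexlify(hexval.strip())).decode("latin-1")
    return fields


def extract_iocs(fields: Dict[str, str]) -> Dict[str, object]:
    """Pull the slide-19 indicators (host, port, password, campaign ID, mutex)."""
    host, _, port = fields.get("NETDATA", "").rpartition(":")
    return {
        "host": host,
        "port": int(port) if port.isdigit() else None,
        "password": fields.get("PWD", ""),
        "campaign": fields.get("SID", ""),
        "mutex": fields.get("MUTEX", ""),
    }


def expected_banner(version: str, password: str = "") -> str:
    """Hex of 'IDTYPE' (assumed first controller handshake string) under the
    session key: 6 bytes, i.e. 12 hex chars like the slide banners."""
    return rc4(dc_key(version, password), b"IDTYPE").hex().upper()


def fingerprint_banner(banner_hex: str, passwords: Iterable[str] = ("",)) -> Optional[str]:
    """Name the version (suffix _PASS when a password was in play) whose
    handshake matches an observed banner, or None when nothing matches."""
    banner_hex = banner_hex.strip().upper()
    passwords = tuple(passwords)
    for version in VERSION_KEYS:
        for pw in passwords:
            if expected_banner(version, pw) == banner_hex:
                return version if pw == "" else version + "_PASS"
    return None


def build_sample_config(version: str = "DC_51") -> str:
    """CONSTRUCTED sample config (not from a real binary) in the assumed layout."""
    plain = {
        "MUTEX": "DC_MUTEX-EXAMPLE",
        "SID": "Campaign01",
        "NETDATA": "c2.example.invalid:1604",
        "PWD": "s3cret",
    }
    key = dc_key(version)
    lines = ["#BEGIN DARKCOMET DATA --"]
    lines += [f"{k}={rc4(key, v.encode()).hex().upper()}" for k, v in plain.items()]
    lines.append("#EOF DARKCOMET DATA --")
    return "\n".join(lines)


if __name__ == "__main__":
    iocs = extract_iocs(decode_config(build_sample_config(), "DC_51"))
    print("IOCs:", iocs)
    # Banner a controller built from that config would send on connect; the same
    # 6 bytes seen first on a server-to-client stream to 1604 are a strong C2 indicator.
    banner = expected_banner("DC_51", iocs["password"])
    print("banner:", banner, "->", fingerprint_banner(banner, ("", iocs["password"])))
```

For a network sensor the useful part is expected_banner: precompute it for every version (and any passwords recovered by static decode), and alert when a server's first 6 bytes on port 1604 match one of them. Because the same key drives both the config and the handshake, one decoded sample yields both host/port IOCs and the exact banner its controller will present.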

26 Offensive Traffic Load testing

27 Traffic Load Testing
Host + Port + Password
Reverse connection: infected host sends data, controller trusts it

28 DEMO GODS BE KIND DC_Trafficgenerator.py

29 Remote File Read The fun stuff

30 Remote File Read
Credits: 2012, Shawn, Jesse
What did they find? You can request any file from the DC Controller:
In the context of the current user
Full path or relative to the DC folder

31 Remote File Read: Demo (Windows)

32 Remote File Read: Demo (Kali)

33-35 Remote File Read

36 Remote File Read: Remote Remotes

37-40 Remote File Read

41 Remote File Read: VNC Logs
Windows: C:\users\%USERNAME%\Appdata\Local\RealVNC\vncserver.log
Linux: /var/log/vncserver-x11.log, ~/.vnc/vncserver-x11.log, /var/log/vncserver-virtuald.log
Event Logs

42 Remote File Read: Many more file paths, use your imagination

43 Questions ???

44 Thanks for Listening
All Tools - My Blog –
My Slides – My Blog & Bsides
@kevthehermit
mailto:

