Catch me if you can: TOR tricks for bots, shells and general hacking


Presented at Hacker2HackerCon 2014 by

This presentation covers techniques that bots, shells (especially Metasploit's meterpreter) and other hacker tools can use to benefit from the anonymity provided by the TOR network (and possibly other darknets such as I2P and Freenet as well). Starting with the proper configuration of TOR clients, it presents configuration options and the use of bridges and protocol obfuscators (TOR's Pluggable Transports) to achieve maximum anonymity and a low profile against pattern analysis and timing attacks. This configuration is then extended to TOR Hidden Services, in order to provide client authentication and other security advantages. There are plenty of wonderful tools that we use in our hacking that unfortunately aren't proxy aware. TOR uses a SOCKS5 interface to enable DNS-tunneled communication from the external world to the darknet, and we can make those proxy-unaware tools work over the TOR network by using some cool socket binding and bridging tricks. A live demo will be presented (if the internet connection allows; otherwise a video will be shown) of a simple small botnet operating from inside the TOR network (optionally using a tor2web relay if the TOR network is blocked), using obfuscated bridges, Hidden-Service-based HTTP or IRC C&C, multiple C&C addresses and the use of OTP (one-time password) algorithms to achieve synchronized randomization (for low detection) and a primitive DGA (domain generation algorithm), lowering the overall profilability of the botnet. A variant of this botnet will be discussed (and models presented) that moves to a P2P (peer-to-peer) paradigm (as opposed to C&C via Hidden Services). For the remote shells, I'll demonstrate how to use a custom payload dropper (Metasploit Framework payloads in this case) that deploys and configures the TOR client binary, deploys the bind_tcp payload and exposes it to the TOR network over a Hidden Service, for Linux and Windows.

The main objective is to show how it is possible to gain enormous resilience and a low detection rate, for bots and for attacks, without using a single exit node, remaining sunk in the darknet the whole time.

Keywords: TOR, linux, python, darknets, anonymity, bots, botnet, metasploit, malware, meterpreter, windows

Jan Seidl is a *NIX, BSD, C & Python lover. Security consultant and researcher, focused on SCADA security, dedicated pentester and malware reverse engineering rookie with large experience in administering server, network and application security. Speaker at many security and free-software conferences such as Hackers 2 Hackers Conference (BR), CeBIT (DE), Defcon Bangalore (IN), Forum Internacional Software Livre - FISL (BR) and many others. Author of the IT & SCADA security blog http://wroot.org and a book on SCADA security (Segurança de Automação Industrial e SCADA, CAMPUS - 2014), with several other technical papers published, he is currently CTO of TI Safe Segurança da Informação. (http://br.linkedin.com/in/janseidl / http://twitter.com/jseidl)