Re: [fw-wiz] nmapbot: using instant messaging as a remote administration tool

From: Kevin (KKadow_at_gmail.com)
Date: 10/06/04

  • Next message: Bennett Todd: "Re: [fw-wiz] Log checking?"
    To: Abe Usher <abe.usher@sharp-ideas.net>
    Date: Wed, 6 Oct 2004 00:15:01 -0500
    
    

    I do not want to discourage you, however this is not new ground.

    On Tue, 05 Oct 2004 00:53:14 -0400, Abe Usher <abe.usher@sharp-ideas.net> wrote:
    > I've created a small proof of concept named "nmapbot" that shows it is
    > possible to use instant messaging as a platform for remote command and
    > control of computer systems.

    I guess you haven't had the joy of dealing with any of the dozens of
    Windows trojans in the past several years (SDbot, etc) which carry
    remote backdoor IRC bots, some of which include nmap explicitly.

    The first documented instance I can find (in a cursory search) of an
    IRC bot with nmap hooks dates to 1999, implemented by Yasholomew
    Yashinski.

    > Purpose:
    > - --------
    > To create a semi-intelligent security bot that uses instant messaging as
    > a platform for receiving commands and returning results.
    >
    > Method:
    > - -------
    > Using Python, the AOL TOC protocol, Bayesian language processing, and
    > nmap 3.70, I hacked together a little bot that can run nmap and ping.
    > Future editions will include additional commands =)

    Bayesian language processing?

    > Security pundits have been promoting the idea that IM is unsafe for
    > several years...

    Absolutely. However this type of "willing agent" insider attack may
    not be a particularly good example of the reasons why pundits are so
    down on IM protocols across security boundaries.

    > nmapbot provides some new considerations to an old idea -- using
    > ordinarily legitimate communication channels for unintended purposes.

    I'll admit that doing this with AOL Instant Messenger may be a new twist.

    You might want to look into tying into GPG to provide authentication
    of the command channel. With the wrong (or right) options, nmap can
    look a lot like a DoS...

    Kevin
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Bennett Todd: "Re: [fw-wiz] Log checking?"