Re: [fw-wiz] nmapbot: using instant messaging as a remote administration tool
From: Paul D. Robertson (paul_at_compuwar.net)
To: Abe Usher <firstname.lastname@example.org> Date: Wed, 6 Oct 2004 14:21:52 -0400 (EDT)
On Tue, 5 Oct 2004, Abe Usher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I've created a small proof of concept named "nmapbot" that shows it is
> possible to use instant messaging as a platform for remote command and
> control of computer systems.
To be fair, we've known that allowed channels can be abused for decades,
instantiating yet another channel isn't all that novel.
> - --------
> To create a semi-intelligent security bot that uses instant messaging as
> a platform for receiving commands and returning results.
> - -------
> Using Python, the AOL TOC protocol, Bayesian language processing, and
> nmap 3.70, I hacked together a little bot that can run nmap and ping.
> Future editions will include additional commands =)
What's the purpose of including additional commands? Won't that just feed
the script kiddies?
> Security pundits have been promoting the idea that IM is unsafe for
> several years...
Actually, some of us have said that user-controlled clients talking to
anything outside the organization is unsafe. Blocking a particular IM
client or server won't change the fact that (for instance) DNS tunneling
works in most networks. Adding channel obfuscation (varying language
to delineate an action or target) has been a "thing" in e-mail tunnels for
a while, hasn't it?
> nmapbot provides some new considerations to an old idea -- using
> ordinarily legitimate communication channels for unintended purposes.
I really don't see anything new- other than the obvious obfuscation and
tunneling, perhaps you can explain the newness to those of us who missed
 A long time ago in a building not so far away, I wrote an
anti-spoofing filter test tool that talked back to the mothership via DNS-
we had lots and lots of folks run it, and I don't recall it not working
Paul D. Robertson "My statements in this message are personal opinions
email@example.com which may have no basis whatsoever in fact."
firstname.lastname@example.org Director of Risk Assessment TruSecure Corporation
firewall-wizards mailing list