Re: [fw-wiz] nmapbot: using instant messaging as a remote administration tool

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 10/06/04

  • Next message: R. DuFresne: "[fw-wiz] how prevelant"
    To: Abe Usher <abe.usher@sharp-ideas.net>
    Date: Wed, 6 Oct 2004 14:21:52 -0400 (EDT)
    
    

    On Tue, 5 Oct 2004, Abe Usher wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > I've created a small proof of concept named "nmapbot" that shows it is
    > possible to use instant messaging as a platform for remote command and
    > control of computer systems.

    To be fair, we've known that allowed channels can be abused for decades;
    instantiating yet another channel isn't all that novel.

    > Purpose:
    > --------
    > To create a semi-intelligent security bot that uses instant messaging as
    > a platform for receiving commands and returning results.
    >
    > Method:
    > -------
    > Using Python, the AOL TOC protocol, Bayesian language processing, and
    > nmap 3.70, I hacked together a little bot that can run nmap and ping.
    > Future editions will include additional commands =)

    What's the purpose of including additional commands? Won't that just feed
    the script kiddies?

    > Security pundits have been promoting the idea that IM is unsafe for
    > several years...

    Actually, some of us have said that user-controlled clients talking to
    anything outside the organization is unsafe. Blocking a particular IM
    client or server won't change the fact that (for instance) DNS tunneling
    works in most networks[1]. Adding channel obfuscation (varying language
    to delineate an action or target) has been a "thing" in e-mail tunnels for
    a while, hasn't it?

    >
    > nmapbot provides some new considerations to an old idea -- using
    > ordinarily legitimate communication channels for unintended purposes.

    I really don't see anything new, other than the obvious obfuscation and
    tunneling. Perhaps you can explain the newness to those of us who missed
    it?

    Paul
    [1] A long time ago in a building not so far away, I wrote an
    anti-spoofing filter test tool that talked back to the mothership via DNS;
    we had lots and lots of folks run it, and I don't recall it not working
    anywhere.
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
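
The DNS "talk back to the mothership" channel Paul mentions in [1], and the kind of check a resolver log would need to catch it, as an added example written for this page. It is neither Paul's tool nor Abe's nmapbot. The zone updates.example.net, the scan-result payload and the log lines are constructed for illustration, and grouping query names by their last two labels is a simplification standing in for a Public Suffix List lookup.

```python
"""Data in DNS query names (the covert channel) and a first-pass detector.

Added example, not code from the firewall-wizards thread. The zone, payload
and log lines below are constructed; nothing here touches the network."""
import base64
from collections import defaultdict

MAX_LABEL = 63                       # RFC 1035: a label is at most 63 octets
LABELS_PER_QUERY = 2                 # 2 * 63 data chars keeps each name well under 253 octets
TUNNEL_ZONE = "updates.example.net"  # assumed attacker-controlled zone (constructed)

# Constructed payload: the sort of thing a scanning bot would send home.
PAYLOAD = (
    b"host 10.0.0.5 up\n22/tcp open ssh\n80/tcp open http\n443/tcp open https\n"
    b"3306/tcp filtered mysql\nhost 10.0.0.6 up\n22/tcp open ssh\n"
    b"8080/tcp open http-proxy\nhost 10.0.0.7 down\nhost 10.0.0.8 up\n"
    b"25/tcp open smtp\nscan complete: 3 hosts, 7 open ports\n"
)


def encode_queries(payload: bytes, zone: str = TUNNEL_ZONE) -> list[str]:
    """Client side: split payload into names shaped s<seq>.<b32>.<b32>.<zone>.

    Base32 survives case folding by intermediate resolvers; the sequence
    label lets the receiving server reassemble queries that arrive out of
    order or through several caching resolvers."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    per_query = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        chunk = text[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([f"s{seq}", *labels, zone]))
    return names


def decode_queries(names: list[str], zone: str = TUNNEL_ZONE) -> bytes:
    """Server side: keep names under our zone, order by sequence, rebuild."""
    suffix = "." + zone
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq_label, *labels = name[: -len(suffix)].split(".")
        chunks[int(seq_label[1:])] = "".join(labels)
    text = "".join(chunks[i] for i in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)   # restore the padding stripped on send
    return base64.b32decode(text)


def flag_tunnels(log_lines: list[str], min_unique: int = 4, min_label: int = 40) -> dict:
    """Per-zone features from 'timestamp client qname' resolver log lines.

    A zone is flagged when it sees many distinct names AND at least one
    oversized label. Legitimate hostnames are short; tunnelled data has to
    fill labels to move anything. Zone = last two labels (simplification;
    real code would consult the Public Suffix List)."""
    names_per_zone = defaultdict(set)
    longest_label = defaultdict(int)
    for line in log_lines:
        qname = line.split()[-1].rstrip(".")
        labels = qname.split(".")
        zone = ".".join(labels[-2:])
        names_per_zone[zone].add(qname)
        for label in labels[:-2]:
            longest_label[zone] = max(longest_label[zone], len(label))
    report = {}
    for zone, names in names_per_zone.items():
        report[zone] = {
            "unique_names": len(names),
            "longest_label": longest_label[zone],
            "flagged": len(names) >= min_unique and longest_label[zone] >= min_label,
        }
    return report


def sample_log() -> list[str]:
    """Constructed resolver log: a little benign traffic plus the tunnel."""
    benign = ["www.example.com", "mail.example.com", "www.example.com",
              "ns1.example.com", "time.example.org"]
    queries = benign + encode_queries(PAYLOAD)
    return [f"2004-10-05T14:21:{i:02d} 10.1.2.3 {q}" for i, q in enumerate(queries)]


if __name__ == "__main__":
    names = encode_queries(PAYLOAD)
    print(f"{len(names)} queries, e.g. {names[0][:60]}...")
    assert decode_queries(list(reversed(names))) == PAYLOAD
    for zone, feats in flag_tunnels(sample_log()).items():
        print(zone, feats)
```

Run stand-alone it prints the per-zone report; only example.net trips both thresholds. The label-length rule is deliberately crude: a patient bot can stay under any fixed threshold by sending less per query, which is why production detection adds query volume per client, NXDOMAIN ratio and label entropy to the picture.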

