Re: [fw-wiz] nmapbot: using instant messaging as a remote administration tool

From: Paul D. Robertson (
Date: 10/06/04

    To: Abe Usher <>
    Date: Wed, 6 Oct 2004 14:21:52 -0400 (EDT)

    On Tue, 5 Oct 2004, Abe Usher wrote:

    > I've created a small proof of concept named "nmapbot" that shows it is
    > possible to use instant messaging as a platform for remote command and
    > control of computer systems.

    To be fair, we've known that allowed channels can be abused for decades;
    instantiating yet another channel isn't all that novel.

    > Purpose:
    > --------
    > To create a semi-intelligent security bot that uses instant messaging as
    > a platform for receiving commands and returning results.
    > Method:
    > -------
    > Using Python, the AOL TOC protocol, Bayesian language processing, and
    > nmap 3.70, I hacked together a little bot that can run nmap and ping.
    > Future editions will include additional commands =)

    What's the purpose of including additional commands? Won't that just feed
    the script kiddies?

    > Security pundits have been promoting the idea that IM is unsafe for
    > several years...

    Actually, some of us have said that user-controlled clients talking to
    anything outside the organization is unsafe. Blocking a particular IM
    client or server won't change the fact that (for instance) DNS tunneling
    works in most networks[1]. Adding channel obfuscation (varying language
    to delineate an action or target) has been a "thing" in e-mail tunnels for
    a while, hasn't it?

    > nmapbot provides some new considerations to an old idea -- using
    > ordinarily legitimate communication channels for unintended purposes.

    I really don't see anything new - other than the obvious obfuscation and
    tunneling. Perhaps you can explain the newness to those of us who missed

    [1] A long time ago in a building not so far away, I wrote an
    anti-spoofing filter test tool that talked back to the mothership via DNS -
    we had lots and lots of folks run it, and I don't recall it not working

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    firewall-wizards mailing list
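    The thread's point is that an allowed channel such as DNS can carry command traffic, so the defensive question is how to spot it in query logs. The following is an added example, not code from the thread or from nmapbot: it scores per-zone DNS queries on label length and entropy over a constructed log; the log lines, zone names and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one "client qname" pair per line.
# The hex-looking labels under tunnel.example are invented to mimic
# data being carried in query names; nothing here is a real indicator.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel.example
10.0.0.7 f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4.tunnel.example
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example
10.0.0.7 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.tunnel.example
10.0.0.5 cdn.example.com
10.0.0.9 img.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = (s.count(c) for c in set(s))
    return -sum(k / n * math.log2(k / n) for k in counts)

def registered_domain(qname: str) -> str:
    """Crude zone key: the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_zones(log: str, min_unique=4, min_label=24, min_entropy=3.5):
    """Return {zone: unique_query_count} for zones whose leftmost labels
    all look like encoded data: many distinct names, long, high entropy.
    Thresholds are assumed starting points, not tuned values."""
    per_zone = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _client, qname = line.split()
        per_zone[registered_domain(qname)].add(qname)
    flagged = {}
    for zone, names in per_zone.items():
        firsts = [n.split(".")[0] for n in names]
        encoded = [f for f in firsts
                   if len(f) >= min_label and shannon_entropy(f) >= min_entropy]
        if len(names) >= min_unique and len(encoded) == len(firsts):
            flagged[zone] = len(names)
    return flagged

if __name__ == "__main__":
    print(suspicious_zones(SAMPLE_LOG))  # {'tunnel.example': 4}
```

    Ordinary zones with short, low-entropy hostnames (www, mail, cdn) pass untouched; only the zone whose every query name carries a long high-entropy label is reported.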
