Firewall Wizards mailing list archives

Re: nmapbot: using instant messaging as a remote administration tool


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 6 Oct 2004 14:21:52 -0400 (EDT)

On Tue, 5 Oct 2004, Abe Usher wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've created a small proof of concept named "nmapbot" that shows it is
> possible to use instant messaging as a platform for remote command and
> control of computer systems.

To be fair, we've known that allowed channels can be abused for decades,
instantiating yet another channel isn't all that novel.

> Purpose:
> - --------
> To create a semi-intelligent security bot that uses instant messaging as
> a platform for receiving commands and returning results.
>
> Method:
> - -------
> Using Python, the AOL TOC protocol, Bayesian language processing, and
> nmap 3.70, I hacked together a little bot that can run nmap and ping.
> Future editions will include additional commands =)

What's the purpose of including additional commands?  Won't that just feed
the script kiddies?

> Security pundits have been promoting the idea that IM is unsafe for
> several years...

Actually, some of us have said that user-controlled clients talking to
anything outside the organization is unsafe.  Blocking a particular IM
client or server won't change the fact that (for instance) DNS tunneling
works in most networks[1].  Adding channel obfuscation (varying language
to delineate an action or target) has been a "thing" in e-mail tunnels for
a while, hasn't it?

> nmapbot provides some new considerations to an old idea -- using
> ordinarily legitimate communication channels for unintended purposes.

I really don't see anything new- other than the obvious obfuscation and
tunneling, perhaps you can explain the newness to those of us who missed
it?

Paul
[1] A long time ago in a building not so far away, I wrote an
anti-spoofing filter test tool that talked back to the mothership via DNS-
we had lots and lots of folks run it, and I don't recall it not working
anywhere.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

