Firewall Wizards mailing list archives
Re: nmapbot: using instant messaging as a remote administration tool
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 6 Oct 2004 14:21:52 -0400 (EDT)
On Tue, 5 Oct 2004, Abe Usher wrote:
> I've created a small proof of concept named "nmapbot" that shows it is possible to use instant messaging as a platform for remote command and control of computer systems.

To be fair, we've known that allowed channels can be abused for decades, instantiating yet another channel isn't all that novel.

> Purpose:
> --------
> To create a semi-intelligent security bot that uses instant messaging as a platform for receiving commands and returning results.
>
> Method:
> -------
> Using Python, the AOL TOC protocol, Bayesian language processing, and nmap 3.70, I hacked together a little bot that can run nmap and ping. Future editions will include additional commands =)

What's the purpose of including additional commands? Won't that just feed the script kiddies?

> Security pundits have been promoting the idea that IM is unsafe for several years...

Actually, some of us have said that user-controlled clients talking to anything outside the organization is unsafe. Blocking a particular IM client or server won't change the fact that (for instance) DNS tunneling works in most networks[1]. Adding channel obfuscation (varying language to delineate an action or target) has been a "thing" in e-mail tunnels for a while, hasn't it?

> nmapbot provides some new considerations to an old idea -- using ordinarily legitimate communication channels for unintended purposes.

I really don't see anything new- other than the obvious obfuscation and tunneling, perhaps you can explain the newness to those of us who missed it?

Paul

[1] A long time ago in a building not so far away, I wrote an anti-spoofing filter test tool that talked back to the mothership via DNS- we had lots and lots of folks run it, and I don't recall it not working anywhere.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards