Home

Awesome

Flying A False Flag

This repo contains the slides and concept code for my BlackHat USA 2019 talk about Command and Control.

There are three projects in this repo:

CloudRacoon - Clound Hunting

I've provided three scripts for AWS, Azure, and GCP hunting. This involves collecting a random IP, checking it's history for interesting records, and either keeping or releasing it. All of these scripts require valid authentication to the specific provider. AWS is by far the best canidate for collection. The process is fast and there are many orphaned records. It's not uncommon to achieve a 1-3% success rate during a cycle of 100 IPs (taking less than a couple minutes).

Edit 11/2019 - It would appear AWS has begun serving elastic IPs from a small account-specific pool (similar to GCP). This severly limits the diversity of addresses recieved.

> python racoon_aws.py us-west-1 -aK <access_key> -sK <secret_key>

[+] Connected to AWS. Hunting in us-west-1 ... (max: 100)

        +++ 54.241.90.186 : docker.wooagency.com
        +++ 52.8.1.47 : next-donate.sanguinebio.com
        = 52.52.237.229 : 13.52.45.201.hczvxliealbqzvdy.com
        
> python racoon_aws.py -l all -aK <access_key> -sK <secret_key>

[+] us-west-1 has 3

13.52.14.26     :
52.8.1.47       : next-donate.sanguinebio.com
54.241.90.186   : docker.wooagency.com

PostOffice - EWS C2

This project is provided as a python server side, and C++ client side. It requires the most setup with a valid SendGrid API key, authenticated domain, configured MX record, and inbound parse hook.

Setup

  1. Setup a SendGrid account and add an authenticated domain
  2. Select an email address to use, such as c2@[mydomain.com]
  3. Configure the MX record for your mail domain to point to mx.sendgrid.net
  4. Choose a public host for the C2 server, and configure an inbound parse hook in SendGrid (http://[myserver.com]/inbox)

Server

A Python 3 script with uses the bottle HTTP library for inbound hooks, and the sendgrid library for outbound emails.

  1. Put your SG API key and email into post_office.py
  2. Execute the server on your public host to wait for a callback
> python post_office.py

 _____         _   _____ ___ ___ _         
|  _  |___ ___| |_|     |  _|  _|_|___ ___ 
|   __| . |_ -|  _|  |  |  _|  _| |  _| -_|
|__|  |___|___|_| |_____|_| |_| |_|___|___|
        EWS Mail C2 - Proof of Concept

#

Client

A Visual Studio C++ project which compiles into an EXE. It uses WinInet for requests, and is capable of extracting mailbox credentials from the Windows credential vault for authentication.

  1. Place your target email address into client\Exchanger\Exchanger.cpp.
  2. Build the solution and execute. You should recieve a new "callback" on the server.

Notes

Addendum - VirusTotal C2

This is a simple python script the masquerades as both the server in the client. It runs in two phases:

  1. Random data is generated and packing into the HyperlinkBase property of an office document.
  2. The document is uploaded to VT and the script waits until analysis finishes
  3. A comment is made on the new sample using the account credentials provided
  1. The "client" code now pulls a list of comments using only the username of the account
  2. The sample is identified, downloaded, and the random data is extracted.
  3. The data is checked to ensure it matches

Naturally these steps could be performed in seperate code, with each one uploading, tagging, and pulling down samples.

Notes