This paper demonstrates a unique kind of communication technique between an attacker machine and a victim machine during the exploitation of a victim system. Usually, when an attacker exploits a remote system and gets a remote command prompt (remote shell), the attacker is only able to execute commands while the session from the remote machine is open (established). When exploiting a system in the normal way, the attacker and the victim system both have to be online if the attacker wants to execute commands on the remote machine (victim machine). This paper demonstrates how an attacker can attack a remote victim without being online (the attacker may or may not be online AND the victim may or may not be online).
During the exploitation of a vulnerable remote system (victim system), after triggering the vulnerability, the attacker sends a payload and gets a remote command prompt on his/her (the attacker's) machine. With this kind of normal payload, the limitation for the attacker is that once the session expires or the shell is terminated, the attacker can't execute commands on the remote machine (victim computer). This white paper demonstrates a new type of payload with which an attacker can execute commands on the remote machine (victim system) without directly connecting to the victim machine, while also fooling antivirus, firewalls, etc.
In the general scenario, if the attacker gets a remote command prompt and executes commands in the current session, there is direct communication (a connection) between the attacker and the victim machine. By using this paper's mechanism we can avoid direct communication (a connection) between attacker and victim. For this, we use an intermediate server (zombie) that is up and running all the time (24x7). In our case, we use an email service like Gmail, Yahoo, MSN, etc. as this zombie. The whole system works as explained below.
The attacker infects the remote system with an executable, which can be delivered by one of the methods mentioned below:
- By autorun.inf
- During Metasploit exploitation
- Through physical access to the victim system
Once the executable is up and running on the remote machine (victim machine), whenever the victim connects to the internet it first checks the Gmail inbox for the instructions set by the attacker. Now let's say the attacker wants to execute the command 'ipconfig' on the remote machine (victim machine); then the attacker has to send an email with the subject 'ipconfig' to his own email address. Because the username and password are already stored, encrypted, in the executable file on the victim machine (remote machine), as soon as the victim comes online that executable automatically logs in to the attacker's Gmail account and reads all the command instructions loaded by the attacker.
It executes the commands of the attacker's choice and attaches the results to the attacker's Gmail account. The attacker simply has to download that attachment, which contains the command output from the victim machine. So there is an email service (Gmail) between the attacker and the victim machine. That shows that the attacker can execute commands on the victim system while there is no direct connection between the attacker and the victim machine, and if the attacker uses Tor (The Onion Router browser) or anonymizers for accessing the Gmail account, then the attacker can never be caught (no reverse traces). It is something like Attacker <-> email service <-> Victim. So the life cycle is as shown below:
[Figure: Attacker (Tor, Anonymizers) <-> Email service (Gmail, Yahoo, etc.) <-> Victim; proxy case scenario]
Let's say you have infected a remote system with this exe and you want account info, drive info and network info from the remote machine (victim machine); then you have to send an email to your own account (note: this account is also monitored and shared by the injected exe on the remote victim machine) with the subjects account_info, driveinfo and networkinfo, as shown in the figure on the next page.
Once the email with the appropriate subject is sent to your account, it is time for the remote machine (victim machine) to come online and fetch the instruction given by the intruder (in this approach, the "Attacker"). As the victim system comes online, it executes the commands the attacker asked for, redirects the command output to a .data file and finally attaches this file to your email account automatically. Hence, by simply downloading this file you get all the cmd output in the attached .data file, as shown in the figure below.
In the figure above you can clearly see that all the required outputs are attached in your email account!
- The advantage is that the attacker is never going to be caught if he/she uses a browser like Tor, Anonymizer, VPNs or any proxy for accessing the attacking Gmail account.
- No antivirus can detect the instruction data because all traffic comes over HTTPS, and antivirus software and network intrusion detection software simply see an outbound connection to Gmail!
- Only a single Gmail account is required. The attacker and the victim machine are both connected to the same account, but the attacker knows this and the victim doesn't!
The disadvantage is that if the victim has a habit of checking the current connections using commands like 'netstat -n', there is a possibility of detecting the Gmail connection when there is actually no browser activity. But it is still difficult to detect because the process runs in hidden mode.
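The netstat-based check described above can be automated on the defender's side. The following Python script is an added example, not code from the paper: it parses constructed `netstat -ano` output, keeps established connections to mailbox-protocol ports (POP3/IMAP/SMTP submission, an assumption, since the paper only says the executable logs in to Gmail), and flags any owning process whose image is not a known browser or mail client. The sample output, process names (including `update_svc.exe`) and addresses are all constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49812     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49833     203.0.113.10:993       ESTABLISHED     5572
  TCP    192.168.1.20:49840     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49851     203.0.113.10:587       ESTABLISHED     5572
  UDP    0.0.0.0:5353           *:*                                    1304
"""
# Constructed PID -> image-name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {4120: "chrome.exe", 5572: "update_svc.exe", 4: "System", 1304: "svchost.exe"}

# Mailbox-protocol ports an email-polling agent would need (POP3/IMAP/SMTP submission).
MAIL_PORTS = {110, 143, 465, 587, 993, 995}
# Images that legitimately hold such connections on a workstation (extend per environment).
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

class Conn(NamedTuple):
    remote_ip: str
    remote_port: int
    state: str
    pid: int

# Matches a TCP row: local address, remote ip:port, state, PID (UDP rows carry no state).
_TCP_ROW = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def parse_netstat(text: str) -> List[Conn]:
    """Parse the TCP rows of `netstat -ano`; the header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = _TCP_ROW.match(line)
        if m:
            rows.append(Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rows

def find_suspicious_mail_connections(netstat_text: str, pid_to_image: Dict[int, str]) -> List[Conn]:
    """Return established connections to mail ports whose owner is not a known mail client or browser."""
    flagged = []
    for c in parse_netstat(netstat_text):
        if c.state != "ESTABLISHED" or c.remote_port not in MAIL_PORTS:
            continue
        if pid_to_image.get(c.pid, "<unknown>").lower() not in EXPECTED_MAIL_CLIENTS:
            flagged.append(c)
    return flagged

if __name__ == "__main__":
    for c in find_suspicious_mail_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"pid {c.pid} ({SAMPLE_PROCESSES.get(c.pid)}) -> {c.remote_ip}:{c.remote_port} [{c.state}]")
```

Gmail reached purely over HTTPS on port 443 is not separable from browsing by port alone; that case needs the owning-process check combined with DNS or TLS SNI data, which this example does not include.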
So by using the above technique, the attacker has to send commands as the subject of an email to his/her own email address; they are then fetched and executed on the victim machine by the executable running there, and the results of those commands are sent back to the attacker's email account as an attachment. So there is no need for both attacker and victim to be online at the same time. Antivirus and firewalls are bypassed by this technique because the AV and firewall only notice that the victim system connects to Gmail (not to the attacker's machine for transferring data), and it uses Gmail's HTTPS encryption for transferring the data (no chance of signature-based detection because of HTTPS), so they don't find any threat to the victim machine, and there are no security alarms!