
List:       firewall-wizards
Subject:    Re: [fw-wiz] nmapbot: using instant messaging as a remote administration
From:       "Paul D. Robertson" <paul () compuwar ! net>
Date:       2004-10-06 18:21:52
Message-ID: Pine.LNX.4.58.0410061408220.26351 () bat ! clueby4 ! org

On Tue, 5 Oct 2004, Abe Usher wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've created a small proof of concept named "nmapbot" that shows it is
> possible to use instant messaging as a platform for remote command and
> control of computer systems.

To be fair, we've known that allowed channels can be abused for decades;
instantiating yet another channel isn't all that novel.

> Purpose:
> - --------
> To create a semi-intelligent security bot that uses instant messaging as
> a platform for receiving commands and returning results.
>
> Method:
> - -------
> Using Python, the AOL TOC protocol, Bayesian language processing, and
> nmap 3.70, I hacked together a little bot that can run nmap and ping.
> Future editions will include additional commands =)

What's the purpose of including additional commands?  Won't that just feed
the script kiddies?

> Security pundits have been promoting the idea that IM is unsafe for
> several years...

Actually, some of us have said that user-controlled clients talking to
anything outside the organization is unsafe.  Blocking a particular IM
client or server won't change the fact that (for instance) DNS tunneling
works in most networks[1].  Adding channel obfuscation (varying language
to delineate an action or target) has been a "thing" in e-mail tunnels for
a while, hasn't it?

>
> nmapbot provides some new considerations to an old idea -- using
> ordinarily legitimate communication channels for unintended purposes.

I really don't see anything new- other than the obvious obfuscation and
tunneling, perhaps you can explain the newness to those of us who missed
it?

Paul
[1] A long time ago in a building not so far away, I wrote an
anti-spoofing filter test tool that talked back to the mothership via DNS-
we had lots and lots of folks run it, and I don't recall it not working
anywhere.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul@compuwar.net       which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
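The thread's point is that any permitted outbound channel (DNS, e-mail, IM) can carry command and control, so the defensive question is how to spot the abuse rather than which client to block. The following is an added example, not code from the original mail or from nmapbot: a small Python heuristic that flags DNS queries whose subdomain labels look like encoded payload (very long, high-entropy labels) and tallies per-client query volume per zone, run over a constructed DNS log. The log format (timestamp, client, qname, qtype), the thresholds, and the "last two labels are the zone" approximation are all assumptions; a real deployment would use a public-suffix list and tune thresholds against its own baseline.

```python
import math
from collections import Counter

# Constructed sample DNS query log: "timestamp client qname qtype". Not real traffic;
# the two long hex labels imitate what an encoded-payload tunnel query tends to look like.
SAMPLE_LOG = """\
2004-10-06T18:21:01 10.0.0.12 www.example.com A
2004-10-06T18:21:02 10.0.0.12 mail.example.com MX
2004-10-06T18:21:03 10.0.0.12 3f9a1c77e2b0d4a6c1f8e9b2a7d3c5e4f6a8b9c0.t.example.net TXT
2004-10-06T18:21:04 10.0.0.12 0b6e44d1a9f3c7e8b2d5a1c4f9e7b3d6a8c2e5f1.t.example.net TXT
2004-10-06T18:21:05 10.0.0.34 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def query_features(qname):
    """Split a query name into zone and subdomain and measure the subdomain labels.

    Assumption: the registrable zone is the last two labels. Real code should
    consult a public-suffix list so that e.g. 'co.uk' is handled correctly.
    """
    labels = qname.rstrip(".").split(".")
    zone = ".".join(labels[-2:])
    sub_labels = labels[:-2]
    longest = max(sub_labels, key=len, default="")
    return {
        "zone": zone,
        "longest_label_len": len(longest),
        "longest_label_entropy": shannon_entropy(longest),
    }

def is_suspicious(qname, min_label_len=30, min_entropy=3.5):
    """Heuristic: a long, high-entropy subdomain label is consistent with encoded data.

    Thresholds are assumptions chosen for this example; hex-encoded data tops out
    near 4.0 bits/char, ordinary hostnames are short and far lower in entropy.
    """
    f = query_features(qname)
    return (f["longest_label_len"] >= min_label_len
            and f["longest_label_entropy"] >= min_entropy)

def analyze(log_text):
    """Return (flagged queries, per-(client, zone) query counts) for a log in the
    constructed format above. The counts support a second, volume-based check:
    a tunnel also shows up as one client hammering one zone."""
    flagged = []
    zone_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        zone_counts[(client, query_features(qname)["zone"])] += 1
        if is_suspicious(qname):
            flagged.append((client, qname, qtype))
    return flagged, zone_counts

if __name__ == "__main__":
    hits, counts = analyze(SAMPLE_LOG)
    for client, qname, qtype in hits:
        print(f"suspicious: {client} {qtype} {qname}")
    for (client, zone), n in counts.most_common():
        print(f"{client} -> {zone}: {n} queries")
```

Label length and entropy alone produce false positives (CDN and anti-spam hostnames are often long and random-looking), which is why the per-client, per-zone counts are returned alongside the flags: the combination of odd-looking labels and sustained volume to a single zone is a much stronger signal than either on its own.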
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards