This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Showing posts with label C&C. Show all posts
Showing posts with label C&C. Show all posts

squidmagic - Analyze a Web-Based Network Traffic to Detect Central Command and Control (C&C) Servers and Malicious Site

March 18, 2017  , , , ,  


squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and Malicious site, using Squid proxy server and Spamhaus.

usage 
squidmagic # python squidmagic.py /var/log/squid3/access.log

                 _     _                       _      
                (_)   | |                     (_)     
 ___  __ _ _   _ _  __| |_ __ ___   __ _  __ _ _  ___ 
/ __|/ _` | | | | |/ _` | '_ ` _ \ / _` |/ _` | |/ __|
\__ \ (_| | |_| | | (_| | | | | | | (_| | (_| | | (__ 
|___/\__, |\__,_|_|\__,_|_| |_| |_|\__,_|\__, |_|\___|
        | |                               __/ |       
        |_|                              |___/        
     Analyzing...

Analyzing by SBL Advisory...
    Spam server detected, ip is 65.182.101.221
Analyzing by SBL_CSS Advisory...
    safe server detected, host or ip is 65.182.101.221
Analyzing by PBL Advisory...
    safe server detected, host or ip is 65.182.101.221

Run server 

<?php
namespace SquidApp\Core;

require dirname(__DIR__) . '/lib/vendor/autoload.php';

$banner = new \SquidApp\Squid();
$squidmagic = new FileSystem();

// output banner
echo $banner->bannerAction();

// Scans a directory for files
$squidmagic->scandirs('squidmagic/Collector path');

// Checks if file exists in certain location 
$squidmagic->fileExists('Collector Path/server.php');

// run server
$squidmagic->openInBackground('Collector Path/lib/bin/');
squidmagic/lib # php squidmagic.php 


                              | |                          
         ___  __ _ _   _ _  __| |_ __ ___   __ _  __ _ _  ___ 
        / __|/ _` | | | | |/ _` | '_ ` _ \ / _` |/ _` | |/ __|
        \__ \ (_| | |_| | | (_| | | | | | | (_| | (_| | | (__ 
        |___/\__, |\__,_|_|\__,_|_| |_| |_|\__,_|\__, |_|\___|
                | |                               __/ |       
                |_|                              |___/ 
                    squidmagic collector started


Read More

BrainDamage - A fully featured backdoor that uses Telegram as a C&C server

March 15, 2017  , , , , , , , , , , , , ,  


A python based backdoor which uses Telegram as C&C server.

                           /\
                          /_.\
                    _,.-'/ `",\'-.,_
                 -~^    /______\`~~-^~:

  ____            _       _____                                   
 |  _ \          (_)     |  __ \                                  
 | |_) |_ __ __ _ _ _ __ | |  | | __ _ _ __ ___   __ _  __ _  ___ 
 |  _ <| '__/ _` | | '_ \| |  | |/ _` | '_ ` _ \ / _` |/ _` |/ _ \
 | |_) | | | (_| | | | | | |__| | (_| | | | | | | (_| | (_| |  __/
 |____/|_|  \__,_|_|_| |_|_____/ \__,_|_| |_| |_|\__,_|\__, |\___|
                                                        __/ |     
                                                       |___/      

--> Coded by: Mehul Jain(mehulj94@gmail.com)
--> Github: https://github.com/mehulj94
--> Twitter: https://twitter.com/wayfarermj
--> For windows only

  ______         _                       
 |  ____|       | |                      
 | |__ ___  __ _| |_ _   _ _ __ ___  ___ 
 |  __/ _ \/ _` | __| | | | '__/ _ \/ __|
 | | |  __/ (_| | |_| |_| | | |  __/\__ \
 |_|  \___|\__,_|\__|\__,_|_|  \___||___/
                                         

--> Persistance
--> USB spreading
--> Port Scanner
--> Router Finder
--> Run shell commands
--> Keylogger
--> Insert keystrokes
--> Record audio
--> Webserver
--> Screenshot logging
--> Download files in the host
--> Execute shutdown, restart, logoff, lock
--> Send drive tree structure
--> Set email template
--> Rename Files
--> Change wallpaper
--> Open website
--> Send Password for
    • Chrome
    • Mozilla
    • Filezilla
    • Core FTP
    • CyberDuck
    • FTPNavigator
    • WinSCP
    • Outlook
    • Putty
    • Skype
    • Generic Network
--> Cookie stealer
--> Send active windows
--> Gather system information
    • Drives list
    • Internal and External IP
    • Ipconfig /all output
    • Platform

Setup
  • Telegram setup:
    • Install Telegram app and search for "BOTFATHER".
    • Type /help to see all possible commands.
    • Click on or type /newbot to create a new bot.
    • Name your bot.
    • You should see a new API token generated for it.
  • Dedicated Gmail account. Remember to check "allow connection from less secure apps" in gmail settings.
  • Set access_token in eclipse.py to token given by the botfather.
  • Set CHAT_ID in eclipse.py. Send a message from the app and use the telegram api to get this chat id.
bot.getMe() will give output {'first_name': 'Your Bot', 'username': 'YourBot', 'id': 123456789}
  • Set copied_startup_filename in Eclipse.py.
  • Set Gmail password and Username in /Breathe/SendData.py

Abilities
  • whoisonline- list active slaves
    This command will list all the active slaves.
  • destroy- delete&clean up
    This command will remove the stub from host and will remove registry entries.
  • cmd- execute command on CMD
    Run shell commands on host
  • download- url (startup, desktop, default)
    This will download files in the host computer.
  • execute- shutdown, restart, logoff, lock
    Execute the following commands
  • screenshot- take screenshot
    Take screenshot of the host of computer.
  • send- passwords, drivetree, driveslist, keystrokes, openwindows
    This command will sends passwords (saved browser passwords, FTP, Putty..), directory tree of host (upto level 2), logged keystrokes and windows which are currently open
  • set- email (0:Default,1:URL,2:Update), filename (0: Itself, 1: Others), keystrokes (text)
    This command can set email template (default, download from url, update current template with text you'll send), rename filenames or insert keystrokes in host.
  • start- website (URL), keylogger, recaudio (time), webserver (Port), spread
    This command can open website, start keylogger, record audio, start webserver, USB Spreading
  • stop- keylogger, webserver
    This command will stop keylogger or webserver
  • wallpaper- change wallpaper (URL)
    Changes wallpaper of host computer
  • find- openports (host, threads, ports), router
    This command will find open ports and the router the host is using
  • help- print this usage

Requirements

Screenshots






For educational purposes only, use at your own responsibility.


Read More
Subscribe to: Posts (Atom)