Home page logo

dailydave logo Dailydave mailing list archives

Re: Better, more FLAME-like, penetration testing
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 27 Sep 2013 16:17:36 -0400

[resending because of RAID controller mishaps]

Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE , just not as great on payload protection. 

Daniel Uriah Clemens

I knew Wes pretty well, back from when he worked with Justine at ISS.
And of course, keep in mind he named his Mosquito project MOSREF, as a
bit of a play on the CANVAS remote compiler core, MOSDEF. Frankly,
there's only a slight difference between injecting LISP and injecting
Python at that layer.

But the design of INNUENDO is a lot more than "put a dynamic language in
memory" - it's about building an entire stack aimed at covert
communications and behavior. MOSDEF and CORE and Meterpreter and
Mosquito and all manner of things are essentially connection bound. You
can see them as a tree, spawning downwards from patient zero. Even when
they are going over UDP, they are doing so with a persistent connection.
This model is even built into their nomenclature and DB schemas. And
it's wrong.

But compare that to the C&C structure for FLAME (and I can't link to
this enough because it should be required daily reading for everyone in
this business):

That is the operational plan INNUENDO models. Even for the most basic
things: moving a big file from point A to point B. INNUENDO has a built
in resilient bit-torrent like protocol. If the implant can't connect for
a few days, and then gets back online, it'll auto-resume, while at the
same time handling whatever other requests have come in for it.

Admittedly, I think the Python part of it is important. There's
something about being able to adjust your operational plans faster than
incident response teams, while using the same toolkit. But INNUENDO is
not just "can package Python into Lsass" any more than Flame is about
how to build a web proxy in Lua.


Attachment: signature.asc
Description: OpenPGP digital signature

Dailydave mailing list
Dailydave () lists immunityinc com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]