Dropbox for the Empire


ON MAY 13, 2017 / BY BNEG

Now that the Empire project has released the Dropbox listener module to
the public with v2, let's get it set up. For organizations that are not
blocking Dropbox, this is an excellent and highly reliable C2 channel.

It can probably go without saying that one of the coolest things about this
module is that the attacker's network is never revealed to the victim: the
agent only ever talks to Dropbox, and so does the Empire server. The
downside is that blocking Dropbox's IP ranges (or its API domains) shuts
this down completely, since there is no fallback channel. Pros and cons to
be considered if you decide to use this for an engagement.

This post will walk through getting your API key, configuring a listener and
a stager, and finally some research into why you should tweak your
listener sleep and jitter settings.

To get started you'll first need to generate a Dropbox API access token.
This token lets both the agent and the Empire server authenticate to your
Dropbox account for C2 comms. It is embedded in the stager, so anyone who
recovers the stager (the target, or a defender analyzing it) gets full
access to that account; I highly recommend creating a new Dropbox account
for just this purpose and keeping nothing else in it.

Generate your API key

1. Create a Dropbox account
2. Go to “My Apps” on the Dropbox Developers site
3. “Create App” and choose “Dropbox API”
4. Choose “App Folder”
5. Name your app, e.g. “EmpireC2”
6. In the settings for your new app, generate a new access token (picture below)
7. Copy or save your access token somewhere

Note that Dropbox has since moved to short-lived access tokens by default: a
token generated from the App Console now expires after a few hours unless
the app obtains a refresh token through the OAuth flow, so check the token's
expiry before relying on it for a long engagement.

Generating your access token

Configure your listener

Now that you have your access token, let's configure a listener in Empire.

(Empire) > listeners
(Empire: listeners) > uselistener dropbox
(Empire: listeners/dropbox) > info

Your listener module name is probably different

(Empire: listeners/dropbox) > set APIToken [YOUR TOKEN HERE]
(Empire: listeners/dropbox) > execute

The info screen also lists DefaultDelay and DefaultJitter, the initial sleep
and jitter for agents that stage through this listener; the traffic analysis
below is the reason to change them from the defaults rather than fixing
them per agent afterwards.

Create and execute your stager

(Empire: listeners) > usestager multi/launcher dropbox
(Empire: stager/multi/launcher) > info

Set any options you want to change from the defaults

(Empire: stager/multi/launcher) > execute

You can also generate a stager immediately after executing the listener

(Empire: listeners/dropbox) > launcher powershell

Base64 encoded PowerShell

Now you're ready to execute this on the target or drop it into the payload
of your choice. Of course, the dropbox listener can also be used with the
regsvr32, hta, and other stagers available in Empire.

What does this traffic look like on the network?

Using Dropbox is cool and all, but what does our beacon actually look like
on the network? To find out, I fired up Wireshark on my Mac, where the
Dropbox folder-sync client was running. I had no other connections to
Dropbox, so this served as a baseline for “normal” Dropbox traffic when no
files are changing. In other words, I wanted to know what the Dropbox
client's own idle check-in activity looks like, so I could emulate it more
accurately.

Viewing the captured data, I could see that the client sends TLS session
packets with lengths fairly evenly distributed between 80 and 1281 bytes,
and Dropbox returns a 66-byte frame (54% of the traffic). A 66-byte frame
is exactly an Ethernet header (14 bytes), an IPv4 header (20) and a TCP
header with the timestamp option (32), i.e. a bare TCP ACK, so this is most
likely transport-level acknowledgement rather than an application-level
“no change” reply; the actual application data rides in the larger
encrypted records. The capture filter used known Dropbox IP ranges (DNS
resolution wasn't reliable):

net 162.125.0.0/16 or net 45.58.64.0/20 or net 108.160.160.0/20 or net 185.45.8.0/22 or net 199.47.216.0/22

~15 minutes of Dropbox client activity, showing 100ms interval

What I see from this capture is roughly a check-in every 30-60 seconds with
some pseudo-random jitter. Without diving further into Dropbox's protocol,
a 60-second check-in interval is a reasonable starting point.

Using the same capture filter, this is what a 60 second interval with no
jitter looks like:

~15 minutes of Empire Dropbox C2 activity, showing 100ms interval

That just screams beacon activity: the interval is almost perfectly regular.
The module sends TLS session packets averaging 460 bytes (24% of the
traffic) and Dropbox returns a 54-byte frame (46% of the traffic). That
54-byte frame is again a bare TCP ACK (14 + 20 + 20 bytes), this time
without the TCP timestamp option; the difference from the 66-byte ACK seen
by the Mac client is most likely down to the Windows agent's TCP stack not
negotiating timestamps, not to the Dropbox API answering differently.

I played with some of the options to see if I could more accurately reflect
“normal” Dropbox activity. You can do this on the fly from the agents menu:

(Empire: agents) > sleep all 30 0.75

This tells all agents to change their sleep time to 30 seconds and to
randomize each sleep by up to 75% of that value (+/- 22.5 seconds, so
anywhere from roughly 7.5 to 52.5 seconds between check-ins).

It's not perfect, but we're starting to see the randomization we expect, and
this is getting closer to real Dropbox client activity. One thing we still
don't have is variable packet sizes: the desktop client has a much wider
range of packet sizes for its idle check-ins, whereas the Dropbox module is
much more consistent. Finally, once you start interacting with your agent,
those packet-size averages go out the window anyway, since taskings and
results are larger than an empty poll.
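As an added example (not code from the original post or from Empire), here is a short Python script that turns the “that screams beacon activity” observation into a number. It reproduces Empire's sleep/jitter rule to generate constructed check-in series for the three cases above (idle Dropbox client, 60 s with no jitter, `sleep all 30 0.75`), then scores each one by the coefficient of variation of its check-in gaps and frame sizes, which is the simplest form of the scoring a defender applies to Zeek or Wireshark exports. The size ranges, the thresholds and the `looks_like_beacon` heuristic are assumptions chosen for illustration.

```python
"""Beacon-regularity scoring for the captures discussed above.

Added example; this is not code from the original post or from Empire.
It reuses Empire's sleep/jitter rule, delay * (1 +/- jitter) (which is why
`sleep all 30 0.75` gives sleeps between 7.5 s and 52.5 s), to build
constructed check-in series, then scores each series the way a detection
analyst would score real timestamps and frame lengths exported from
Wireshark: by how regular the gaps and sizes are. The thresholds are
assumptions chosen for illustration, not tuned detection logic.
"""
import random
import statistics


def empire_sleeps(delay, jitter, n, seed=7):
    """Constructed sleep times under Empire's jitter rule: each sleep is drawn
    uniformly from [delay * (1 - jitter), delay * (1 + jitter)]."""
    rng = random.Random(seed)
    lo, hi = delay * (1.0 - jitter), delay * (1.0 + jitter)
    return [rng.uniform(lo, hi) for _ in range(n)]


def checkins(sleeps, size_lo, size_hi, seed=11):
    """Turn a list of sleeps into (timestamp, client_frame_len) tuples.
    Frame lengths are constructed uniformly in [size_lo, size_hi] to stand in
    for the ranges reported in the post (80-1281 bytes for the desktop client,
    about 460 bytes for the Empire module)."""
    rng = random.Random(seed)
    t, series = 0.0, []
    for s in sleeps:
        t += s
        series.append((t, rng.randint(size_lo, size_hi)))
    return series


def coeff_var(values):
    """Population coefficient of variation, stdev / mean (0.0 = perfectly regular)."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def score(series):
    """Return (gap_cv, size_cv): regularity of the check-in gaps and of the frame sizes."""
    times = [t for t, _ in series]
    sizes = [n for _, n in series]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return coeff_var(gaps), coeff_var(sizes)


def looks_like_beacon(series, gap_cv_max=0.1, size_cv_max=0.1):
    """Assumed heuristic: flag a series whose check-in gaps AND frame sizes are
    both too uniform to be interactive or file-sync traffic. Real beacon
    detection uses more features than this; the point is the shape of the idea."""
    gap_cv, size_cv = score(series)
    return gap_cv < gap_cv_max and size_cv < size_cv_max


def compare(n=30):
    """Score three constructed series modelled on the post's captures: the idle
    Dropbox client (30-60 s gaps, wide frame sizes), Empire at 60 s with no
    jitter, and Empire after `sleep all 30 0.75`."""
    cases = {
        "dropbox_client": checkins(empire_sleeps(45, 1 / 3, n), 80, 1281),
        "empire_60_0": checkins(empire_sleeps(60, 0.0, n), 455, 465),
        "empire_30_0.75": checkins(empire_sleeps(30, 0.75, n), 455, 465),
    }
    return {name: (score(s), looks_like_beacon(s)) for name, s in cases.items()}


if __name__ == "__main__":
    for name, ((gap_cv, size_cv), flagged) in compare().items():
        print(f"{name:15s} gap_cv={gap_cv:.2f} size_cv={size_cv:.2f} beacon={flagged}")
```

Run it as-is to print the three scores, or feed `score()` a list of `(timestamp, length)` tuples exported from a real capture (for example with `tshark -T fields -e frame.time_epoch -e frame.len`). The result matches the post's conclusion: jitter removes the timing signal, but until frame sizes vary the module still looks different from the real client, and only the no-jitter series trips the heuristic on both counts.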
