Episode 701 – Botnet Command & Control and Man-in-the-Middle detection
Following our 2010 Shmoocon special we’re joined in studio by security expert and programmer extraordinaire Robin Wood to talk about his proof of concept botnet command and control tool KreiosC2. We also discuss tools for detecting traditional Man-in-the-Middle attacks. And stay tuned for a special season seven announcement.
Botnet Command and Control with Kreios C2
Using social networks as its communications channel, Robin Wood‘s Kreios C2 is far more sophisticated than the traditional IRC based approach for controlling hordes of zombie computers. Version 3 was recently released and demoed at the Shmoocon 2010 Social Zombies talk (32MB AVI).
Man-in-the-Middle Attack Detection
With Robin Wood, master of hardware based Man-in-the-Middle tools, in studio Darren decides to give the traditional ARP poisoning method some love. White-hat love that is. Your typical ARP Poisoning Man-in-the-Middle attack can be easily performed using tools such as ettercap, arpspoof, or even Cain & Abel on Windows. Generally speaking the goal is to convince the victim, using spoofed ARP packets, that your MAC address is associated with the IP address of another machine on the network — typically the router or gateway.
Of course in the real world the MAC address of your router doesn’t happen to change very often, so if it does it’s a tell-tale sign that something weird is happening. In this segment we demo Irongeek’s ARPWatch-like tool for Windows, DecaffeinatID. On the Linux side check out arpwatch.
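The "gateway MAC changed" check that arpwatch and DecaffeinatID rely on, written out as an added example (this is not code from the show or from either tool). It replays a constructed list of ARP replies instead of sniffing a live interface, and the IP and MAC values in it are made up for the demo.

```python
"""ARP-watch style detector: alert when an IP's MAC address changes.

Added example, not code from the episode, arpwatch or DecaffeinatID.
Replays a constructed list of ARP replies instead of capturing traffic.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", ["t", "ip", "mac"])

# Constructed sample traffic (hypothetical addresses): the gateway
# 192.168.1.1 is legitimately at aa:...:01 until a second host starts
# claiming it at t=3, then the real gateway answers again at t=5.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(2, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(3, "192.168.1.1", "cc:cc:cc:cc:cc:99"),  # gateway MAC changed
    ArpReply(4, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(5, "192.168.1.1", "aa:aa:aa:aa:aa:01"),  # flips back
]


def watch_arp(replies, gateway_ip=None):
    """Return (current, alerts).

    current maps ip -> MAC currently believed for it.  alerts holds one
    tuple (t, ip, old_mac, new_mac, kind, severity) per MAC change, using
    arpwatch's wording: a MAC never seen for that IP is a "changed ethernet
    address", a return to a previously seen MAC is a "flip flop".  Changes
    on the gateway IP are rated high because that is the classic target.
    """
    current = {}  # ip -> mac we currently believe
    seen = {}     # ip -> every mac ever observed for it
    alerts = []
    for r in replies:
        ip, mac = r.ip, r.mac.lower()
        prev = current.get(ip)
        if prev is not None and prev != mac:
            kind = "flip flop" if mac in seen[ip] else "changed ethernet address"
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((r.t, ip, prev, mac, kind, severity))
        current[ip] = mac
        seen.setdefault(ip, set()).add(mac)
    return current, alerts


if __name__ == "__main__":
    _, found = watch_arp(SAMPLE_REPLIES, gateway_ip="192.168.1.1")
    for t, ip, old, new, kind, sev in found:
        print(f"t={t} [{sev}] {ip}: {kind} {old} -> {new}")
```

On a real host the same function would be fed from a sniffer's ARP replies; the point is that a flapping gateway MAC is the signal both tools alert on.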