[Dailydave] Code vs bandwidth

Konrads Smelkovs konrads.smelkovs at gmail.com
Tue May 1 18:05:32 UTC 2018

Some time ago Dave defended his very fat Trojan on the account that no one
cares if it’s 4 or 40 megs and then there was that discussion about
bandwidth and i’d like to tie it together:

“The more code and computing capacity you have closer to the object of
interest the less bandwidth you need and vice versa”.

I’ll illustrate this with a few basic examples:

Let’s say you want to portscan a subnet from a compromised PC. You can
either use a tunnel to your metasploit instance  over C2 or you can use
nmap which perhaps an admin installed on the victim’s computer and scan it
from there. In one case you will need low latency link in other case you
are fine with high latency link.

If you want to dump ntdis.dit and copy, it may be that even compressed it
is 5+ GB thereby requiring a high bandwidth link or you could extract
hashes there by loading some code like ntds_extract and get a compressed
file of a megabyte at which point DNS or Email C2 is fine.

If you had computing resources available, you could even crack it there on
the spot.

Code is of course data as well and you need bandwidth to transfer it. Which
is why powershell or .net in general are so exciting because the bulk of
code - .NET Framework is already pre-loaded and 10kb of compressed
powershell can have a lot of advanced functionality which could include
parsing mailboxes for content or whatever.

Or consider cloud computing such as SaaS eg Office365 Sharepoint. In the
old days, say you got root access to the master file share and would want
to search every document for a code word, you would have to transfer all
those terabytes of data to a computer somewhere, open each doc, search it,
etc. Maybe that computer is someone’s laptop on the net, maybe that goes
over C2. A hassle.  In office365 I just log in as admin and search for
keyword and all documents on SP or 1Drive are searched within seconds. The
code and compute resource are immediately there.

Konrads Smelkovs
Applied IT sorcery.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20180501/14ee4dc3/attachment.html>

More information about the Dailydave mailing list