google_socks

A proof of concept demonstrating the use of Google Drive for command and control.

This script is used to allow two sockets to communicate while relaying data through Google Drive.

Check out this blog post for more details.

Setup Process

• Install needed python modules (see below)
• Run "python2 ./google_socks.py --setup" and follow the instructions
  • Create a Google API Project
  • Create OAuth client ID credentials for the project
  • Download the JSON for those credentials
  • Move the credentials file to the google_socks directory and name it "client_secrets.json"
  • Next, the setup script will give you a Google link and ask for a secret
  • Follow the link, authorize the script to use the API, and receive the secret
  • Paste the secret back into the setup script's prompt
  • Copy the provided python code into the google_socks.py file below "# PASTE NEW CREDENTIALS HERE"
  • Enable the Google Drive API
  • All done!
• Read the help information here: "python ./google_socks.py -h"

Needed Python Modules

pip2 install google-auth google-auth-oauthlib google-auth-httplib2 python-dateutil google-api-python-client

Help

Usage: google_socks.py [options]

Options:
  -h, --help  show this help message and exit
  --setup     Setup script with Drive App
  -c CREDS    Index of creds in credentials array to use (default: 0)
  -d          Delete files with names provided to -s and -r
  -l          Enable Socket Mode: Listener
  -i IP       Enable Socket Mode: Connect
  -p PORT     Port number for socket mode (default: 8000)
  -s SEND     Sending channel (default: 0)
  -r RECV     Receiving channel (default: 1)
  -P POLL     Poll every x seconds (default: 0)
  -j JITTER   Amount of randomness in polling (default: 1.0)
  -v          Enable verbose output
  --debug     Enable debug output

Performance Tip

If you need to send data as fast as possible, set no polling (-P 0) or jitter (-j 0). If you get an error from going over the API rate limit, try raising your polling time little by little until you find a sweetspot. I found .2 seconds worked well.

from https://github.com/lukebaggett/google_socks

-----------------------------------------------------

Google Docs becomes Google SOCKS: C2 Over Google Drive

If you’re monitoring a network with internet access, it’s almost inevitable that you’re going to see a lot of traffic to and from Google servers. Blending in with Google traffic by using Google as a relay may help an attacker avoid detection.

How could an attacker use Google as a relay? One way is with the Drive API, which allows automation of uploading and downloading of data through Google Drive. The API is simple and quick enough to allow for relatively solid communication between two systems. SSH, Metasploit Meterpreter sessions, and more can be relayed through Google’s servers using this API.

I’ve created a script called google_socks.py as a proof of concept. The script starts up a Python socket object, and each set of new data from the socket is pushed to drive as a new file of a specific name. Each script knows what files to read due to their names. The below diagram illustrates how two systems can communicate via this method.

The client on the left read files named “File 2”, and creates new files named “File 1”. The client on the right does the opposite. When using this method, the two sockets should be able to function as if they were directly connected, but with additional latency.

Just how well does this work? Let’s look at a few demos:

Basic Data Transfer and Shell

https://youtu.be/obtjoDRLcRs

In this video, both google_socks.py scripts listen on local ports for Netcat clients. The scripts then forward data between their sockets and Google Drive, allowing the Netcat clients to communicate.

The argument “-P 0.2” specifies a polling interval of 0.2 seconds, “-j 0” specifies 0 polling randomization (aka jitter), and “-c 0” tells the script to use the zeroth set of credentials stored in the script. Doing these things helps prevent API request rate limiting, which happens when one API client sends more than 10 queries per second to the server.

SSH

There is a tradeoff involved with using Google Drive as a relay. You get high throughput, but high latency as well. This becomes more noticeable when using things where small packets need to be sent and received in quick succession, like SSH.

https://youtu.be/oBCCU9al3Fs

In the above video there is one instance of google_socks.py listening on the local port 9090, and one instance which connects to a remote SSH server on port 22. The SSH client then connects to local port 9090, and the traffic is forwarded through Google Drive to the remote SSH server.

Meterpreter

https://youtu.be/dF2DzehDeKo

Linux Host: 192.168.56.1

Windows VM: 192.168.56.101

Kali VM: 192.168.56.102

In this demo, Meterpreter communicates with a multi-handler via Google Drive. The Kali VM produces a Meterpreter payload which connects to the Linux Host at 192.168.56.1 port 9090. The Linux host listens on 192.168.56.1 port 9090, then forwards the data to Google Drive. Another google_socks.py script relays data from Drive to the mutli handler on the Kali VM at 192.168.56.102 port 9090.

The payload is executed on the Windows VM and the Meterpreter session opens. It takes a moment for things to load fully so that meterpreter accepts commands, which is why the process list command fails initially. The screenshot command is run, and it works perfectly.

Want to try this out yourself? You can download the PoC script here on my github.

You’ll need to run –setup, which will explain how to set up API access for yourself.

Here are some good resources on the python client library:

• https://google.github.io/google-api-python-client/docs/epy/googleapiclient-module.html
• https://developers.google.com/resources/api-libraries/documentation/drive/v3/python/latest/index.html
• https://developers.google.com/resources/api-libraries/documentation/drive/v2/python/latest/index.html

from https://www.blackhillsinfosec.com/google-docs-becomes-google-socks-c2-over-google-drive/