Gmail provides email functionality for users and businesses. This means that traffic towards Gmail servers in most of the organisations is permitted. Red team operations from the other side needs to be as stealthy as possible therefore using legitimate protocols such as ICMP and SMTP in order to execute commands to a compromised host is essential. For that purpose there are two important tools on the web Gcat and Gdog which both of them can use Gmail as a command and control server.
Gcat is python based framework that utilizes Gmail in order to act a command and control server. The implant that is contained inside Gcat will regularly beacon with the Gmail inbox and check if there are any new messages with a campaign ID. If there are, the commands contained in these emails will be executed on the compromised host and when a new response is received this information it will be passed to the console.
In order to allow Gcat to communicate with Gmail the following settings needs to be enabled.
The Less secure apps Gmail setting needs to be turned on.
Additionally the IMAP setting needs to be enabled as well from the Google account settings.
The next step is to convert the implant.py file into an executable. There are various ways to achieve that but the easiest is to create a setup.py file which will contain the following code and use py2exe.
# setup.py from distutils.core import setup import py2exe setup(console=['implant.py'])
Running python.exe with the following arguments will create the executable.
From the moment that the implant will executed on the host the attacker would be able to send commands via Gmail.
The following command will list the hosts that are running the implant. Anything before the Windows-post2008Server-6.2.9200-AMD64 is the ID. This can be used in order to interact with the host and send command and also to view the output of these commands.
Gcat gives the ability to execute CMD commands. Therefore it is possible to execute various commands in order to enumerate system information.
By specifying the job id the output of the command will be retrieved.
The same applies for any other command like ipconfig.
Gdog is the successor of Gcat and it is actually the same Command and Control tool but more advanced since it can retrieve geolocation information, it has keylogger functionality, it supports encrypted communication and various other features. However it has more dependencies since it requires the following modules to be installed in order to compile the client.py file into an executable:
Installation of WMI and Enum34 can be done easily by downloading the necessary archives and running the setup.py files with the install argument.
The same Gmail settings needs to be applied as with Gcat (IMAP & Less Secure Apps). Converting the client.py to an executable can be done with the same code as long as all the modules are successfully installed and there are no errors.
# setup.py from distutils.core import setup import py2exe setup(console=['client.py'])
From the moment that the client.exe (implant) will executed on the remote host various commands can be sent through Gmail in an encrypted form.
The following screenshots demonstrate some of the activities that Gdog can perform: